authorEmerson Pinter <dev@pinter.com.br>2015-02-12 19:20:19 -0200
committerGerrit Code Review <gerrit@cyanogenmod.org>2015-03-17 12:12:59 +0000
commitdc699fb190a7249053c4f2fd280f9dc8a3096fe6 (patch)
tree6647d7ebd339e6102604d51745be4c48d7fc48fd
parent8df987a37181343070055e66c487aa290f2e2f28 (diff)
sepolicy: Permissions for userinit
Change-Id: Icaf9d191841a6214925729e40d84a61a2ebf2296
-rw-r--r--sepolicy/file_contexts1
-rw-r--r--sepolicy/sysinit.te10
-rw-r--r--sepolicy/userinit.te1
3 files changed, 12 insertions, 0 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7999ccd9..4f82c380 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -12,6 +12,7 @@
/system/bin/sysinit u:object_r:sysinit_exec:s0
/system/etc/init.d/90userinit u:object_r:userinit_exec:s0
+/data/local/userinit.sh u:object_r:userinit_data_exec:s0
# For minivold in recovery
/sbin/minivold u:object_r:vold_exec:s0
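Review bot: The added `/data/local/userinit.sh` entry leaves the dot unescaped. Because file_contexts paths are regular expressions, it matches any character in that position; `/data/local/userinit\.sh u:object_r:userinit_data_exec:s0` pins the exact file name. The label is also assigned on every build variant, while the sysinit rules for `userinit_data_exec` in sysinit.te sit inside `userdebug_or_eng`. A comment above the entry, such as `# Only acted on by sysinit in userdebug/eng builds`, would make that split explicit.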
diff --git a/sepolicy/sysinit.te b/sepolicy/sysinit.te
index dea539e8..6fd0b856 100644
--- a/sepolicy/sysinit.te
+++ b/sepolicy/sysinit.te
@@ -9,3 +9,13 @@ allow sysinit shell_exec:file { rx_file_perms };
allow sysinit system_file:file { rx_file_perms };
allow sysinit self:process setcurrent;
+userdebug_or_eng(`
+ allow sysinit userinit_data_exec:file { r_file_perms relabelto };
+ allow sysinit property_socket:sock_file write;
+ allow sysinit init:unix_stream_socket connectto;
+ allow sysinit userinit_prop:property_service set;
+ allow sysinit sysfs:file rw_file_perms;
+ allow sysinit sysfs_devices_system_cpu:file write;
+ allow sysinit self:capability dac_override;
+ allow sysinit userinit_exec:file { rx_file_perms };
+')
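Review bot: `allow sysinit sysfs:file rw_file_perms;` and `allow sysinit self:capability dac_override;` are broad grants for a domain that runs a user-supplied script from /data. `userinit_exec` is granted `rx_file_perms` with no domain transition visible in this hunk, so the script presumably runs inside `sysinit` and inherits both. If the only sysfs writes needed are CPU tunables, the `sysfs_devices_system_cpu:file write` rule below may already cover them and the generic `sysfs` rule could be dropped or narrowed to a dedicated type. Each remaining broad grant deserves a why-comment, for example `# userinit.sh may be owned by a non-root uid, hence dac_override`, if that is the reason. `relabelto` is granted on `userinit_data_exec` without a matching `relabelfrom` on any source type here, so it is worth confirming that the relabel path actually works or removing the permission.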
diff --git a/sepolicy/userinit.te b/sepolicy/userinit.te
index caddb086..74072877 100644
--- a/sepolicy/userinit.te
+++ b/sepolicy/userinit.te
@@ -1,3 +1,4 @@
type userinit_exec, exec_type, file_type;
+type userinit_data_exec, file_type;
allow userinit_exec userinit_prop:property_service set;
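Review bot: `type userinit_data_exec, file_type;` labels a file under /data but omits the `data_file_type` attribute, so policy written against that attribute (allow rules and neverallow checks alike) will not see this type. If that is deliberate, a comment such as `# intentionally not data_file_type: only sysinit should touch this file` would record it. Otherwise the declaration should read `type userinit_data_exec, file_type, data_file_type;`. The new type also has no comment saying which path it labels, and a line such as `# /data/local/userinit.sh, read by sysinit on userdebug/eng builds` would tie it to the file_contexts entry.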