Merge "Moving recovery resources from /system to /vendor"

private/compat/29.0/29.0.cil

@@ -1,6 +1,8 @@
 ;; types removed from current policy
 (type ashmemd)
 (type hal_wifi_offload_hwservice)
+(type install_recovery)
+(type install_recovery_exec)
 (type mediacodec_service)
 (type perfprofd_data_file)
 (type perfprofd_service)

private/compat/29.0/29.0.ignore.cil

@@ -23,5 +23,7 @@
     system_passwd_file
     vendor_apex_file
     vendor_boringssl_self_test
+    vendor_install_recovery
+    vendor_install_recovery_exec
     virtual_ab_prop
     wifi_stack_service))

private/file_contexts

@@ -284,7 +284,6 @@
 /system/bin/cppreopts\.sh   u:object_r:cppreopts_exec:s0
 /system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
 /system/bin/dex2oat(d)?     u:object_r:dex2oat_exec:s0
 /system/bin/dexoptanalyzer(d)?     u:object_r:dexoptanalyzer_exec:s0
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
@@ -367,6 +366,8 @@
 
 /(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
 
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
 #############################
 # OEM and ODM files
 #

private/install_recovery.te

@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)

public/install_recovery.te

@@ -1,21 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;

vendor/vendor_install_recovery.te

@@ -0,0 +1,24 @@
+init_daemon_domain(vendor_install_recovery)
+
+# service vendor_flash_recovery in
+# bootable/recovery/applypatch/vendor_flash_recovery.rc
+type vendor_install_recovery, domain;
+type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
+
+# /vendor/bin/install-recovery.sh is a shell script.
+# Needs to execute /vendor/bin/sh
+allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
+
+# Execute /vendor/bin/applypatch
+allow vendor_install_recovery vendor_file:file rx_file_perms;
+not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
+
+allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow vendor_install_recovery block_device:dir search;
+allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
+allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vendor_install_recovery proc_drop_caches:file w_file_perms;