From 2806bc4f0cc1cde0120bf5cbe451f14ac945de73 Mon Sep 17 00:00:00 2001
From: Matt Mower
Date: Fri, 19 Dec 2014 10:45:10 -0600
Subject: [PATCH] sepolicy: Additional filesystem perms for recovery
Change-Id: I66c785de7256ea64302a258af7c33cb717530343
---
 sepolicy/recovery.te | 8 ++++++--
 sepolicy/vold.te | 5 +++++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 87d24120..af76917b 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -15,11 +15,15 @@ allow recovery system_data_file:file r_file_perms;
 # Manage fstab and /adb_keys
 allow recovery rootfs:file create_file_perms;
-allow recovery rootfs:dir { write add_name };
+allow recovery rootfs:dir { write create rmdir add_name remove_name };
-# Read /data/media files and directories
+# Read storage files and directories
 allow recovery media_rw_data_file:dir r_dir_perms;
 allow recovery media_rw_data_file:file r_file_perms;
+allow recovery vfat:dir r_dir_perms;
+allow recovery vfat:file r_file_perms;
+allow recovery sdcard_posix:dir r_dir_perms;
+allow recovery sdcard_posix:file r_file_perms;
 # Control properties
 allow recovery recovery_prop:property_service set;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index b54b6e9e..acdc7af4 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -8,3 +8,8 @@ allow vold fuse_device:chr_file rw_file_perms;
 # NTFS-3g wants to drop permission
 allow vold self:capability { setgid setuid };
+
+# Vold can also run as minivold in the rootfs
+recovery_only(`
+ allow vold rootfs:dir { add_name write };
+')
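Review bot: In sepolicy/recovery.te the `rootfs:dir` rule grows from `{ write add_name }` to `{ write create rmdir add_name remove_name }`, but the comment above it still reads "Manage fstab and /adb_keys", which does not explain why recovery needs to create or remove directories. Together with the existing `rootfs:file create_file_perms`, `remove_name` lets recovery unlink or rename any rootfs-labelled file, so the wider grant deserves a stated reason, for example `# Manage fstab, /adb_keys and <what needs mkdir/rmdir in rootfs>`. The surrounding block starts outside the hunk, so it is not visible whether these rules sit inside `recovery_only` the way the vold.te change does; that is worth confirming before merging.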
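Review bot: In sepolicy/vold.te the new `allow vold rootfs:dir { add_name write };` applies to every rootfs-labelled directory, and the comment says only that vold can run as minivold, not what it adds there. `add_name` and `write` on the parent do not by themselves permit creating anything, because a `create` permission on the new object's class is also required; unless a rule outside this hunk grants that, the line may not achieve its purpose. I would name the object in the comment, e.g. `# minivold creates <mount points?> under / in recovery`, and if the writes are confined to one directory, consider giving that directory its own type rather than opening all of rootfs.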