Add sepolicy for init-firstboot

init-firstboot loops waiting for the USB cable to be removed (using
sysfs), then shuts down the device with sys.powerctl.

Bug: 110896488
Change-Id: I29078c1ed0eb4ac5061c2c0d03c06f680f276796
Merged-In: Id1dc1b3139366f6d0a9ec860270a8801bfbdcfc6
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 4b4bf86..56c530a 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -13,6 +13,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.0-service-disabled      u:object_r:hal_secure_element_default_exec:s0
 /vendor/bin/hw/android\.hardware\.power@1\.3-service\.bonito-libperfmgr     u:object_r:hal_power_default_exec:s0
 /vendor/bin/perfstatsd                                                      u:object_r:perfstatsd_exec:s0
+/vendor/bin/init\.firstboot\.sh                                             u:object_r:init-firstboot_exec:s0
 /vendor/bin/ramoops                                                         u:object_r:ramoops_exec:s0
 /vendor/bin/init\.ramoops\.sh                                               u:object_r:ramoops_exec:s0
 /vendor/bin/pixelstats-vendor                                               u:object_r:pixelstats_vendor_exec:s0
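Review bot: The new label `init-firstboot_exec` mixes a hyphen and an underscore, while the neighbouring entries in this hunk (`perfstatsd_exec`, `ramoops_exec`, `pixelstats_vendor_exec`) use underscores only. A hyphen is also the exclusion operator in policy type sets such as `{ domain -foo }`, so a hyphenated type is easy to misread in later neverallow or attribute rules. Consider `u:object_r:init_firstboot_exec:s0` here. The same rename would apply to the `type init-firstboot` and `type init-firstboot_exec` declarations and every rule in vendor/google/init-firstboot.te.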
diff --git a/vendor/google/init-firstboot.te b/vendor/google/init-firstboot.te
new file mode 100644
index 0000000..7ca7168
--- /dev/null
+++ b/vendor/google/init-firstboot.te
@@ -0,0 +1,15 @@
+type init-firstboot, domain;
+type init-firstboot_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-firstboot)
+
+allow init-firstboot vendor_shell_exec:file rx_file_perms;
+allow init-firstboot vendor_toolbox_exec:file rx_file_perms;
+
+# Read USB connection state
+allow init-firstboot sysfs_msm_subsys:dir search;
+r_dir_file(init-firstboot, sysfs_batteryinfo)
+
+# Set property to trigger a shutdown
+set_prop(init-firstboot, powerctl_prop)
+
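Review bot: The `set_prop(init-firstboot, powerctl_prop)` grant at the end of the new file lets this domain request any power action through sys.powerctl, not only the shutdown the commit message describes, because the policy cannot constrain the property value. Since the domain runs a vendor shell script, a header comment should record that scope, for example `# init-firstboot: first-boot script; polls sysfs for USB removal, then sets sys.powerctl to shut down. Keep this domain minimal.` The comment `# Read USB connection state` sits above rules for `sysfs_msm_subsys` and `sysfs_batteryinfo`; naming the sysfs node the script polls would let a reviewer confirm that both grants are needed. The init service entry that starts the script is not visible in this diff, so it is worth confirming that its trigger is as narrow as the policy assumes.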