This change is primarily a revert of 611c3d70a

Commit 611c3d70a "Move hal_bootctl rules to hal_bootctl_default"
breaks sideloading OTAs. It was introduced to fix a CTS regression
due to overly broad access to the vendor-owned misc_block partition.
The change also did a refactor of permissions for the bootctl HAL.

The fix leaves the one-line CTS fix in place and reverts the rest of
the refactor. This results in no change in permissions for the recovery
process, which is already granted access to the misc_block partition in
core policy: "allow recovery dev_type:blk_file rw_file_perms;"

Bug: 69566734
Test: adb sideload ota
Change-Id: I67504482b166e1cf278be213e42bfde2ddfa6e67
diff --git a/sepolicy/vendor/hal_bootctl.te b/sepolicy/vendor/hal_bootctl.te
new file mode 100644
index 0000000..da24b79
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl.te
@@ -0,0 +1,31 @@
+# These are the permissions required to use the boot_control HAL implemented
+# here: hardware/qcom/bootctrl/boot_control.c
+
+# Getting and setting GPT attributes for the bootloader iterates over all the
+# partition names in the block_device directory /dev/block/.../by-name
+allow hal_bootctl block_device:dir r_dir_perms;
+
+# Edit the attributes stored in the GPT.
+allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
+allow hal_bootctl ab_block_device:blk_file getattr;
+allow hal_bootctl boot_block_device:blk_file rw_file_perms;
+allow hal_bootctl modem_block_device:blk_file getattr;
+allow hal_bootctl system_block_device:blk_file getattr;
+allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
+
+# Access /dev/sgN devices (generic SCSI) to write the
+# A/B slot selection for the XBL partition. Allow also to issue a
+# UFS_IOCTL_QUERY ioctl.
+allow hal_bootctl sg_device:chr_file rw_file_perms;
+allow hal_bootctl self:capability sys_admin;
+allow hal_bootctl tmpfs:lnk_file r_file_perms;
+
+# Read the sysfs to lookup what /dev/sgN device
+# corresponds to the XBL partitions.
+allow hal_bootctl sysfs:dir r_dir_perms;
+
+# Write to the XBL devices.
+allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
+
+# Expose a socket for brokered boot message access for hal_oemlock.
+allow hal_bootctl hal_bootctl_socket:sock_file create_file_perms;
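Review bot: The `misc_block_device` rule is the only one in this file scoped to `hal_bootctl_server`, while every other rule targets the broader `hal_bootctl` attribute, and nothing in the file explains the difference. Going by the commit message this appears to be the retained CTS fix, so a comment above it such as `# Keep misc access on hal_bootctl_server only; granting it to hal_bootctl regressed CTS (b/69566734)` would stop a later cleanup from widening it again. Separately, `self:capability sys_admin` and write access to the GPT, boot and XBL block devices go to every domain that carries `hal_bootctl`. It is worth confirming which domains that attribute resolves to on this device and stating the expected set in the header comment, so that a new domain picking up the attribute is noticed in review.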
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
deleted file mode 100644
index 09a0089..0000000
--- a/sepolicy/vendor/hal_bootctl_default.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# These are the permissions required to use the boot_control HAL implemented
-# here: hardware/qcom/bootctrl/boot_control.c
-
-# Getting and setting GPT attributes for the bootloader iterates over all the
-# partition names in the block_device directory /dev/block/.../by-name
-allow hal_bootctl_default block_device:dir r_dir_perms;
-
-# Edit the attributes stored in the GPT.
-allow hal_bootctl_default gpt_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default ab_block_device:blk_file getattr;
-allow hal_bootctl_default boot_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default modem_block_device:blk_file getattr;
-allow hal_bootctl_default system_block_device:blk_file getattr;
-allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
-
-# Access /dev/sgN devices (generic SCSI) to write the
-# A/B slot selection for the XBL partition. Allow also to issue a
-# UFS_IOCTL_QUERY ioctl.
-allow hal_bootctl_default sg_device:chr_file rw_file_perms;
-allow hal_bootctl_default self:capability sys_admin;
-allow hal_bootctl_default tmpfs:lnk_file r_file_perms;
-
-# Read the sysfs to lookup what /dev/sgN device
-# corresponds to the XBL partitions.
-allow hal_bootctl_default sysfs:dir r_dir_perms;
-
-# Write to the XBL devices.
-allow hal_bootctl_default xbl_block_device:blk_file rw_file_perms;
-
-# Expose a socket for brokered boot message access for hal_oemlock.
-allow hal_bootctl_default hal_bootctl_socket:sock_file create_file_perms;