selinux: grant rx perms to toolbox_exec where needed

AOSP commit a3c97a7660ba ("Only allow toolbox exec where /system
exec was already allowed.") removed domain's rx perms to
toolbox_exec. This breaks a number of domains on bullhead. Restore
rx perms for toolbox_exec where needed.

Bug: 24341811
Change-Id: I991c66a9746a4b29f454cb7a1b5e7ba1180ed94f
diff --git a/sepolicy/bullhead-sh.te b/sepolicy/bullhead-sh.te
index 41a10db..5f21eb9 100644
--- a/sepolicy/bullhead-sh.te
+++ b/sepolicy/bullhead-sh.te
@@ -16,3 +16,6 @@
 allow bullhead-sh firmware_file:dir r_dir_perms;
 
 allow bullhead-sh shell_exec:file r_file_perms;
+
+# execute toybox/toolbox
+allow bullhead-sh toolbox_exec:file rx_file_perms;
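Review bot: The added comment `# execute toybox/toolbox` restates the rule without recording which command the domain actually runs, and the same wording is repeated in the init-power-sh.te and netmgrd.te hunks. Because `rx_file_perms` includes `execute_no_trans`, any toolbox/toybox applet the domain starts runs inside that domain with all of its other permissions; for init-power-sh that includes the sysfs `relabelfrom`/`relabelto` rules visible in its hunk. Someone auditing these domains for least privilege therefore needs to know what is invoked and why. I would name the caller and applet in each comment, e.g. `# <script or binary> runs <applet> from toolbox (bug 24341811)`, filled in from the denial that motivated each rule.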
diff --git a/sepolicy/init-power-sh.te b/sepolicy/init-power-sh.te
index 2c8aa63..03308f4 100644
--- a/sepolicy/init-power-sh.te
+++ b/sepolicy/init-power-sh.te
@@ -18,3 +18,6 @@
 # and symlinks to sysfs_devices_system_cpu
 allow init-power-sh sysfs:{ dir file lnk_file } relabelfrom;
 allow init-power-sh sysfs_devices_system_cpu:{ dir file lnk_file } relabelto;
+
+# execute toybox/toolbox
+allow init-power-sh toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 5349e89..3da9fba 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -57,3 +57,5 @@
 # talk to cnd
 unix_socket_connect(netmgrd, cnd, cnd)
 
+# execute toybox/toolbox
+allow netmgrd toolbox_exec:file rx_file_perms;