Merge "Only allow toolbox exec where /system exec was already allowed."
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
index e831432..36243af 100644
--- a/sepolicy/bluetooth_loader.te
+++ b/sepolicy/bluetooth_loader.te
@@ -25,3 +25,4 @@
# Allow getprop/setprop for init.mako.bt.sh
allow bluetooth_loader system_file:file execute_no_trans;
+allow bluetooth_loader toolbox_exec:file rx_file_perms;
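Review bot: The added `toolbox_exec` rule grants `rx_file_perms`, which is a wider set than the `execute_no_trans` on the `system_file` line beside it, and nothing in the hunk says why. Presumably read and execute on `system_file` come from a domain-wide rule elsewhere in the policy that does not cover the separate `toolbox_exec` label, but that is not visible here. A comment above the new line, such as `# toolbox has its own label; needed for getprop/setprop in init.mako.bt.sh`, would keep the grant tied to the script that needs it. The same applies to the added lines in conn_init.te and kickstart.te.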
diff --git a/sepolicy/conn_init.te b/sepolicy/conn_init.te
index 6491888..d5ff650 100644
--- a/sepolicy/conn_init.te
+++ b/sepolicy/conn_init.te
@@ -20,3 +20,4 @@
# init.mako.wifi.sh runs toolbox
allow conn_init system_file:file execute_no_trans;
+allow conn_init toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
index 93091cb..05be3d5 100644
--- a/sepolicy/kickstart.te
+++ b/sepolicy/kickstart.te
@@ -28,6 +28,7 @@
# Run dd from toolbox on firmware files
allow kickstart shell_exec:file rx_file_perms;
allow kickstart system_file:file execute_no_trans;
+allow kickstart toolbox_exec:file rx_file_perms;
# Wake lock access
wakelock_use(kickstart)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 37f85f6..c9b512e 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -31,5 +31,9 @@
# Runs /system/bin/ip addr flush dev <device> commands.
allow netmgrd system_file:file rx_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow netmgrd toolbox_exec:file rx_file_perms;
+auditallow netmgrd toolbox_exec:file rx_file_perms;
+
allow netmgrd proc_net:file r_file_perms;
allow netmgrd proc_net:dir r_dir_perms;
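Review bot: The `XXX Run toolbox. Might not be needed.` comment leaves a speculative grant on netmgrd with no stated condition for removing it. The `auditallow` line logs each granted access, so the comment should say what those records decide, for example `# XXX Drop this allow and the auditallow if no "avc: granted" records for netmgrd on toolbox_exec show up in testing.` The neighbouring comment mentions only /system/bin/ip, so the hunk does not establish that netmgrd runs toolbox at all. Because the auditallow covers all of `rx_file_perms`, it may be worth limiting it to `{ execute execute_no_trans }` if only actual execution is of interest.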