1 files changed, 46 insertions, 0 deletions

diff --git a/prebuilts/api/32.0/public/uncrypt.te b/prebuilts/api/32.0/public/uncrypt.te
new file mode 100644
index 000000000..3b04671b2
--- /dev/null
+++ b/prebuilts/api/32.0/public/uncrypt.te
@@ -0,0 +1,46 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, system_file_type, exec_type, file_type;
+
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
+
+userdebug_or_eng(`
+  # For debugging, allow /data/local/tmp access
+  r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+  proc_bootconfig
+  proc_cmdline
+
+}:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)