private: initial sepolicy for SHIFT-OTA

Change-Id: If674cbcf090c96e85e449c203180c59f02c6ded8
Signed-off-by: Alexander Martinz <amartinz@shiftphones.com>
diff --git a/common/private/file_contexts b/common/private/file_contexts
new file mode 100644
index 0000000..ee0d544
--- /dev/null
+++ b/common/private/file_contexts
@@ -0,0 +1,2 @@
+# OTA packages
+/data/shiftos_updates(/.*)?           u:object_r:ota_package_file:s0
diff --git a/common/private/priv_app.te b/common/private/priv_app.te
new file mode 100644
index 0000000..d1c5824
--- /dev/null
+++ b/common/private/priv_app.te
@@ -0,0 +1,7 @@
+# Allow to communicate with update_engine for A/B update.
+binder_call(priv_app, update_engine)
+allow priv_app update_engine_service:service_manager find;
+
+# Write to /data/ota_package for OTA packages.
+allow priv_app ota_package_file:dir  rw_dir_perms;
+allow priv_app ota_package_file:file create_file_perms;
diff --git a/common/private/uncrypt.te b/common/private/uncrypt.te
new file mode 100644
index 0000000..17a9419
--- /dev/null
+++ b/common/private/uncrypt.te
@@ -0,0 +1,2 @@
+# Read and execute IOCTLs on OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:file rw_file_perms;
diff --git a/common/private/update_engine.te b/common/private/update_engine.te
new file mode 100644
index 0000000..cff9a0d
--- /dev/null
+++ b/common/private/update_engine.te
@@ -0,0 +1,3 @@
+# Read updates from storage data
+r_dir_file(update_engine, mnt_user_file)
+r_dir_file(update_engine, storage_file)
diff --git a/common/sepolicy.mk b/common/sepolicy.mk
index 863bea5..4f1a897 100644
--- a/common/sepolicy.mk
+++ b/common/sepolicy.mk
@@ -2,3 +2,6 @@
 # This policy configuration will be used by all products that
 # inherit from ShiftOS
 #
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+    device/shift/sepolicy/common/private