Fixup union sepolicy
This change solve two issue:
1) Policies related to recovery should be only included in recovery
policy
2) In CM trees the sepolicy dir was always bootable/recovery-
twrp/sepolicy, even if recovery path was bootable/recovery
Change-Id: I9466d22293074ba5f5240abe8b97a5d1bf30982d
diff --git a/Android.mk b/Android.mk
index 9dc31a5..47c4aa1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -17,7 +17,7 @@
ifdef project-path-for
ifeq ($(LOCAL_PATH),$(call project-path-for,recovery))
PROJECT_PATH_AGREES := true
- BOARD_SEPOLICY_DIRS += bootable/recovery-twrp/sepolicy
+ BOARD_SEPOLICY_DIRS += $(call project-path-for,recovery)/sepolicy
endif
else
ifeq ($(LOCAL_PATH),bootable/recovery)
diff --git a/sepolicy/twrp.te b/sepolicy/twrp.te
index 3ebdc4b..d81b9e1 100644
--- a/sepolicy/twrp.te
+++ b/sepolicy/twrp.te
@@ -1 +1,4 @@
-permissive recovery;
+recovery_only(`
+ # Allow recovery to set permissive mode
+ permissive recovery;
+')