22194ac50f
private/domain.te neverallows misc_block_device access for all but a few domains, and the check always compiles as a user build, so the custom domain failed the sepolicy_neverallows gate. hal_bootctl_server (the other exempt candidate) is out: hal_neverallows.te forbids HAL domains from exec'ing vendor sh/toybox, and the chain-loader is a shell script. So use AOSP's vendor_misc_writer — the domain built for vendor tools touching misc — adding BCB read-back, vendor shell/toybox exec, the /metadata attempt counter, sys.powerctl, and kmsg logging on top of the write access system policy already grants.