Merge "Sepolicy: Give zygote rights needed for A/B OTAs" into nyc-dev
diff --git a/service_contexts b/service_contexts
index 747369e..ec1194b 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,7 +2,7 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0
-android.os.IUpdateEngine u:object_r:update_engine_service:s0
+android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
appops u:object_r:appops_service:s0
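Review bot: The replaced entry leaves no mapping for the old name `android.os.IUpdateEngine`, so any binary that still registers the service under that string would silently receive whatever the file's catch-all entry assigns (presumably the default service label, defined outside this hunk) instead of `update_engine_service`, and nothing in this file would flag the mismatch. Worth confirming that update_engine's servicemanager registration and its clients were switched to `android.os.UpdateEngineService` in the same release, or keeping both lines until they are.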
diff --git a/untrusted_app.te b/untrusted_app.te
index d864424..89dbfdd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -154,3 +154,21 @@
# Do not allow untrusted_app to set system properties.
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app property_type:property_service set;
+
+# Do not allow untrusted_app to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow untrusted_app {
+ fs_type
+ -fuse # sdcard
+ file_type
+ -app_data_file # The apps sandbox itself
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ userdebug_or_eng(`
+ -method_trace_data_file # only on ro.debuggable=1
+ -coredump_file # userdebug/eng only
+ ')
+}:dir_file_class_set { create unlink };
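Review bot: The new neverallow restricts only `{ create unlink }`, so the property stated in the comment ("fill the device with unaccounted for data") is not fully enforced: a directory entry can also be added with `link` or `rename`, and `write`/`append` on an existing world-writable file are untouched. If the intent is the narrower one, the comment should say so, e.g. `# Only create/unlink are constrained here; write to existing files and link/rename are governed by the type-specific allow rules.`; if the broader one, the permission set would need to become `{ create unlink link rename }`, which may require checking existing allow rules against the compiled policy. The comment on the media_rw_data_file exemption also has a typo, `artfacts` → `artifacts`, and as written the exemptions under `userdebug_or_eng` mean the guarantee is weaker on debug builds, which the inline comments already note.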
diff --git a/update_engine.te b/update_engine.te
index 3fbfd8a..39b9936 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -33,3 +33,6 @@
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
+
+# Allow read/write bootctrl block device.
+allow update_engine bootctrl_block_device:blk_file rw_file_perms;
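Review bot: The added rule grants `rw_file_perms` on a raw block device, which includes `ioctl` and `write` and therefore bypasses any filesystem-level control over what update_engine can put on that device; the one-line comment does not say what is written there or why write access (rather than read) is required. Suggest expanding it to something like `# update_engine writes the boot control slot metadata directly on the bootctrl partition; needs write + ioctl on the raw block device.` so a later reviewer can judge whether the rule is still needed. Also confirm `bootctrl_block_device` is declared as a dev_type in core policy and that the device's file_contexts actually labels the partition with it, since an unlabeled partition would fall back to the generic block device type and this allow would have no effect while the OTA path fails.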