Merge "Re-introduce camera_device type" into nyc-dev
diff --git a/attributes b/attributes
index 485b3e9..1160a95 100644
--- a/attributes
+++ b/attributes
@@ -67,6 +67,9 @@
# used by device specific properties
attribute core_property_type;
+# All properties used to configure log filtering.
+attribute log_property_type;
+
# All service_manager types created by system_server
attribute system_server_service;
@@ -100,3 +103,8 @@
# All domains used for binder service domains.
attribute binderservicedomain;
+
+# All domains that access the boot_control HAL. The permissions the HAL
+# requires are specific to the implementation provided in each device, but
+# common daemons need to be aware of those when calling into the HAL.
+attribute boot_control_hal;
diff --git a/audioserver.te b/audioserver.te
index ea7f6d9..da12649 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -51,3 +51,5 @@
# domain transition
neverallow audioserver { file_type fs_type }:file execute_no_trans;
+# audioserver should never need network access. Disallow network sockets.
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/boot_control_hal.te b/boot_control_hal.te
new file mode 100644
index 0000000..2a670b3
--- /dev/null
+++ b/boot_control_hal.te
@@ -0,0 +1,2 @@
+# Allow read/write bootctrl block device, if one is defined.
+allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
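Review bot: Moving the bootctrl_block_device grant behind the `boot_control_hal` attribute lets any device policy add domains to the attribute, but nothing in this file asserts that domains outside it stay away from the device. A neverallow here would lock that in, e.g. `neverallow { domain -boot_control_hal } bootctrl_block_device:blk_file { read write };` — the exact exclusion list (init, recovery, uncrypt or vendor daemons that may already open the device) is not visible in this diff and has to be checked before adding it. The attribute comment says the HAL's required permissions are device-specific, so a sentence here stating that implementations are expected to extend this file rather than grant bootctrl_block_device access from unrelated domains would make the intent explicit.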
diff --git a/cameraserver.te b/cameraserver.te
index 6520969..4f50f8d 100644
--- a/cameraserver.te
+++ b/cameraserver.te
@@ -34,3 +34,6 @@
# cameraserver should never execute any executable without a
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# cameraserver should never need network access. Disallow network sockets.
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/dex2oat.te b/dex2oat.te
index abdaceb..48daac3 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -22,7 +22,10 @@
##################
# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat otapreopt:fd use;
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir getattr;
+
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
allow dex2oat ota_data_file:file r_file_perms;
diff --git a/domain.te b/domain.te
index 9b2024b..8ff05a5 100644
--- a/domain.te
+++ b/domain.te
@@ -84,6 +84,9 @@
# For now, everyone can access core property files
# Device specific properties are not granted by default
get_prop(domain, core_property_type)
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
dontaudit domain property_type:file audit_access;
allow domain property_contexts:file r_file_perms;
@@ -165,8 +168,18 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -uncrypt -tee } self:capability sys_rawio;
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain')
+ -kernel
+ -init
+ -recovery
+ -ueventd
+ -healthd
+ -uncrypt
+ -tee
+} self:capability sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;
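Review bot: The `userdebug_or_eng(`-domain')` term on the rewritten sys_rawio neverallow subtracts every domain on userdebug/eng builds, so the assertion becomes vacuous there instead of exempting only the debugging domain; the comment says this is intended, but the rest of this diff uses `userdebug_or_eng(`-su')` for the same purpose (see the removed mediacodec.te rule and netd.te). Unless something other than su needs raw I/O on debug builds, `userdebug_or_eng(`-su')` keeps the whitelist enforced where it still matters, and if other debug-only domains need it, listing them is still stronger than dropping the rule. Note also that `-watchdogd` was removed from the exclusion list; this only compiles if watchdogd's sys_rawio grant was dropped elsewhere, which is not visible in this diff.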
@@ -347,7 +360,7 @@
-init # TODO: limit init to relabelfrom for files
-zygote
-installd
- -otapreopt
+ -postinstall_dexopt
-dex2oat
} dalvikcache_data_file:file no_w_file_perms;
@@ -355,7 +368,7 @@
domain
-init
-installd
- -otapreopt
+ -postinstall_dexopt
-dex2oat
-zygote
} dalvikcache_data_file:dir no_w_dir_perms;
diff --git a/dumpstate.te b/dumpstate.te
index 5095ecd..ebc0d67 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -70,7 +70,8 @@
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain autoplay_app })
+binder_call(dumpstate, { appdomain autoplay_app netd })
+
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
@@ -123,7 +124,7 @@
allow dumpstate misc_logd_file:file r_file_perms;
')
-allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/file_contexts b/file_contexts
index b3e4e93..75edcc9 100644
--- a/file_contexts
+++ b/file_contexts
@@ -174,7 +174,7 @@
/system/bin/mediacodec u:object_r:mediacodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
-/system/bin/otapreopt u:object_r:otapreopt_exec:s0
+/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
diff --git a/installd.te b/installd.te
index f4ea424..0e64041 100644
--- a/installd.te
+++ b/installd.te
@@ -73,7 +73,9 @@
domain_auto_trans(installd, idmap_exec, idmap)
# Run otapreopt in its own sandbox.
-domain_auto_trans(installd, otapreopt_exec, otapreopt)
+domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
+# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
+allow installd postinstall_dexopt:process sigchld;
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
diff --git a/ioctl_defines b/ioctl_defines
index 97bdcc1..5b65b2d 100644
--- a/ioctl_defines
+++ b/ioctl_defines
@@ -732,6 +732,7 @@
define(`SIOCDIFADDR', `0x00008936')
define(`SIOCSIFHWBROADCAST', `0x00008937')
define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCKILLADDR', `0x00008939')
define(`SIOCGIFBR', `0x00008940')
define(`SIOCSIFBR', `0x00008941')
define(`SIOCGIFTXQLEN', `0x00008942')
@@ -767,8 +768,36 @@
define(`SIOCSHWTSTAMP', `0x000089b0')
define(`SIOCGHWTSTAMP', `0x000089b1')
define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
define(`SIOCPROTOPRIVLAST', `0x000089ef')
define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
define(`SIOCDEVPRIVLAST', `0x000089ff')
define(`SIOCIWFIRST', `0x00008b00')
define(`SIOCSIWCOMMIT', `0x00008b00')
@@ -823,6 +852,36 @@
define(`SIOCGIWENCODEEXT', `0x00008b35')
define(`SIOCSIWPMKSA', `0x00008b36')
define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
define(`SIOCIWLASTPRIV', `0x00008bff')
define(`AUTOFS_IOC_READY', `0x00009360')
define(`AUTOFS_IOC_FAIL', `0x00009361')
diff --git a/mediacodec.te b/mediacodec.te
index adba40b..3d3625a 100644
--- a/mediacodec.te
+++ b/mediacodec.te
@@ -26,6 +26,5 @@
# domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-# mediacodec should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediacodec { domain -debuggerd -dumpstate -adbd -mediacodec -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediacodec should never need network access. Disallow network sockets.
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
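Review bot: The replacement rule is narrower than the `socket_class_set` neverallow it removes: it forbids only tcp/udp/rawip sockets, so the policy no longer asserts that mediacodec creates no netlink or other socket classes, which the old rule covered apart from its debuggerd/dumpstate/adbd/logd/su exemptions. If the goal was just to stop exempting those debugging domains, keeping the broad class set and dropping the exemptions would be the stronger form; otherwise the new rule should at least name the netlink classes the policy defines, e.g. `neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket netlink_socket netlink_route_socket netlink_kobject_uevent_socket } *;`. Whether any allow rule actually grants those classes to mediacodec is not visible here; the point is what the neverallow asserts, not a grant.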
diff --git a/mediaextractor.te b/mediaextractor.te
index 5936eb6..3ebb5b7 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -21,6 +21,5 @@
# domain transition
neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-# mediaextractor should never need network access. Disallow all sockets
-# other than those needed for normal system functions
-neverallow mediaextractor { domain -debuggerd -dumpstate -adbd -mediaextractor -logd userdebug_or_eng(`-su')}:socket_class_set *;
+# mediaextractor should never need network access. Disallow network sockets.
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
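Review bot: As with mediacodec, the new rule asserts less than the removed one: the old `socket_class_set` neverallow also covered netlink and unix socket classes, while the replacement covers only tcp/udp/rawip. mediaextractor parses untrusted media input, so keeping the assertion broad is worth more here than the cleanup; either keep `socket_class_set` and drop the exemptions, or add the netlink classes the policy defines to the new rule's class set.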
diff --git a/netd.te b/netd.te
index 6864ad6..0d9c047 100644
--- a/netd.te
+++ b/netd.te
@@ -60,6 +60,7 @@
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
allow netd netd_service:service_manager add;
+allow netd dumpstate:fifo_file { getattr write };
# Allow netd to call into the system server so it can check permissions.
allow netd system_server:binder call;
@@ -90,7 +91,7 @@
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
-# only system_server may interact with netd over binder
-neverallow { domain -system_server } netd_service:service_manager find;
-neverallow { domain -system_server } netd:binder call;
+# only system_server and dumpstate may interact with netd over binder
+neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } netd:binder call;
neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
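Review bot: Adding `-dumpstate` to both neverallows opens netd's whole binder interface to dumpstate, not just a dump path; the `allow netd dumpstate:fifo_file { getattr write }` in the earlier hunk suggests the purpose is netd writing bugreport output into dumpstate's pipe. SELinux cannot restrict which binder methods dumpstate invokes, so the comment should record that netd's own permission checks (via system_server, per the "check permissions" comment above) are what covers any non-system_server caller, e.g. `# only system_server and dumpstate may interact with netd over binder; dumpstate is expected to call dump() only, netd's permission checks cover everything else`. dumpstate already holds sys_ptrace, so this is a modest widening, but it should be a documented one.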
diff --git a/otapreopt.te b/otapreopt.te
deleted file mode 100644
index 0eada98..0000000
--- a/otapreopt.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# otapreopt executable
-type otapreopt, domain, mlstrustedsubject;
-type otapreopt_exec, exec_type, file_type;
-
-init_daemon_domain(otapreopt)
-allow otapreopt self:capability { chown dac_override fowner fsetid setgid setuid };
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(otapreopt, apk_data_file)
-# Access to app oat directory.
-r_dir_file(otapreopt, dalvikcache_data_file)
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow otapreopt ota_data_file:dir create_dir_perms;
-allow otapreopt ota_data_file:file create_file_perms;
-allow otapreopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow otapreopt dalvikcache_data_file:dir { write add_name remove_name };
-allow otapreopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow otapreopt dalvikcache_data_file:dir relabelto;
-allow otapreopt dalvikcache_data_file:file { relabelto link };
-
-allow otapreopt selinuxfs:dir r_dir_perms;
-
-# Check validity of SELinux context before use.
-selinux_check_context(otapreopt)
-selinux_check_access(otapreopt)
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(otapreopt, dex2oat_exec, dex2oat)
-
-# Allow otapreopt to use file descriptors from installd.
-allow otapreopt installd:fd use;
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
new file mode 100644
index 0000000..b3f8807
--- /dev/null
+++ b/otapreopt_chroot.te
@@ -0,0 +1,14 @@
+# otapreopt_chroot executable
+type otapreopt_chroot, domain;
+type otapreopt_chroot_exec, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+
+# Allow otapreopt to use file descriptors from installd.
+allow otapreopt_chroot installd:fd use;
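Review bot: The comment on the `domain_auto_trans` line names the wrong target: the macro transitions into `postinstall_dexopt`, not `postinstall_ota`, and the last comment says "otapreopt" where the subject is otapreopt_chroot; change them to `# Allow transition to postinstall_dexopt, to run otapreopt in its own sandbox.` and `# Allow otapreopt_chroot to use file descriptors from installd.` Since this domain holds `sys_admin` and `sys_chroot`, it is also worth asserting that only installd can enter it, mirroring the postinstall.te pattern in this diff: `neverallow { domain -installd } otapreopt_chroot:process { transition dyntransition };`. The installd.te hunk shows installd as the only intended parent, but device policy could add another transition without such an assertion.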
diff --git a/postinstall.te b/postinstall.te
index 938fcd2..5c261ef 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -22,3 +22,14 @@
# No domain other than update_engine should transition to postinstall, as it is
# only meant to run during the update.
neverallow { domain -update_engine } postinstall:process { transition dyntransition };
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
\ No newline at end of file
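Review bot: The file now ends without a trailing newline after the `find;` rule; the policy sources are concatenated before they are compiled, so the first line of whatever file follows is glued onto this one — harmless when it starts with a comment or a fresh statement, but worth fixing now rather than when it bites. Scoping `find` to `otadexopt_service` while granting `binder_call(postinstall, system_server)` is the right shape; a short comment that the find rule is what limits postinstall to that one service would help the next reader see that.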
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
new file mode 100644
index 0000000..dbc76df
--- /dev/null
+++ b/postinstall_dexopt.te
@@ -0,0 +1,57 @@
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain;
+
+# init_daemon_domain(otapreopt)
+allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+
+allow postinstall_dexopt postinstall_file:dir getattr;
+allow postinstall_dexopt proc:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+allow postinstall_dexopt selinuxfs:dir r_dir_perms;
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+
+# installd wants to know about our child.
+allow postinstall_dexopt installd:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
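Review bot: Nothing asserts who may transition into postinstall_dexopt, although the domain holds `chown dac_override fowner setgid setuid` plus write and relabel access to dalvikcache_data_file; postinstall.te in this same diff guards its domain with a neverallow, and the same form fits here: `neverallow { domain -otapreopt_chroot } postinstall_dexopt:process { transition dyntransition };`. The stale `# init_daemon_domain(otapreopt)` line should go or say why it is omitted, and the `proc:file { getattr open read }` and `tmpfs:file read` grants carry no comment saying which files they are for — a one-line why-comment each would keep a future reviewer from widening them further. Note that `dalvikcache_data_file:dir rw_dir_perms` is broader than the `{ write add_name remove_name }` the deleted otapreopt.te granted; if that widening is deliberate, say so in the comment above it.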
diff --git a/property.te b/property.te
index 1680245..d2a238b 100644
--- a/property.te
+++ b/property.te
@@ -12,6 +12,7 @@
type system_radio_prop, property_type, core_property_type;
type system_prop, property_type, core_property_type;
type vold_prop, property_type, core_property_type;
+type wifi_log_prop, property_type, log_property_type;
type ctl_bootanim_prop, property_type;
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
@@ -21,6 +22,7 @@
type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
type audio_prop, property_type, core_property_type;
+type log_prop, property_type, log_property_type;
type logd_prop, property_type, core_property_type;
type mmc_prop, property_type;
type restorecon_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index 1329854..70a8080 100644
--- a/property_contexts
+++ b/property_contexts
@@ -32,7 +32,8 @@
debug. u:object_r:debug_prop:s0
debug.db. u:object_r:debuggerd_prop:s0
dumpstate. u:object_r:dumpstate_prop:s0
-log. u:object_r:shell_prop:s0
+log. u:object_r:log_prop:s0
+log.tag.WifiHAL u:object_r:wifi_log_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
@@ -40,7 +41,7 @@
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
-persist.log.tag u:object_r:logd_prop:s0
+persist.log.tag u:object_r:log_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
diff --git a/shell.te b/shell.te
index a314c61..d8c6dd4 100644
--- a/shell.te
+++ b/shell.te
@@ -63,6 +63,8 @@
set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
+userdebug_or_eng(`set_prop(shell, log_prop)')
+userdebug_or_eng(`set_prop(shell, wifi_log_prop)')
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
diff --git a/system_app.te b/system_app.te
index afc2be5..b3f4b30 100644
--- a/system_app.te
+++ b/system_app.te
@@ -31,6 +31,7 @@
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
+set_prop(system_app, log_prop)
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index 1d2677e..8760182 100644
--- a/system_server.te
+++ b/system_server.te
@@ -292,6 +292,8 @@
allow system_server wallpaper_file:file relabelto;
allow system_server wallpaper_file:file { rw_file_perms unlink };
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
# ShortcutManager icons
allow system_server system_data_file:dir relabelfrom;
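Review bot: `allow system_server { system_data_file wallpaper_file }:file link;` grants hard-link creation on every system_data_file file, not only the wallpaper imagery the comment describes; a hard link is the same inode, so a link left under a more accessible directory keeps the original's contents after the original is unlinked or relabeled (the `wallpaper_file:file relabelto` line above shows relabeling is part of this flow). If the backup staging files can get their own type, `allow system_server wallpaper_file:file link;` plus that type would be the narrower grant; failing that, the comment should name the directory the temporary links live in so the rule can be revisited. Whether fs.protected_hardlinks is enabled on these builds is not visible here.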
@@ -319,6 +321,7 @@
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
set_prop(system_server, device_logging_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
set_prop(system_server, ctl_default_prop)
@@ -500,6 +503,15 @@
# Allow invoking tools like "timeout"
allow system_server toolbox_exec:file rx_file_perms;
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
###
### Neverallow rules
###
diff --git a/update_engine.te b/update_engine.te
index cf614e6..33e8134 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -1,5 +1,6 @@
# Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated;
+# update_engine uses the boot_control_hal.
+type update_engine, domain, domain_deprecated, boot_control_hal;
type update_engine_exec, exec_type, file_type;
type update_engine_data_file, file_type, data_file_type;
@@ -55,6 +56,3 @@
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
-
-# Allow read/write bootctrl block device.
-allow update_engine bootctrl_block_device:blk_file rw_file_perms;
diff --git a/update_verifier.te b/update_verifier.te
index 42567fe..65438d3 100644
--- a/update_verifier.te
+++ b/update_verifier.te
@@ -1,10 +1,8 @@
# update_verifier
-type update_verifier, domain;
+# update_verifier uses the boot_control_hal.
+type update_verifier, domain, boot_control_hal;
type update_verifier_exec, exec_type, file_type;
init_daemon_domain(update_verifier)
-# Raw writes to bootctrl block device
-allow update_verifier bootctrl_block_device:blk_file rw_file_perms;
-
# TODO: Add rules to allow update_verifier to read system_block_device.