Merge tag 'android-15.0.0_r10' of https://android.googlesource.com/platform/system/sepolicy into HEAD

Android 15.0.0 release 10

Change-Id: I692fc0d2bef64099f99933e75faedddc30e99f04

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ32Y9wAKCRDorT+BmrEO
# eGyxAJ9Ln35Ltvr7mTrR/O/uTDSpJDRTywCfc8TLiq41wnupjl6R3gb71zZqxNQ=
# =tq8k
# -----END PGP SIGNATURE-----
# gpg: Signature faite le mar 07 jan 2025 16:13:27 EST
# gpg:                avec la clef DSA 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Impossible de vérifier la signature : Pas de clef publique
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 8bdf01b..359e4ba 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -546,6 +546,8 @@
 			cmd.Text(" || true; }") // no match doesn't fail the cmd
 		}
 		cmd.Text(" > ").Output(permissiveDomains)
+		rule.Command().Text("sed").FlagWithArg("-i ", "'/backuptool/d'").Input(permissiveDomains)
+		rule.Command().Text("sed").FlagWithArg("-i ", "'/recovery/d'").Input(permissiveDomains)
 		rule.Temporary(permissiveDomains)
 
 		msg := `==========\n` +
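Review bot: The added `sed` patterns `/backuptool/d` and `/recovery/d` are unanchored substring matches, so any other permissive domain whose name merely contains `recovery` would also be stripped from `permissiveDomains` and never reach the failure message assembled below. If the file holds one domain name per line, as the preceding grep-style pipeline (`|| true; }`) suggests, anchor them: `FlagWithArg("-i ", "'/^backuptool$/d'")` and `FlagWithArg("-i ", "'/^recovery$/d'")`. Beyond the regex, this quietly exempts two domains from the permissive-domain check on every build variant, which is the check that keeps user builds fully enforcing; a comment stating why these domains may remain permissive, or limiting the exemption to userdebug/eng builds, would preserve the check's meaning. The enclosing function starts and ends outside the hunk.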
diff --git a/prebuilts/api/202404/private/domain.te b/prebuilts/api/202404/private/domain.te
index 66bce05..e3d884a 100644
--- a/prebuilts/api/202404/private/domain.te
+++ b/prebuilts/api/202404/private/domain.te
@@ -495,6 +495,7 @@
   vold
   vold_prepare_subdirs
   zygote
+  update_engine
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
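Review bot: Rewriting the frozen snapshot under `prebuilts/api/202404` (and the same rule under the other `prebuilts/api/*` versions in this diff) in lockstep with the live `private/domain.te` defeats the drift check those snapshots exist for, if they are what the sepolicy freeze/compat tests compare against; upstream only regenerates them at API-freeze time. Where the exemption is needed only in the live policy, keeping the snapshots untouched and letting the test report the difference makes the divergence reviewable instead of silent. If the snapshots must change, the commit message should say which test forced it.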
diff --git a/prebuilts/api/202404/private/gsid.te b/prebuilts/api/202404/private/gsid.te
index 9391016..7477bbe 100644
--- a/prebuilts/api/202404/private/gsid.te
+++ b/prebuilts/api/202404/private/gsid.te
@@ -173,6 +173,7 @@
     -init
     -gsid
     -fastbootd
+    -update_engine
 } gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
diff --git a/prebuilts/api/202404/public/app.te b/prebuilts/api/202404/public/app.te
index b539913..1dbcfbb 100644
--- a/prebuilts/api/202404/public/app.te
+++ b/prebuilts/api/202404/public/app.te
@@ -157,7 +157,8 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+    kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/202404/public/domain.te b/prebuilts/api/202404/public/domain.te
index 0a2a5e5..b1d888c 100644
--- a/prebuilts/api/202404/public/domain.te
+++ b/prebuilts/api/202404/public/domain.te
@@ -375,6 +375,7 @@
   -init
   -ueventd
   -vold
+  -recovery
 } self:global_capability_class_set mknod;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -493,19 +494,20 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -update_engine
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
@@ -1102,6 +1104,7 @@
   -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
+  -update_engine
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/30.0/private/gsid.te b/prebuilts/api/30.0/private/gsid.te
index 3ff9d67..aec3a52 100644
--- a/prebuilts/api/30.0/private/gsid.te
+++ b/prebuilts/api/30.0/private/gsid.te
@@ -144,6 +144,7 @@
     -fastbootd
     -recovery
     -vold
+    -update_engine
 } gsi_metadata_file:dir *;
 
 neverallow {
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index c892d9e..04e7bdd 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -516,7 +516,7 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -platform_app -priv_app -shell } kernel:system { syslog_read syslog_mod syslog_console };
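Review bot: The exclusion list on this line omits `system_app`, while the same rule in the 31.0–34.0 and 202404 snapshots and in `private/app.te` reads `{ appdomain -system_app -shell -platform_app -priv_app }`; unless 30.0 deliberately keeps `system_app` denied, the snapshots now disagree about which app domains may touch the kernel syslog. Pick one set and apply it consistently, or leave a comment on this line explaining why 30.0 differs.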
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index c151b95..a69e358 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -473,20 +473,21 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -update_engine
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+neverallow { domain -init -coredomain } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
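Review bot: The `-coredomain` exclusion added to the `mounton` neverallow (`neverallow { domain -init -coredomain } { system_file_type vendor_file_type }:dir_file_class_set mounton;`) lets every core-system domain mount over `/system` and `/vendor` directories, a far wider exemption than the `update_engine`-specific carve-outs elsewhere in the hunk, and one that no other snapshot or the live `private/domain.te` receives in this diff. Mounting over system paths is a standard way to substitute content under a trusted label, so if a single domain needs it, name it: `neverallow { domain -init -update_engine } { system_file_type vendor_file_type }:dir_file_class_set mounton;`. The write neverallow at the top of the hunk begins above the visible lines.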
@@ -630,6 +631,7 @@
 # system services cant add vendor services
 neverallow {
   coredomain
+  -update_engine
 } vendor_service:service_manager add;
 
 full_treble_only(`
@@ -1151,6 +1153,7 @@
   -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
+  -update_engine
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/31.0/private/domain.te b/prebuilts/api/31.0/private/domain.te
index b91d36d..d97cd2b 100644
--- a/prebuilts/api/31.0/private/domain.te
+++ b/prebuilts/api/31.0/private/domain.te
@@ -338,6 +338,7 @@
   vold
   vold_prepare_subdirs
   zygote
+  update_engine
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/31.0/private/gsid.te b/prebuilts/api/31.0/private/gsid.te
index 8a13cb1..da200bd 100644
--- a/prebuilts/api/31.0/private/gsid.te
+++ b/prebuilts/api/31.0/private/gsid.te
@@ -166,6 +166,7 @@
     -init
     -gsid
     -fastbootd
+    -update_engine
 } gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
diff --git a/prebuilts/api/31.0/public/app.te b/prebuilts/api/31.0/public/app.te
index 5527f99..7b8a95a 100644
--- a/prebuilts/api/31.0/public/app.te
+++ b/prebuilts/api/31.0/public/app.te
@@ -534,7 +534,8 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+    kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
index 799a2f1..6dffaa1 100644
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@@ -493,19 +493,20 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -update_engine
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
@@ -642,6 +643,7 @@
 # system services cant add vendor services
 neverallow {
   coredomain
+  -update_engine
 } vendor_service:service_manager add;
 
 full_treble_only(`
@@ -1141,6 +1143,7 @@
   -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
+  -update_engine
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/32.0/private/domain.te b/prebuilts/api/32.0/private/domain.te
index b91d36d..d97cd2b 100644
--- a/prebuilts/api/32.0/private/domain.te
+++ b/prebuilts/api/32.0/private/domain.te
@@ -338,6 +338,7 @@
   vold
   vold_prepare_subdirs
   zygote
+  update_engine
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/32.0/private/gsid.te b/prebuilts/api/32.0/private/gsid.te
index 8a13cb1..da200bd 100644
--- a/prebuilts/api/32.0/private/gsid.te
+++ b/prebuilts/api/32.0/private/gsid.te
@@ -166,6 +166,7 @@
     -init
     -gsid
     -fastbootd
+    -update_engine
 } gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
diff --git a/prebuilts/api/32.0/public/app.te b/prebuilts/api/32.0/public/app.te
index 5527f99..7b8a95a 100644
--- a/prebuilts/api/32.0/public/app.te
+++ b/prebuilts/api/32.0/public/app.te
@@ -534,7 +534,8 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+    kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/32.0/public/domain.te b/prebuilts/api/32.0/public/domain.te
index 799a2f1..6dffaa1 100644
--- a/prebuilts/api/32.0/public/domain.te
+++ b/prebuilts/api/32.0/public/domain.te
@@ -493,19 +493,20 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -update_engine
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
@@ -642,6 +643,7 @@
 # system services cant add vendor services
 neverallow {
   coredomain
+  -update_engine
 } vendor_service:service_manager add;
 
 full_treble_only(`
@@ -1141,6 +1143,7 @@
   -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
+  -update_engine
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/33.0/private/domain.te b/prebuilts/api/33.0/private/domain.te
index bcb9d52..f99bb52 100644
--- a/prebuilts/api/33.0/private/domain.te
+++ b/prebuilts/api/33.0/private/domain.te
@@ -389,6 +389,7 @@
   vold
   vold_prepare_subdirs
   zygote
+  update_engine
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/33.0/private/gsid.te b/prebuilts/api/33.0/private/gsid.te
index e795cea..e4117a2 100644
--- a/prebuilts/api/33.0/private/gsid.te
+++ b/prebuilts/api/33.0/private/gsid.te
@@ -173,6 +173,7 @@
     -init
     -gsid
     -fastbootd
+    -update_engine
 } gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
diff --git a/prebuilts/api/33.0/public/app.te b/prebuilts/api/33.0/public/app.te
index de3d0ca..6327f38 100644
--- a/prebuilts/api/33.0/public/app.te
+++ b/prebuilts/api/33.0/public/app.te
@@ -166,7 +166,8 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+    kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index de529f5..8727355 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -386,6 +386,7 @@
   -init
   -ueventd
   -vold
+  -recovery
 } self:global_capability_class_set mknod;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -500,19 +501,20 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -update_engine
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
@@ -630,6 +632,7 @@
 # system services cant add vendor services
 neverallow {
   coredomain
+  -update_engine
 } vendor_service:service_manager add;
 
 full_treble_only(`
@@ -1116,6 +1119,7 @@
   -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
+  -update_engine
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index f98a285..fb45a9d 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -466,6 +466,7 @@
   vold
   vold_prepare_subdirs
   zygote
+  update_engine
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
diff --git a/prebuilts/api/34.0/private/gsid.te b/prebuilts/api/34.0/private/gsid.te
index 9391016..7477bbe 100644
--- a/prebuilts/api/34.0/private/gsid.te
+++ b/prebuilts/api/34.0/private/gsid.te
@@ -173,6 +173,7 @@
     -init
     -gsid
     -fastbootd
+    -update_engine
 } gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
diff --git a/prebuilts/api/34.0/public/app.te b/prebuilts/api/34.0/public/app.te
index da59f32..1c24cea 100644
--- a/prebuilts/api/34.0/public/app.te
+++ b/prebuilts/api/34.0/public/app.te
@@ -156,7 +156,8 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+    kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index d4be205..03955e3 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -361,6 +361,7 @@
   -init
   -ueventd
   -vold
+  -recovery
 } self:global_capability_class_set mknod;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -475,19 +476,20 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -update_engine
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
@@ -1084,6 +1086,7 @@
   -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
+  -update_engine
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
diff --git a/private/app.te b/private/app.te
index 6362c7d..e0ed877 100644
--- a/private/app.te
+++ b/private/app.te
@@ -654,7 +654,8 @@
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+neverallow { appdomain -system_app -shell -platform_app -priv_app }
+    kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
 neverallow { appdomain -shell } *:security { compute_av check_context };
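Review bot: Removing `system_app`, `platform_app`, `priv_app` and `shell` from this neverallow drops the guard that kept all application domains away from `syslog_read`, `syslog_mod` and `syslog_console` on `kernel:system`; the kernel log carries kernel addresses and driver state, which is why it is normally gated by `dmesg_restrict` and by this rule. Nothing in the hunk grants the access, but once the neverallow is relaxed a later `allow` compiles without complaint. If one privileged app domain needs to read the log, exclude only that domain and only `syslog_read`, and keep the modifying permissions denied for every app: `neverallow appdomain kernel:system { syslog_mod syslog_console };` alongside the narrowed `syslog_read` rule.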
diff --git a/private/domain.te b/private/domain.te
index e9cc7f5..fe10001 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -619,6 +619,7 @@
   -init
   -ueventd
   -vold
+  -recovery
 } self:global_capability_class_set mknod;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
@@ -737,19 +738,20 @@
     domain
     with_asan(`-asan_extract')
     recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -update_engine
 } {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -update_engine -coredomain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery -update_engine } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
@@ -1343,6 +1345,7 @@
   -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
+  -update_engine
   with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
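Review bot: The `-update_engine` exclusion from `system_data_file:file no_w_file_perms` lacks the per-operation comment its neighbours carry (`# For unlink`, `# for relabelfrom and unlink`), so it is unclear whether update_engine needs to create, write or merely unlink generic `/data` files. Write access to generic `system_data_file` content from the updater is wide; if it only needs its own scratch directory, a dedicated file type for that path avoids touching this neverallow, and otherwise `-update_engine # for <operation> on <path>` records the reason. The neverallow's source set begins above the hunk.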
@@ -1914,6 +1917,7 @@
   vold
   vold_prepare_subdirs
   zygote
+  update_engine
 }')
 neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # Since the kernel checks dac_read_search before dac_override, domains that
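Review bot: Adding `update_engine` to `dac_override_allowed` grants the strongest DAC bypass, while the comment right below this hunk notes that the kernel consults `dac_read_search` first; if update_engine only needs to traverse or read directories it does not own, the weaker `dac_read_search` (presumably via the allowlist this file keeps for that capability) would cover it without a write-side override. A short comment on which path or operation forces `dac_override` would make the choice reviewable. The allowlist's beginning is above the hunk.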
diff --git a/private/gsid.te b/private/gsid.te
index 9391016..7477bbe 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -173,6 +173,7 @@
     -init
     -gsid
     -fastbootd
+    -update_engine
 } gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
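Review bot: Exempting `update_engine` from the `gsi_metadata_file_type:dir no_w_dir_perms` neverallow lets it create or delete entries in the metadata that presumably governs DSU/GSI installation, state that the existing exemptions (`init`, `gsid`, `fastbootd`) own. Read access does not require relaxing this rule, so if update_engine only inspects that state the exclusion should be dropped; if it really writes there, a comment naming the file it touches (and whether `gsid` could perform the write on its behalf) would justify it. The neverallow's source set begins above the hunk, and the same exemption recurs in every snapshot in this diff.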