Merge "bootstat: Fix the SELinux policy after removing domain_deprecated."
diff --git a/priv_app.te b/priv_app.te
index dc792e8..68b588c 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -72,6 +72,10 @@
allow priv_app sysfs_zram:dir search;
allow priv_app sysfs_zram:file r_file_perms;
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(priv_app, update_engine)
+allow priv_app update_engine_service:service_manager find;
+
###
### neverallow rules
###
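Review bot: The two added rules apply to the whole `priv_app` domain although the comment names only GMS core, so every privileged app can look up `update_engine_service` and make binder calls into `update_engine`. Nothing in this hunk narrows that, so caller authorization has to happen inside update_engine's binder interface, which is not visible here. I would say so in the comment, e.g. `# Granted to all of priv_app; update_engine must check the caller itself.`, or confirm that a narrower domain is not feasible. The matching `binder_call(update_engine, priv_app)` in update_engine.te has the same breadth in the other direction.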
diff --git a/service.te b/service.te
index bac387f..70bb34c 100644
--- a/service.te
+++ b/service.te
@@ -11,6 +11,7 @@
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
type system_app_service, service_manager_type;
+type update_engine_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 85dcd3d..4116383 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,6 +2,7 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0
+android.os.IUpdateEngine u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
appops u:object_r:appops_service:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 5d1199d..fbe1dd0 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -38,12 +38,8 @@
set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
-# Use open file provided by bootanim.
-allow surfaceflinger bootanim:fd use;
-
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
diff --git a/system_app.te b/system_app.te
index 8589a9d..5e66acd 100644
--- a/system_app.te
+++ b/system_app.te
@@ -12,10 +12,6 @@
allow system_app system_app_data_file:dir create_dir_perms;
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-# Read /data/misc/keychain subdirectory.
-allow system_app keychain_data_file:dir r_dir_perms;
-allow system_app keychain_data_file:file r_file_perms;
-
# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
diff --git a/system_server.te b/system_server.te
index d0cb229..eae67ed 100644
--- a/system_server.te
+++ b/system_server.te
@@ -443,6 +443,12 @@
allow system_server vold:fd use;
allow system_server fuse_device:chr_file { read write ioctl };
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
###
### Neverallow rules
###
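Review bot: The adbd socket rules are added unconditionally, so `system_server` may connect to adbd's unix stream socket and use descriptors passed from it on every build type, while the comment gives JDWP as the only use. If system_server speaks JDWP only on debuggable builds (I cannot tell from this hunk), wrapping the three rules in the `userdebug_or_eng` macro would keep the grant off user builds. If the rules are needed everywhere, the comment should say why. The two `unix_stream_socket` rules could also be merged into one permission set.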
diff --git a/update_engine.te b/update_engine.te
index ea7fcaf..3fbfd8a 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -26,3 +26,10 @@
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+allow update_engine update_engine_service:service_manager { add };
+
+# Allow update_engine to call the callback function provided by priv_app.
+binder_call(update_engine, priv_app)
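Review bot: Nothing pins who may register `update_engine_service`: the hunk allows update_engine to `add` it, but no neverallow stops a later rule from granting `add` to another domain, which could then present itself as the update service to priv_app callers. Assuming no existing rule conflicts, I would add `neverallow { domain -update_engine } update_engine_service:service_manager add;` next to the allow rule. The braces in `{ add }` are unnecessary for a single permission.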