Allow binder calls from system app to update engine
Allow system_app to call update_engine, and allow update_engine
to call the callback registered by the system app.
Test: m Settings && adb install -r
$ANDROID_PRODUCT_OUT/system_ext/priv-app/Settings/Settings.apk,
Update using 16k dev option.
Bug: 295573133
Change-Id: Ice7e75f86283637ad67a675682ecd0d27038d9e7
diff --git a/private/system_app.te b/private/system_app.te
index 31e10bb..447d944 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,6 +83,12 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps (Settings) to call into update_engine
+# in order to apply update to switch from 4k kernel to 16K and vice-versa
+binder_use(system_app)
+allow system_app update_engine_stable_service:service_manager find;
+binder_call(system_app, update_engine)
+
# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)
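Review bot: The three added rules grant access to the whole `system_app` domain, while the comment above them names only Settings; SELinux policy cannot tell Settings apart from any other process labelled `system_app`, so every such process may now find `update_engine_stable_service` and call `update_engine`. The same applies to `binder_call(update_engine, system_app)` in the private/update_engine.te hunk, which at the policy level lets update_engine call into any `system_app` process, not only the Settings callback. I would make the comment say so, e.g. `# Grants every system_app process (not only Settings) access to update_engine; caller checks must live in update_engine itself.`, and confirm that update_engine validates the caller and the payload, which is not visible from this diff. `binder_use(system_app)` also looks redundant if system_app already receives it through the appdomain attribute; verify that and drop the line if so.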
diff --git a/private/update_engine.te b/private/update_engine.te
index c9511f7..862a62a 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -22,6 +22,10 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+# Allow update_engine to call the callback function by settings app
+# for the kernel update triggered using 16k developer option
+binder_call(update_engine, system_app)
+
# Allow to communicate with the snapuserd service, for dm-user snapshots.
allow update_engine snapuserd:unix_stream_socket connectto;
allow update_engine snapuserd_socket:sock_file write;