Merge "selinux rules for codec process" into nyc-dev
diff --git a/service_contexts b/service_contexts
index 125a54f..fe58082 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,7 +2,7 @@
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
-android.os.IUpdateEngine                  u:object_r:update_engine_service:s0
+android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 appops                                    u:object_r:appops_service:s0
diff --git a/untrusted_app.te b/untrusted_app.te
index 33a6171..2077e83 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -155,3 +155,21 @@
 # Do not allow untrusted_app to set system properties.
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app property_type:property_service set;
+
+# Do not allow untrusted_app to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow untrusted_app {
+  fs_type
+  -fuse                     # sdcard
+  file_type
+  -app_data_file            # The apps sandbox itself
+  -media_rw_data_file       # Internal storage. Known that apps can
+                            # leave artfacts here after uninstall.
+  userdebug_or_eng(`
+    -method_trace_data_file # only on ro.debuggable=1
+    -coredump_file          # userdebug/eng only
+  ')
+}:dir_file_class_set { create unlink };
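Review bot: The comment on the `-media_rw_data_file` exclusion has a typo, `artfacts` → `artifacts`, and the header comment undersells the rule: `dir_file_class_set` covers directories and special files as well, so `# Do not allow untrusted_app to create/unlink files or directories outside of its sandbox,` would describe the assertion more accurately. The exclusion list is the security-relevant part of this neverallow and each entry already carries a reason, which is good; the `userdebug_or_eng` block could additionally state that those two types are not reachable on user builds so the weaker assertion there is intentional. The hunk's first line is in the middle of the file's existing neverallow section, so this note applies to the new rule only.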
diff --git a/update_engine.te b/update_engine.te
index 3fbfd8a..39b9936 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -33,3 +33,6 @@
 
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
+
+# Allow read/write bootctrl block device.
+allow update_engine bootctrl_block_device:blk_file rw_file_perms;
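Review bot: The new rule grants `rw_file_perms` on `bootctrl_block_device`, which includes write and ioctl on a block device, but the comment only restates the permission set rather than why write access is needed; a reader auditing this later wants the reason, e.g. `# update_engine must read and write the bootctrl block device (presumably the A/B slot metadata); read-only would not suffice.` — confirm the exact need before committing that wording. If ioctl is not actually used on that device, `{ open read write getattr lock append }` would be narrower than `rw_file_perms`, though I cannot tell from the hunk. The declaration of `bootctrl_block_device` is not visible in this diff, so I assume it exists elsewhere in the policy.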
diff --git a/zygote.te b/zygote.te
index 67fd621..2255804 100644
--- a/zygote.te
+++ b/zygote.te
@@ -81,6 +81,28 @@
 ')
 
 ###
+### A/B OTA
+###
+
+# The zygote is responsible for detecting A/B OTA artifacts and moving them into
+# the actual dalvik-cache.
+
+# Allow zygote access to files in /data/ota.
+# This includes reading symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot
+# images, where the oat file is symlinked to the original file in /system.
+r_dir_file(zygote, ota_data_file)
+
+# The zygote renames the OTA dalvik-cache to the regular dalvik-cache.
+allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
+
+# And needs to relabel the entries, so as to have the dalvikcache_data_file label.
+allow zygote ota_data_file:{ dir file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file } relabelto;
+
+# The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+allow zygote ota_data_file:dir rmdir;
+
+###
 ### neverallow rules
 ###
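Review bot: The relabel rules cover only `{ dir file }`, yet the comment above `r_dir_file(zygote, ota_data_file)` says /data/ota/dalvik-cache contains symlinks for PIC-mode boot images; if the directory rename carries those symlinks across, they keep the `ota_data_file` label inside the real dalvik-cache. Either extend both rules, `allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;` and `allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;`, or add a comment stating that symlinks are recreated rather than moved, whichever matches the zygote code. Since `relabelto dalvikcache_data_file` effectively promotes OTA-delivered content to the label the runtime loads from, the block comment should also say which domain is trusted to populate /data/ota so the grant is auditable later. Zygote's `rw_dir_perms` on the target `dalvikcache_data_file` directory is presumably granted elsewhere; it is not in this hunk.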