Merge "Sepolicy for dumsys suspend_control in bugreport"
diff --git a/apex/Android.bp b/apex/Android.bp
index 2347bc2..53303c6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -77,6 +77,13 @@
}
filegroup {
+ name: "com.android.geotz-file_contexts",
+ srcs: [
+ "com.android.geotz-file_contexts",
+ ],
+}
+
+filegroup {
name: "com.android.gki-file_contexts",
srcs: [
"com.android.gki-file_contexts",
diff --git a/apex/com.android.geotz-file_contexts b/apex/com.android.geotz-file_contexts
new file mode 100644
index 0000000..1918e73
--- /dev/null
+++ b/apex/com.android.geotz-file_contexts
@@ -0,0 +1,4 @@
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
diff --git a/private/app.te b/private/app.te
index ab9cf3c..dacea29 100644
--- a/private/app.te
+++ b/private/app.te
@@ -59,3 +59,6 @@
# Allow to read persist.config.calibration_fac
get_prop(appdomain, camera_calibration_prop)
+
+# Allow to read db.log.detailed, db.log.slow_query_threshold*
+get_prop(appdomain, sqlite_log_prop)
diff --git a/private/attributes b/private/attributes
index e01b212..3d18d71 100644
--- a/private/attributes
+++ b/private/attributes
@@ -1 +1,6 @@
hal_attribute(lazy_test);
+
+# This is applied to apps on vendor images with SDK <=30 only,
+# to exempt them from recent mls changes. It must not be applied
+# to any domain on newer system or vendor image.
+attribute mlsvendorcompat;
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 30af58c..2e85b23 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -3,3 +3,9 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index af4da8a..ccd9d1a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,9 @@
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
+
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9cc23b4..49a5a77 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1302,6 +1302,7 @@
build_config_prop
init_service_status_private_prop
setupwizard_prop
+ sqlite_log_prop
verity_status_prop
zygote_wrap_prop
))
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index 628abfc..97c5874 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -1 +1,10 @@
-;; This file can't be empty.
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+
+;; TODO: Once 30.0 is no longer supported for vendor images,
+;; mlsvendorcompat can be completely from the system policy.
+(typeattributeset mlsvendorcompat (and appdomain vendordomain))
+(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
+(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
+(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 4e7d20d..78b7929 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -8,7 +8,9 @@
ab_update_gki_prop
adbd_config_prop
apex_info_file
+ cgroup_desc_api_file
cgroup_v2
+ ctl_snapuserd_prop
debugfs_kprobes
device_config_profcollect_native_boot_prop
device_state_service
@@ -45,6 +47,7 @@
sysfs_devices_cs_etm
system_server_dumper_service
system_suspend_control_internal_service
+ task_profiles_api_file
update_engine_stable_service
userspace_reboot_metadata_file
vcn_management_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 3450010..fe3e1ae 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -12,6 +12,7 @@
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
diff --git a/private/domain.te b/private/domain.te
index 5cc313a..84fa107 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -57,6 +57,7 @@
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
+allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
@@ -437,3 +438,9 @@
-vndk_sp_file
}:file *;
')
+
+# mlsvendorcompat is only for compatibility support for older vendor
+# images, and should not be granted to any domain in current policy.
+# (Every domain is allowed self:fork, so this will trigger if the
+# intsersection of domain & mlsvendorcompat is not empty.)
+neverallow domain mlsvendorcompat:process fork;
diff --git a/private/file_contexts b/private/file_contexts
index abd9ad0..d39b349 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -94,7 +94,7 @@
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dm-user/.+ u:object_r:dm_user_device:s0
+/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
@@ -322,6 +322,7 @@
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
+/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -339,6 +340,7 @@
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
+/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index b30ee6c..de5f37e 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -11,6 +11,8 @@
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
+set_prop(flags_health_check, device_config_statsd_native_prop)
+set_prop(flags_health_check, device_config_statsd_native_boot_prop)
set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
diff --git a/private/mls b/private/mls
index 593b316..0e0995c 100644
--- a/private/mls
+++ b/private/mls
@@ -74,7 +74,8 @@
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
diff --git a/private/property.te b/private/property.te
index 9a600cf..480d3e3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,6 +1,9 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_statsd_native_prop)
+system_internal_prop(device_config_statsd_native_boot_prop)
system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
system_internal_prop(device_config_window_manager_native_boot_prop)
@@ -524,3 +527,13 @@
-dumpstate
-vendor_init
} build_config_prop:file no_rw_file_perms;
+
+neverallow {
+ -init
+ -shell
+} sqlite_log_prop:property_service set;
+
+neverallow {
+ -coredomain
+ -appdomain
+} sqlite_log_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index 576887b..18f6412 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -172,6 +172,11 @@
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+# Restrict access to control snapuserd
+ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
+ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -224,6 +229,8 @@
persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
+persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
@@ -1026,6 +1033,8 @@
graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
+ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
+
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
@@ -1070,3 +1079,7 @@
setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
+
+db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
+db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
+db.log.slow_query_threshold.* u:object_r:sqlite_log_prop:s0 prefix int
diff --git a/private/shell.te b/private/shell.te
index b4d3505..0e94cd1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -127,6 +127,7 @@
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
+set_prop(shell, ctl_snapuserd_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
@@ -164,3 +165,6 @@
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };
+
+# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
+set_prop(shell, sqlite_log_prop)
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 4632240..99ee90f 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -1,4 +1,6 @@
# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
typeattribute snapuserd coredomain;
@@ -12,4 +14,5 @@
allow snapuserd dm_device:blk_file rw_file_perms;
# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
diff --git a/private/statsd.te b/private/statsd.te
index 1483156..444d82e 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -21,3 +21,7 @@
# Allow statsd to retrieve SF statistics over binder
binder_call(statsd, surfaceflinger);
+
+# Allow statsd to read its system properties
+get_prop(statsd, device_config_statsd_native_prop)
+get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/private/system_server.te b/private/system_server.te
index a60c327..78abdff 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -627,6 +627,8 @@
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
set_prop(system_server, device_config_profcollect_native_boot_prop)
+set_prop(system_server, device_config_statsd_native_prop)
+set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
diff --git a/private/update_engine.te b/private/update_engine.te
index a33e675..8e09154 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -9,6 +9,9 @@
# Allow to start gsid service.
set_prop(update_engine, ctl_gsid_prop)
+# Allow to start snapuserd for dm-user communication.
+set_prop(update_engine, ctl_snapuserd_prop)
+
# Allow to set the OTA related properties, e.g. ota.warm_reset.
set_prop(update_engine, ota_prop)
@@ -17,3 +20,7 @@
# Allow update_engine to call the callback function provided by GKI update hook.
binder_call(update_engine, gki_apex_prepostinstall)
+
+# Allow to communicate with the snapuserd service, for dm-user snapshots.
+allow update_engine snapuserd:unix_stream_socket connectto;
+allow update_engine snapuserd_socket:sock_file write;
diff --git a/public/domain.te b/public/domain.te
index d4f5a85..d4274e1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1039,6 +1039,7 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
+ -task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
}:file *;
diff --git a/public/file.te b/public/file.te
index 782ea40..021779c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -183,10 +183,14 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
+# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
+type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
+# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
+type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
diff --git a/public/init.te b/public/init.te
index 805d9c2..0bbeb29 100644
--- a/public/init.te
+++ b/public/init.te
@@ -27,7 +27,7 @@
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
-allow init { device socket_device }:dir relabelto;
+allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
@@ -123,6 +123,7 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
+allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
# /config
diff --git a/public/property.te b/public/property.te
index cb3b91d..4afc2a0 100644
--- a/public/property.te
+++ b/public/property.te
@@ -77,6 +77,7 @@
system_restricted_prop(restorecon_prop)
system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
+system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
diff --git a/public/shell.te b/public/shell.te
index fa9079c..1e73e49 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -122,6 +122,9 @@
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
+allow shell cgroup_desc_file:file r_file_perms;
+allow shell cgroup_desc_api_file:file r_file_perms;
+allow shell vendor_cgroup_desc_file:file r_file_perms;
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/snapuserd.te b/public/snapuserd.te
deleted file mode 100644
index 2dd2db2..0000000
--- a/public/snapuserd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index d110238..dd90fbc 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -65,6 +65,10 @@
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;
+# read /dev/dm-user, so that we can inotify wait for control devices to be
+# asynchronously created by ueventd.
+allow update_engine dm_user_device:dir r_dir_perms;
+
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;