Merge "SELinux policy for new managed system update APIs"

private/system_server.te

@@ -190,6 +190,7 @@ binder_call(system_server, incidentd)
 binder_call(system_server, netd)
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
+binder_call(system_server, update_engine)
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
 binder_call(system_server, wpantund)
@@ -344,6 +345,10 @@ allow system_server audio_device:chr_file rw_file_perms;
 allow system_server tun_device:chr_file rw_file_perms;
 allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
 
+# Manage data/ota_package
+allow system_server ota_package_file:dir rw_dir_perms;
+allow system_server ota_package_file:file create_file_perms;
+
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
@@ -680,6 +685,7 @@ allow system_server stats_service:service_manager find;
 allow system_server thermal_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server update_engine_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 userdebug_or_eng(`

public/update_engine.te

@@ -39,6 +39,9 @@ add_service(update_engine, update_engine_service)
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
 
+# Allow update_engine to call the callback function provided by system_server.
+binder_call(update_engine, system_server)
+
 # Read OTA zip file at /data/ota_package/.
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;