-rw-r--r-- | common/private/backuptool.te | 5 | ||||
-rw-r--r-- | common/private/update_engine.te | 13 |
2 files changed, 10 insertions, 8 deletions
diff --git a/common/private/backuptool.te b/common/private/backuptool.te
new file mode 100644
index 0000000..f5a9b2d
--- /dev/null
+++ b/common/private/backuptool.te
@@ -0,0 +1,5 @@
+type backuptool, domain, coredomain;
+
+permissive backuptool;
+
+neverallow { domain -update_engine } backuptool:process transition;
diff --git a/common/private/update_engine.te b/common/private/update_engine.te
index 309699a..c257b03 100644
--- a/common/private/update_engine.te
+++ b/common/private/update_engine.te
@@ -1,13 +1,10 @@
-allow update_engine self:capability { dac_override dac_read_search sys_rawio };
-
+# Read updates from storage data
 r_dir_file(update_engine, mnt_user_file)
 r_dir_file(update_engine, storage_file)
 
-allow update_engine self:capability { chown fsetid sys_rawio };
-
+# Allow mount and unmount of system partition
 allow update_engine labeledfs:filesystem { mount unmount };
 
-allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms;
-allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms;
-allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms;
-allow update_engine { rootfs system_file }:file { relabelfrom relabelto };
+# Allow transition to backuptool domain
+allow update_engine self:process setexec;
+domain_trans(update_engine, otapreopt_chroot_exec, backuptool)
|
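Review bot: `permissive backuptool;` leaves this new coredomain unenforced, so whatever update_engine launches into it runs with denials logged but never blocked. The capability, write and relabel rules this commit removes from update_engine.te are in effect replaced by no policy at all rather than by a narrower one. If this is a bring-up step, say so above the line, e.g. `# TODO: permissive only until the needed allow rules are collected from audit logs`, and check it against user builds, which in AOSP normally reject permissive domains. The neverallow covers only `transition`; widening it to `backuptool:process { transition dyntransition };` would close the other way into the domain.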
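Review bot: `domain_trans(update_engine, otapreopt_chroot_exec, backuptool)` makes every file labelled `otapreopt_chroot_exec` an entry point into backuptool, which the other file in this commit declares permissive. A dedicated exec type for the backup script (a new type, named here only as an example: `backuptool_exec`) would keep the otapreopt_chroot binary from doubling as a way into the unenforced domain. The file_contexts labelling is not part of this diff, so confirm what carries that label today. The comment above `allow update_engine self:process setexec;` could also state why the transition is explicit rather than automatic, for instance `# domain_trans, not domain_auto_trans: caller is expected to set the exec context itself (confirm)`.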