1 files changed, 7 insertions, 0 deletions

diff --git a/install/install.cpp b/install/install.cpp
index 1b220cb39..6e74f80ab 100644
--- a/install/install.cpp
+++ b/install/install.cpp
@@ -47,6 +47,7 @@
 #include <android-base/unique_fd.h>
 
 #include "install/package.h"
+#include "install/spl_check.h"
 #include "install/verifier.h"
 #include "install/wipe_data.h"
 #include "otautil/error_code.h"
@@ -348,6 +349,12 @@ static InstallResult TryUpdateBinary(Package* package, bool* wipe_cache,
       android::base::GetBoolProperty("ro.virtual_ab.allow_non_ab", false);
   bool device_only_supports_ab = device_supports_ab && !ab_device_supports_nonab;
 
+  const auto current_spl = android::base::GetProperty("ro.build.version.security_patch", "");
+  if (ViolatesSPLDowngrade(zip, current_spl)) {
+    LOG(ERROR) << "Denying OTA because it's SPL downgrade";
+    return INSTALL_ERROR;
+  }
+
   if (package_is_ab) {
     CHECK(package->GetType() == PackageType::kFile);
   }