Add neverallow rule for set_context_mgr.

Change-Id: Ie7c2bf623dcfe246fa5e60b0775b6bb38869d8cb
2014-12-05 14:30:30 -08:00 · 2014-12-05 14:30:30 -08:00 · 76f3fe33d7
commit 76f3fe33d7
parent 0be02b360f
1 changed files with 3 additions and 0 deletions
--- a/domain.te
+++ b/domain.te
@ -329,3 +329,6 @@ neverallow { domain -recovery } system_block_device:blk_file write;

 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+
+# Only servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager } *:binder set_context_mgr;