All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it. Of course we cannot truly
test until it is released into AOSP, but this prepares the way
and potentially allows for internal testing and collection of denials.
Change-Id: I800ab23baee1c84b7c4cf7399b17611a62ca6804
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
