platform_system_sepolicy/private/permissioncontroller_app.te
Hai Zhang 04db97a72d Add SELinux policy for legacy permission service.
The updatable and non-updatable permission manager cannot share one
AIDL, so we need to create a new system service for the non-updatable
legacy one, and add the SELinux policy for it.

Bug: 158736025
Test: presubmit
Change-Id: Ief8da6335e5bfb17d915d707cf48f4a43332f6ae
2020-12-04 14:43:33 -08:00

42 lines
2 KiB
Text

###
### A domain for further sandboxing the GooglePermissionController app.
###
type permissioncontroller_app, domain, coredomain;
app_domain(permissioncontroller_app)
# Allow interaction with gpuservice
binder_call(permissioncontroller_app, gpuservice)
allow permissioncontroller_app gpu_service:service_manager find;
# Allow interaction with role_service
allow permissioncontroller_app role_service:service_manager find;
# Allow interaction with usagestats_service
allow permissioncontroller_app usagestats_service:service_manager find;
# Allow interaction with activity_service
allow permissioncontroller_app activity_service:service_manager find;
# Allow interaction with legacy_permission_service
allow permissioncontroller_app legacy_permission_service:service_manager find;
allow permissioncontroller_app activity_task_service:service_manager find;
allow permissioncontroller_app audio_service:service_manager find;
allow permissioncontroller_app autofill_service:service_manager find;
allow permissioncontroller_app content_capture_service:service_manager find;
allow permissioncontroller_app device_policy_service:service_manager find;
allow permissioncontroller_app incidentcompanion_service:service_manager find;
allow permissioncontroller_app IProxyService_service:service_manager find;
allow permissioncontroller_app location_service:service_manager find;
allow permissioncontroller_app media_session_service:service_manager find;
allow permissioncontroller_app radio_service:service_manager find;
allow permissioncontroller_app surfaceflinger_service:service_manager find;
allow permissioncontroller_app telecom_service:service_manager find;
allow permissioncontroller_app trust_service:service_manager find;
# Allow the app to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow permissioncontroller_app incident_service:service_manager find;
binder_call(permissioncontroller_app, incidentd)
allow permissioncontroller_app incidentd:fifo_file { read write };