344fc109e9
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
(cherry picked from commit b8511e0d98)
Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
24 lines
767 B
Text
24 lines
767 B
Text
###
|
|
### Services with isolatedProcess=true in their manifest.
|
|
###
|
|
### This file defines the rules for isolated apps. An "isolated
|
|
### app" is an APP with UID between AID_ISOLATED_START (99000)
|
|
### and AID_ISOLATED_END (99999).
|
|
###
|
|
### isolated_app includes all the appdomain rules, plus the
|
|
### additional following rules:
|
|
###
|
|
|
|
type isolated_app, domain;
|
|
app_domain(isolated_app)
|
|
net_domain(isolated_app)
|
|
|
|
# read and write access to app_data_file is already
|
|
# granted via app.te. Allow execute.
|
|
# Needed to allow dlopen() from Chrome renderer processes.
|
|
# See b/15902433 for details.
|
|
allow isolated_app app_data_file:file execute;
|
|
|
|
# Audited locally.
|
|
service_manager_local_audit_domain(isolated_app)
|
|
auditallow isolated_app service_manager_type:service_manager find;
|