606d2fd665
Introduce the add_service() macro which wraps up add/find permissions for the source domain with a neverallow preventing others from adding it. Only a particular domain should add a particular service. Use the add_service() macro to automatically add a neverallow that prevents other domains from adding the service. mediadrmserver was adding services labeled mediaserver_service. Drop the add permission as it should just need the find permission. Additionally, the macro adds the { add find } permission which causes some existing neverallow's to assert. Adjust those neverallow's so "self" can always find. Test: compile and run on hikey and emulator. No new denials were found, and all services, where applicable, seem to be running OK. Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c Signed-off-by: William Roberts <william.c.roberts@intel.com>
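# SELinux policy for the fingerprintd domain and its executable type.
# NOTE(review): domain_deprecated is a transitional attribute; presumably it
# pulls in legacy rules beyond the ones listed in this file. Check what the
# domain actually uses and drop the attribute once those accesses are
# enumerated here.
type fingerprintd, domain, domain_deprecated;
type fingerprintd_exec, exec_type, file_type;

binder_use(fingerprintd)

# Scan through /system/lib64/hw looking for installed HALs
allow fingerprintd system_file:dir r_dir_perms;

# Register fingerprintd_service with the service manager. add_service() grants
# { add find } on the service to fingerprintd and emits a neverallow so that no
# other domain can add it. (Finding KeyStore is covered by use_keystore below.)
add_service(fingerprintd, fingerprintd_service)

# allow HAL module to create and modify files labelled fingerprintd_data_file
# (create_file_perms is more than read access)
allow fingerprintd fingerprintd_data_file:file { create_file_perms };

# allow HAL module to read/write/unlink contents of this dir
allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;

# Need to add auth tokens to KeyStore
# NOTE(review): add_auth is a sensitive keystore permission; keep it limited to
# domains that actually produce authentication tokens.
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };

# For permissions checking
binder_call(fingerprintd, system_server);
allow fingerprintd permission_service:service_manager find;

# Read-only access to cgroup and to everything carrying the sysfs_type attribute.
# NOTE(review): sysfs_type covers every sysfs label, which is broader than a
# single HAL is likely to need; narrow to the specific sysfs types if they can
# be identified from denials.
r_dir_file(fingerprintd, cgroup)
r_dir_file(fingerprintd, sysfs_type)

# Read access to the ION device node
# NOTE(review): presumably for buffers shared with the HAL - confirm.
allow fingerprintd ion_device:chr_file r_file_perms;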