f098071ac7
"nonplat" was renamed to "vendor" in Android Pie, but was retained here for Treble compatibility. We're now outside of the compatibility window for these devices so it can safely be removed. Test: atest treble_sepolicy_tests Change-Id: Iaa22af41a07b13adb7290f570db7a9d43b6e85cc
# servicemanager - the Binder context manager
|
|
type servicemanager, domain, mlstrustedsubject;
|
|
type servicemanager_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Note that we do not use the binder_* macros here.
|
|
# servicemanager is unique in that it only provides
|
|
# name service (aka context manager) for Binder.
|
|
# As such, it only ever receives and transfers other references
|
|
# created by other domains. It never passes its own references
|
|
# or initiates a Binder IPC.
|
|
allow servicemanager self:binder set_context_mgr;
|
|
allow servicemanager {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
-hwservicemanager
|
|
-vndservicemanager
|
|
}:binder transfer;
|
|
|
|
allow servicemanager service_contexts_file:file r_file_perms;
|
|
|
|
allow servicemanager vendor_service_contexts_file:file r_file_perms;
|
|
|
|
# nonplat_service_contexts only accessible on non full-treble devices
|
|
not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')
|
|
|
|
add_service(servicemanager, service_manager_service)
|
|
allow servicemanager dumpstate:fd use;
|
|
allow servicemanager dumpstate:fifo_file write;
|
|
|
|
# Check SELinux permissions.
|
|
selinux_check_access(servicemanager)
|
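Review bot: The `not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')` rule is now identical to the unconditional `allow servicemanager vendor_service_contexts_file:file r_file_perms;` a few lines above it, so the conditional rule is redundant after the rename, and the comment directly above it still reads `# nonplat_service_contexts only accessible on non full-treble devices`, naming the type this commit set out to retire. Either remove the `not_full_treble` line together with its comment, or, if the conditional form is deliberately kept for the non-Treble build path, reword the comment so it no longer refers to nonplat, e.g. `# vendor_service_contexts (formerly nonplat_service_contexts) on non full-treble devices`. The rendered view carries no old/new markers, so which of the two lines this commit changed is inferred from the commit message rather than visible here; a redundant allow is harmless to enforcement but leaves a stale reference for the next reader.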