23f336156d
Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries: avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager Bug: 18106000 Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
# Process which creates/updates shared RELRO files to be used by other apps.
# Declares the shared_relro type and gives it the domain attribute.
type shared_relro, domain;

# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
# app_domain() is a macro defined outside this file; the rules it expands to
# are not visible here.
app_domain(shared_relro)

# Grant write access to the shared relro files/directory.
# rw_dir_perms and create_file_perms are permission-set macros defined outside
# this file.
# NOTE(review): the header says other apps consume these files, so the rules
# that let other domains read shared_relro_file should be reviewed together
# with these write rules.
allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms;

# Needs to contact the "webviewupdate" and "activity" services.
# NOTE(review): the two rules below allow find on every service labelled
# system_server_service or tmp_system_server_service, which is wider than the
# two services named above. The "tmp_" prefix suggests a transitional type --
# confirm, and narrow to the specific service types once the audit output
# below shows which lookups actually occur.
allow shared_relro system_server_service:service_manager find;
allow shared_relro tmp_system_server_service:service_manager find;

# service_manager_local_audit_domain() is defined outside this file;
# presumably it opts this domain into service_manager auditing -- confirm
# against the macro definition.
service_manager_local_audit_domain(shared_relro)
# auditallow grants nothing: it logs an "avc: granted" record for find requests
# that an allow rule already permits. The set is tmp_system_server_service
# minus webviewupdate_service, so the expected webviewupdate lookup is not
# logged and any other lookup of that type by this domain is.
auditallow shared_relro {
    tmp_system_server_service
    -webviewupdate_service
}:service_manager find;