23f0f3b28a
This change adds the SEPolicy changes required to support the remote provisioning flow. The notable additions are specifically labeling the remote provisioning app and giving it access to find the remote provisioning service which is added in keystore. It also requires network access in order to communicate to the provisioning servers. This functionality is extremely narrow to the point that it seems worth it to define a separate domain for this app, rather than add this in to the priv_app or platform_app permission files. Since this app also communicates with the network, it also seems advantageous to limit its permissions only to what is absolutely necessary to perform its function. Test: No denials! Change-Id: I602c12365a575d914afc91f55e6a9b6aa2e14189
10 lines
230 B
Text
10 lines
230 B
Text
type remote_prov_app, domain;
|
|
typeattribute remote_prov_app coredomain;
|
|
|
|
app_domain(remote_prov_app)
|
|
net_domain(remote_prov_app)
|
|
|
|
allow remote_prov_app {
|
|
activity_service
|
|
remoteprovisioning_service
|
|
}:service_manager find;
|