606d2fd665
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.
Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.
mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.
Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.
Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.
Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
16 lines
401 B
Text
16 lines
401 B
Text
# inputflinger
|
|
type inputflinger, domain;
|
|
type inputflinger_exec, exec_type, file_type;
|
|
|
|
binder_use(inputflinger)
|
|
binder_service(inputflinger)
|
|
|
|
binder_call(inputflinger, system_server)
|
|
|
|
wakelock_use(inputflinger)
|
|
|
|
add_service(inputflinger, inputflinger_service)
|
|
allow inputflinger input_device:dir r_dir_perms;
|
|
allow inputflinger input_device:chr_file rw_file_perms;
|
|
|
|
r_dir_file(inputflinger, cgroup)
|