# servicemanager: the framework-side Binder context manager (name service).
# It hands out references that other domains created; it is never a Binder
# client or server in its own right, which is why the binder_use()/
# binder_call() macros are deliberately absent from this file.
#
# mlstrustedsubject exempts the domain from MLS constraints -- presumably so
# it can broker handles between callers at different MLS levels; confirm
# against the MLS policy if that assumption matters for your audit.
type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, system_file_type, exec_type, file_type;

# Claim the context-manager role on its own binder node. The neverallow that
# keeps every other (non-*servicemanager) domain from doing the same is
# expected to live in domain.te rather than here -- verify when auditing.
allow servicemanager self:binder set_context_mgr;

# Only the bare `transfer` bit, and only for forwarding references minted by
# someone else. init and vendor_init are excluded because they must never
# touch binder at all; hwservicemanager and vndservicemanager are the other
# two context managers and exchange no references with this one.
# NOTE(review): this rule is coarse by design -- it is not what gates which
# caller may look up which service. That decision is made per name via the
# service_contexts maps and the access check granted further down.
allow servicemanager { domain -init -vendor_init -hwservicemanager -vndservicemanager }:binder transfer;

# Read-only access to the name -> label maps (platform and vendor) that are
# consulted before each add/find/list decision.
allow servicemanager { service_contexts_file vendor_service_contexts_file }:file r_file_perms;

# Pre-Treble devices still ship a nonplat map; on full-Treble builds the
# not_full_treble() wrapper compiles this rule out entirely.
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')

# servicemanager's own service label. add_service() (see te_macros) is
# expected to grant add/find on it and to forbid any other domain from adding
# under that label.
add_service(servicemanager, service_manager_service)

# dumpstate passes servicemanager a pipe fd and servicemanager writes into it
# -- presumably its dumpsys/bugreport output.
allow servicemanager dumpstate:fd use;
allow servicemanager dumpstate:fifo_file write;

# Lets servicemanager ask the kernel for an access decision (the
# selinux_check_access() macro in te_macros grants the selinuxfs / compute_av
# permissions this needs). Without it the service_contexts maps above could
# not be enforced from userspace.
selinux_check_access(servicemanager)