binder_use: Allow servicemanager callbacks

In order for services registered with LazyServiceRegistrar to dynamically stop, servicemanager needs to be able to call into client processes (to notify them and trigger shutdown).

Bug: 143108344
Test: aidl_lazy_test
Change-Id: I402d0bcc5e668bf022162c7ce7393d5b77256479
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 458a8f1..3bcd761 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -38,4 +38,5 @@
     -dumpstate
     -lpdumpd
     -shell
+    -servicemanager
 } lpdumpd:binder call;
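Review bot: The `-servicemanager` exemption is added to this neverallow without any comment saying why servicemanager may now call into lpdumpd, whereas the installd hunk updates its rule comment; the apexd hunk has the same gap. A short comment above the rule would keep the rationale next to the exemption, e.g. `# servicemanager may call back into binder_use domains (lazy service callbacks)`. The neverallow statement edited here begins before the hunk, so its opening set and any existing comment are outside what I can see.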
diff --git a/public/apexd.te b/public/apexd.te
index 3957ed6..93c257f 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -7,7 +7,7 @@
 set_prop(apexd, apexd_prop)
 
 neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server } apexd:binder call;
+neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
 
diff --git a/public/installd.te b/public/installd.te
index 40b151e..48daff9 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -166,9 +166,9 @@
 ### Neverallow rules
 ###
 
-# only system_server, installd and dumpstate may interact with installd over binder
+# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
 neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
 neverallow installd {
     domain
     -system_server
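Review bot: The updated comment on L40 says servicemanager may "interact with installd over binder", but the `installd_service:service_manager find` neverallow on L41 still excludes it, so the comment now overstates what the two rules together allow; only the `binder call` rule on L43 exempts servicemanager. Consider splitting the comment so each rule is described precisely: `# only system_server, installd and dumpstate may find installd_service` above L41 and `# servicemanager may additionally call installd (binder callbacks)` above L43. The `neverallow installd {` statement starting on L44 continues past the end of the hunk.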
diff --git a/public/te_macros b/public/te_macros
index 88e71d8..6a8b5bf 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -337,6 +337,8 @@
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
+# Allow servicemanager to send out callbacks
+allow servicemanager $1:binder { call transfer };
 # servicemanager performs getpidcon on clients.
 allow servicemanager $1:dir search;
 allow servicemanager $1:file { read open };
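Review bot: The new rule on L56 grants servicemanager `{ call transfer }` into every domain that expands binder_use, so servicemanager becomes a domain that can initiate transactions and hand binder references to nearly every binder client; the neverallow exemptions in the lpdumpd, apexd and installd hunks show how far that reaches. The comment on L55 should record the reason this edge exists so it is visible at the macro rather than only in the commit message, e.g. `# Allow servicemanager to send out callbacks (LazyServiceRegistrar client notifications)`. It is also worth confirming in review that the callback path actually passes a binder reference and therefore needs `transfer`; if it only carries primitives, `call` alone would be the narrower grant, which I cannot tell from the hunk.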