commit 8bb80471b93a080849e30f190c297cbd365c4254
author Todd Kennedy <toddke@google.com> Wed Aug 02 07:27:44 2017 -0700
committer Todd Kennedy <toddke@google.com> Fri Aug 04 13:33:42 2017 -0700
tree b97548bead36976370eba936dd697513f7552c7d
parent 420be61f78ae72f8bca5e33177ec2d6781b4a19a

Allow PackageManager to create a new service

A new API [getNamesForUids] was recently added to the PackageManager
and this API needs to be accessible to native code. However, there
were two constraints:
1) Instead of hand-rolling the binder, we wanted to auto generate
the bindings directly from the AIDL compiler.
2) We didn't want to expose/annotate all 180+ PackageManager APIs
when only a single API is needed.
So, we chose to create a parallel API that can be used explicitly
for native bindings without exposing the entirety of the
PackageManager.

Bug: 62805090
Test: Manual
Test: Create a native application that calls into the new service
Test: See the call works and data and returned
Change-Id: I0d469854eeddfa1a4fd04b5c53b7a71ba3ab1f41

private/storaged.te

diff --git a/private/storaged.te b/private/storaged.te
index d5abd73..20377e0 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -43,6 +43,9 @@
 # Implements a dumpsys interface.
 allow storaged dumpstate:fd use;
 
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
 dontaudit storaged self:capability dac_override;