Merge "Allow init to use binder."
diff --git a/public/domain.te b/public/domain.te
index deccae3..d0c7063 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -397,9 +397,11 @@
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
+# Nobody is allowed to make binder calls into init.
+# Only servicemanager may transfer binder references to init
+# vendor_init shouldn't use binder at all.
+neverallow * init:binder ~{ transfer };
+neverallow { domain -servicemanager } init:binder { transfer };
neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
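Review bot: The new three-line comment above the first neverallow drops the diagnostic hint the replaced comment carried, and that hint still applies: `neverallow * init:binder ~{ transfer };` fires in exactly the case the old text described, a service that runs in init's domain because it has no SELinux domain of its own, so the policy author who trips it gets less help than before. Keep a line such as `# If the first rule is triggered, it's probably due to a service with no SELinux domain.` next to the rule. Separately, the carve-out `{ domain -servicemanager }` only tolerates `servicemanager init:binder transfer`; no allow rule granting it appears in this diff, and if servicemanager.te's existing rule is written as `{ domain -init }` (not visible here) the reference transfer that init's new binder use depends on would still be denied at runtime, so that file is worth checking. Note also that `*` in the first rule includes init itself, so init can never act as a binder server even for its own domain, which matches the stated intent but is not said by the comment.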
diff --git a/public/init.te b/public/init.te
index d3a3b1f..d062195 100644
--- a/public/init.te
+++ b/public/init.te
@@ -512,6 +512,9 @@
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
+# Allow init to use binder
+binder_use(init);
+
###
### neverallow rules
###
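Review bot: The comment `# Allow init to use binder` above `binder_use(init);` restates the macro name rather than the reason; giving a root-privileged init process a binder client path is a notable widening of its reach, and the comment should name what init needs binder for and record the intended direction. Something like `# Allow init to use binder as a client only: it may call servicemanager and receive references, but no domain may make binder calls into init (see the neverallow rules in domain.te).` lets a reader connect this line to the matching neverallow rules. binder_use comes from te_macros, not shown here, and presumably grants `call transfer` on servicemanager plus the /proc reads servicemanager needs to look up the caller's context; confirm that is the whole set init needs and that no `binder_call(init, ...)` to a specific service is still missing. The neverallow section that starts at the bottom of this hunk continues outside it.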