Initial sepolicy for vndservicemanager.

vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Change-Id: Ifbf536932678d0ff13d019635fe6347e185ef387
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2c24d5f..6e6ea37 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -30,7 +30,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
-
+/(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
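Review bot: The new entry is inserted in place of the blank line that separated the binaries list from the `# Data files` header, so the section divider now butts directly against the last label line. Keep the new label and restore the separator, i.e. follow L18 with an empty line before `#############################`, matching the spacing used between the other sections of this file. As a naming nit, the commit's Test trailer refers to `vendorservicemanager` while the labeled binary here is `vndservicemanager`; one of them is presumably a typo.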
 #############################
 # Data files
 #
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 0000000..9357042
--- /dev/null
+++ b/vendor/vndservicemanager.te
@@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
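Review bot: The domain type `vndservicemanager` is used by `init_daemon_domain`, the `allow` rules and `selinux_check_access` but is never declared in this file; only `vndservicemanager_exec` is declared on line 29, so unless the domain is declared in a file outside this change the policy will fail to compile. Add `type vndservicemanager, domain;` immediately above the `vndservicemanager_exec` declaration. The `transfer` rule on line 36 is already flagged by its TODO, but it is worth stating in the header comment that until b/35870313 is resolved this context manager can hand binder references to any non-init domain, not just vendor processes, so the "vendor-only" claim in the file header is a goal rather than what the rules enforce. This rule set also depends on `vndbinder_device` being declared and labeled elsewhere; that is not visible here, so confirm it lands with or before this change.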