Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 6570d6d3c7c197b9c484ecbbc280a199ca964f21 / . / private / permissioncontroller_app.te
blob: 0fa2dea20f0826518378c42e0c06269524cf36b9 [file] [log] [blame]
Ashwini Oruganti9bc81122019-10-21 15:28:00 -0700[diff] [blame]1###
2### A domain for further sandboxing the GooglePermissionController app.
3###
Ashwini Oruganti50641892019-11-21 12:26:08 -0800[diff] [blame]4type permissioncontroller_app, domain, coredomain;
Ashwini Oruganti9bc81122019-10-21 15:28:00 -0700[diff] [blame]5
Ashwini Oruganti6f795f32019-11-20 14:40:40 -0800[diff] [blame]6# Allow everything.
7# TODO(b/142672293): remove when no selinux denials are triggered for this
8# domain
9# STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around
10# `permissioncontroller_app` and remove this line once we are confident about
11# this having the right set of permissions.
12userdebug_or_eng(`permissive permissioncontroller_app;')
13
Ashwini Oruganti9bc81122019-10-21 15:28:00 -0700[diff] [blame]14app_domain(permissioncontroller_app)
15
16# Allow interaction with gpuservice
17binder_call(permissioncontroller_app, gpuservice)
18allow permissioncontroller_app gpu_service:service_manager find;
19
20# Allow interaction with role_service
21allow permissioncontroller_app role_service:service_manager find;
22
23# Allow interaction with usagestats_service
24allow permissioncontroller_app usagestats_service:service_manager find;
25
26# Allow interaction with activity_service
27allow permissioncontroller_app activity_service:service_manager find;
Ashwini Orugantic557ca62019-11-04 16:03:54 -0800[diff] [blame]28
29allow permissioncontroller_app activity_task_service:service_manager find;
30allow permissioncontroller_app audio_service:service_manager find;
31allow permissioncontroller_app autofill_service:service_manager find;
Ashwini Oruganti50641892019-11-21 12:26:08 -0800[diff] [blame]32allow permissioncontroller_app content_capture_service:service_manager find;
Ashwini Orugantic557ca62019-11-04 16:03:54 -0800[diff] [blame]33allow permissioncontroller_app device_policy_service:service_manager find;
Ashwini Oruganti50641892019-11-21 12:26:08 -0800[diff] [blame]34allow permissioncontroller_app incidentcompanion_service:service_manager find;
Ashwini Oruganti6570d6d2019-12-26 15:34:00 -0800[diff] [blame^]35allow permissioncontroller_app IProxyService_service:service_manager find;
Ashwini Orugantic557ca62019-11-04 16:03:54 -0800[diff] [blame]36allow permissioncontroller_app location_service:service_manager find;
Ashwini Oruganti50641892019-11-21 12:26:08 -0800[diff] [blame]37allow permissioncontroller_app media_session_service:service_manager find;
Ashwini Orugantic557ca62019-11-04 16:03:54 -0800[diff] [blame]38allow permissioncontroller_app surfaceflinger_service:service_manager find;
Ashwini Oruganti50641892019-11-21 12:26:08 -0800[diff] [blame]39allow permissioncontroller_app telecom_service:service_manager find;
Ashwini Orugantic557ca62019-11-04 16:03:54 -0800[diff] [blame]40allow permissioncontroller_app trust_service:service_manager find;
Ashwini Oruganti73e12292019-12-09 15:37:05 -0800[diff] [blame]41
42# Allow the app to request and collect incident reports.
43# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
44allow permissioncontroller_app incident_service:service_manager find;
45binder_call(permissioncontroller_app, incidentd)
46allow permissioncontroller_app incidentd:fifo_file { read write };