private/servicemanager.te

typeattribute servicemanager coredomain;

init_daemon_domain(servicemanager)

read_runtime_log_tags(servicemanager)

set_prop(servicemanager, ctl_interface_start_prop)
set_prop(servicemanager, servicemanager_prop)

# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)

# servicemanager is using apex_info via libvintf
use_apex_info(servicemanager)

# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains.  It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager {
  domain
  -init
  -vendor_init
  -hwservicemanager
  -vndservicemanager
}:binder transfer;

allow servicemanager service_contexts_file:file r_file_perms;

allow servicemanager vendor_service_contexts_file:file r_file_perms;

# nonplat_service_contexts only accessible on non full-treble devices
not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')

add_service(servicemanager, service_manager_service)
allow servicemanager dumpstate:fd use;
allow servicemanager dumpstate:fifo_file write;

# Check SELinux permissions.
selinux_check_access(servicemanager)

allow servicemanager kmsg_device:chr_file rw_file_perms;

recovery_only(`
  # Read VINTF files.
  r_dir_file(servicemanager, rootfs)
')