| Ashwini Oruganti | 9bc8112 | 2019-10-21 15:28:00 -0700 | [diff] [blame] | 1 | ### |
| 2 | ### A domain for further sandboxing the GooglePermissionController app. |
| 3 | ### |
| 4 | type permissioncontroller_app, domain; |
| 5 | |
| 6 | # Allow everything. |
| 7 | # TODO(b/142672293): remove when no selinux denials are triggered for this |
| 8 | # domain |
| 9 | # STOPSHIP(b/142672293): monitor http://go/sedenials for any denials around |
| 10 | # `permissioncontroller_app` and remove this line once we are confident about |
| 11 | # this having the right set of permissions. |
| 12 | userdebug_or_eng(`permissive permissioncontroller_app;') |
| 13 | |
| 14 | app_domain(permissioncontroller_app) |
| 15 | |
| 16 | # Allow interaction with gpuservice |
| 17 | binder_call(permissioncontroller_app, gpuservice) |
| 18 | allow permissioncontroller_app gpu_service:service_manager find; |
| 19 | |
| 20 | # Allow interaction with role_service |
| 21 | allow permissioncontroller_app role_service:service_manager find; |
| 22 | |
| 23 | # Allow interaction with usagestats_service |
| 24 | allow permissioncontroller_app usagestats_service:service_manager find; |
| 25 | |
| 26 | # Allow interaction with activity_service |
| 27 | allow permissioncontroller_app activity_service:service_manager find; |