| ThiƩbaud Weksteen | 5e9b88f | 2023-08-28 12:22:17 +1000 | [diff] [blame] | 1 | # Rules common to some specific binder service domains. |
| 2 | # Deprecated. Consider granting the exact permissions required by your service. |
| Nick Kralevich | 09e6abd | 2013-12-13 22:19:45 -0800 | [diff] [blame] | 3 | |
| Joe Onorato | 41f93db | 2016-11-20 23:23:04 -0800 | [diff] [blame] | 4 | # Allow dumpstate and incidentd to collect information from binder services |
| 5 | allow binderservicedomain { dumpstate incidentd }:fd use; |
| 6 | allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr }; |
| 7 | allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write }; |
| Nick Kralevich | 2e7a301 | 2014-01-10 23:05:25 -0800 | [diff] [blame] | 8 | allow binderservicedomain shell_data_file:file { getattr write }; |
| Nick Kralevich | 5153890 | 2013-12-19 18:18:32 -0800 | [diff] [blame] | 9 | |
| Nick Kralevich | 67d1f1e | 2014-06-20 18:25:52 -0700 | [diff] [blame] | 10 | # Allow dumpsys to work from adb shell or the serial console |
| Nick Kralevich | 5153890 | 2013-12-19 18:18:32 -0800 | [diff] [blame] | 11 | allow binderservicedomain devpts:chr_file rw_file_perms; |
| Nick Kralevich | 67d1f1e | 2014-06-20 18:25:52 -0700 | [diff] [blame] | 12 | allow binderservicedomain console_device:chr_file rw_file_perms; |
| Stephen Smalley | 644279b | 2014-03-21 10:24:04 -0400 | [diff] [blame] | 13 | |
| 14 | # Receive and write to a pipe received over Binder from an app. |
| 15 | allow binderservicedomain appdomain:fd use; |
| 16 | allow binderservicedomain appdomain:fifo_file write; |
| Riley Spahn | f90c41f | 2014-06-05 15:52:02 -0700 | [diff] [blame] | 17 | |
| dcashman | 32d207e | 2015-10-29 10:32:14 -0700 | [diff] [blame] | 18 | # allow all services to run permission checks |
| 19 | allow binderservicedomain permission_service:service_manager find; |
| 20 | |
| Janis Danisevskis | 144c822 | 2020-09-24 08:55:28 -0700 | [diff] [blame] | 21 | allow binderservicedomain keystore:keystore2_key { delete get_info rebind use }; |
| Riley Spahn | 1196d2a | 2014-06-17 14:58:52 -0700 | [diff] [blame] | 22 | |
| 23 | use_keystore(binderservicedomain) |
| Rob Seymour | ecbadbb | 2022-07-28 16:23:42 +0000 | [diff] [blame] | 24 | # binderservicedomain is using apex_info via libvintf |
| 25 | use_apex_info(binderservicedomain) |