authordcashman <dcashman@google.com>2015-10-29 10:32:14 -0700
committerdcashman <dcashman@google.com>2015-10-29 12:45:37 -0700
commit000b69499aa233a7277b828756c01b27a47b17ce (patch)
tree32338efe28dad7359470533402b15fce8a0d43b5
parent6fc134e3e529e2a79c754593b2ca660cabcd81ed (diff)
Enable permission checking by binderservicedomain.brillo-m7-releasebrillo-m7-mr-devbrillo-m7-dev
binderservicedomain services often expose their methods to untrusted clients and rely on permission checks for access control. Allow these services to query the permission service for access decisions. (cherry-pick of commit: 32d207e042c280a1d230e180dc6d49aba3b0248c) Bug: 25282923 Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b
-rw-r--r--binderservicedomain.te3
1 files changed, 3 insertions, 0 deletions
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 0bfd33a..36993eb 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,9 @@ allow binderservicedomain console_device:chr_file rw_file_perms;
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore(binderservicedomain)
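Review bot: The added `allow binderservicedomain permission_service:service_manager find;` is granted on the whole binderservicedomain attribute, so every domain that carries the attribute now or later can look up the permission service, and the one-line comment does not record why an attribute-wide grant is intended. I would carry the rationale from the commit message into the policy file, for example `# Binder services expose methods to untrusted clients and rely on permission checks for access control, so every binderservicedomain may look up the permission service.` The rule covers only the service_manager lookup. Whether each of these domains may also make the binder call to the process hosting the service depends on rules outside this hunk, so that is worth confirming for any domain not already allowed to call it.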