author | dcashman <dcashman@google.com> | 2015-10-29 10:32:14 -0700 |
---|---|---|
committer | dcashman <dcashman@google.com> | 2015-10-29 12:45:37 -0700 |
commit | 000b69499aa233a7277b828756c01b27a47b17ce (patch) | |
tree | 32338efe28dad7359470533402b15fce8a0d43b5 | |
parent | 6fc134e3e529e2a79c754593b2ca660cabcd81ed (diff) | |
download | sepolicy-brillo-m7-mr-dev.tar.gz |
Enable permission checking by binderservicedomain. [brillo-m7-release, brillo-m7-mr-dev, brillo-m7-dev]
binderservicedomain services often expose their methods to untrusted
clients and rely on permission checks for access control. Allow these
services to query the permission service for access decisions.
(cherry-pick of commit: 32d207e042c280a1d230e180dc6d49aba3b0248c)
Bug: 25282923
Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b
-rw-r--r-- | binderservicedomain.te | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/binderservicedomain.te b/binderservicedomain.te index 0bfd33a..36993eb 100644 --- a/binderservicedomain.te +++ b/binderservicedomain.te @@ -13,6 +13,9 @@ allow binderservicedomain console_device:chr_file rw_file_perms; allow binderservicedomain appdomain:fd use; allow binderservicedomain appdomain:fifo_file write; +# allow all services to run permission checks +allow binderservicedomain permission_service:service_manager find; + allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; use_keystore(binderservicedomain) |
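Review bot: The comment on the added rule (`# allow all services to run permission checks`, placed after the `appdomain:fifo_file write` line) is broader than the rule itself, which grants `find` on `permission_service` only to domains carrying the `binderservicedomain` attribute. Consider rewording it to name that scope and the reason given in the commit message, namely that these services expose methods to untrusted clients and depend on permission checks for access control. Because the grant is made on the attribute, every current and future domain tagged `binderservicedomain` inherits it, so it is worth confirming that this is intended for all of them rather than for the specific services that perform permission checks. Also note that `service_manager find` only covers looking up the service handle; nothing in the visible context grants the binder call to the domain that hosts `permission_service`, so please confirm that rule already exists elsewhere, otherwise the lookup will succeed and the actual query will still be denied.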