author | dcashman <dcashman@google.com> | 2015-10-29 10:32:14 -0700 |
---|---|---|
committer | The Android Automerger <android-build@google.com> | 2015-10-29 19:24:22 -0700 |
commit | 9acda2f3805c426c18af62b98aac614f69f97864 (patch) | |
tree | a8254311c9e3e837336911a12d0b523dff2cbd9b | |
parent | 6ab438dc8b4c8b661c8209ecfb66b626b8bdc532 (diff) | |
download | sepolicy-9acda2f3805c426c18af62b98aac614f69f97864.tar.gz |
Enable permission checking by binderservicedomain.
Tags: android-6.0.1_r9 android-6.0.1_r8 android-6.0.1_r7 android-6.0.1_r3 android-6.0.1_r17 android-6.0.1_r13 android-6.0.1_r12 android-6.0.1_r11 android-6.0.1_r10 android-6.0.1_r1 android-6.0.0_r41
binderservicedomain services often expose their methods to untrusted
clients and rely on permission checks for access control. Allow these
services to query the permission service for access decisions.
Bug: 25282923
Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b
-rw-r--r-- | binderservicedomain.te | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/binderservicedomain.te b/binderservicedomain.te index 0bfd33a..36993eb 100644 --- a/binderservicedomain.te +++ b/binderservicedomain.te @@ -13,6 +13,9 @@ allow binderservicedomain console_device:chr_file rw_file_perms; allow binderservicedomain appdomain:fd use; allow binderservicedomain appdomain:fifo_file write; +# allow all services to run permission checks +allow binderservicedomain permission_service:service_manager find; + allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; use_keystore(binderservicedomain) |
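Review bot: the added rule `allow binderservicedomain permission_service:service_manager find;` only authorizes the servicemanager lookup, and nothing in this hunk shows these domains being allowed to make the binder call to the process that hosts permission_service. Please confirm that every domain carrying the binderservicedomain attribute already has that binder_call permission, or add it alongside this rule, since otherwise the check would be denied after the lookup succeeds. The comment `# allow all services to run permission checks` is also broader than the rule: the grant covers only domains with the binderservicedomain attribute, so the comment should say so, and any per-domain `find` rule on permission_service that this attribute-wide grant makes redundant can be dropped in the same change.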