From 32d207e042c280a1d230e180dc6d49aba3b0248c Mon Sep 17 00:00:00 2001 From: dcashman Date: Thu, 29 Oct 2015 10:32:14 -0700 Subject: Enable permission checking by binderservicedomain. binderservicedomain services often expose their methods to untrusted clients and rely on permission checks for access control. Allow these services to query the permission service for access decisions. Bug: 25282923 Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b --- binderservicedomain.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/binderservicedomain.te b/binderservicedomain.te index 0bfd33a..36993eb 100644 --- a/binderservicedomain.te +++ b/binderservicedomain.te @@ -13,6 +13,9 @@ allow binderservicedomain console_device:chr_file rw_file_perms; allow binderservicedomain appdomain:fd use; allow binderservicedomain appdomain:fifo_file write; +# allow all services to run permission checks +allow binderservicedomain permission_service:service_manager find; + allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; use_keystore(binderservicedomain) -- cgit v1.2.3