android_system_sepolicy/vendor/vndservicemanager.te

# vndservicemanager - the Binder context manager for vendor processes
type vndservicemanager_exec, exec_type, file_type;

init_daemon_domain(vndservicemanager);

allow vndservicemanager self:binder set_context_mgr;

# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
allow vndservicemanager { domain -coredomain -init }:binder transfer;

allow vndservicemanager vndbinder_device:chr_file rw_file_perms;

# Check SELinux permissions.
selinux_check_access(vndservicemanager)
Initial sepolicy for vndservicemanager. vndservicemanager is the context manager for binder services that are solely registered and accessed from vendor processes. Bug: 36052864 Test: vendorservicemanager runs Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387 Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff 2017-03-21 16:01:52 -07:00			`# vndservicemanager - the Binder context manager for vendor processes`
			`type vndservicemanager_exec, exec_type, file_type;`

			`init_daemon_domain(vndservicemanager);`

			`allow vndservicemanager self:binder set_context_mgr;`

			`# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)`
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 14:27:32 -07:00			`allow vndservicemanager { domain -coredomain -init }:binder transfer;`
Initial sepolicy for vndservicemanager. vndservicemanager is the context manager for binder services that are solely registered and accessed from vendor processes. Bug: 36052864 Test: vendorservicemanager runs Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387 Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff 2017-03-21 16:01:52 -07:00
			`allow vndservicemanager vndbinder_device:chr_file rw_file_perms;`

			`# Check SELinux permissions.`
			`selinux_check_access(vndservicemanager)`