binder_use: Allow servicemanager callbacks
In order for services registered with LazyServiceRegistrar to dynamically stop, servicemanager needs to be able to call into client processes (to notify them and trigger shutdown). Bug: 143108344 Test: aidl_lazy_test Change-Id: I402d0bcc5e668bf022162c7ce7393d5b77256479
This commit is contained in:
parent
a0bba66aac
commit
4b9114a0b5
@ -38,4 +38,5 @@ neverallow {
|
||||
-dumpstate
|
||||
-lpdumpd
|
||||
-shell
|
||||
-servicemanager
|
||||
} lpdumpd:binder call;
|
||||
|
@ -7,7 +7,7 @@ add_service(apexd, apex_service)
|
||||
set_prop(apexd, apexd_prop)
|
||||
|
||||
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
|
||||
neverallow { domain -init -apexd -system_server } apexd:binder call;
|
||||
neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
|
||||
|
||||
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
|
||||
|
||||
|
@ -166,9 +166,9 @@ allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
||||
### Neverallow rules
|
||||
###
|
||||
|
||||
# only system_server, installd and dumpstate may interact with installd over binder
|
||||
# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
|
||||
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
|
||||
neverallow { domain -system_server -dumpstate } installd:binder call;
|
||||
neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
|
||||
neverallow installd {
|
||||
domain
|
||||
-system_server
|
||||
|
@ -337,6 +337,8 @@ allow $1 $3:unix_dgram_socket sendto;
|
||||
define(`binder_use', `
|
||||
# Call the servicemanager and transfer references to it.
|
||||
allow $1 servicemanager:binder { call transfer };
|
||||
# Allow servicemanager to send out callbacks
|
||||
allow servicemanager $1:binder { call transfer };
|
||||
# servicemanager performs getpidcon on clients.
|
||||
allow servicemanager $1:dir search;
|
||||
allow servicemanager $1:file { read open };
|
||||
|
Loading…
Reference in New Issue
Block a user