2ee66e7d14
We install all default hal implementations in /vendor/bin/hw along with a few domains that are defined in vendor policy and installed in /vendor. These files MUST be a subset of the global 'vendor_file_type' which is used to address *all files installed in /vendor* throughout the policy. Bug: 36463595 Test: Boot sailfish without any new denials Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41 Signed-off-by: Sandeep Patil <sspatil@google.com>
18 lines
625 B
Plaintext
18 lines
625 B
Plaintext
# vndservicemanager - the Binder context manager for vendor processes
|
|
type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
|
|
|
|
init_daemon_domain(vndservicemanager);
|
|
|
|
allow vndservicemanager self:binder set_context_mgr;
|
|
|
|
# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
|
|
allow vndservicemanager { domain -coredomain -init }:binder transfer;
|
|
|
|
allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
|
|
|
|
# Read vndservice_contexts
|
|
allow vndservicemanager vndservice_contexts_file:file r_file_perms;
|
|
|
|
# Check SELinux permissions.
|
|
selinux_check_access(vndservicemanager)
|