| Nick Kralevich | 09e6abd | 2013-12-13 22:19:45 -0800 | [diff] [blame] | 1 | # Rules common to all binder service domains |
| 2 | |
| Nick Kralevich | 5153890 | 2013-12-19 18:18:32 -0800 | [diff] [blame] | 3 | # Allow dumpstate to collect information from binder services |
| Nick Kralevich | 09e6abd | 2013-12-13 22:19:45 -0800 | [diff] [blame] | 4 | allow binderservicedomain dumpstate:fd use; |
| 5 | allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr }; |
| Nick Kralevich | 2e7a301 | 2014-01-10 23:05:25 -0800 | [diff] [blame] | 6 | allow binderservicedomain shell_data_file:file { getattr write }; |
| Nick Kralevich | 5153890 | 2013-12-19 18:18:32 -0800 | [diff] [blame] | 7 | |
| Nick Kralevich | 67d1f1e | 2014-06-20 18:25:52 -0700 | [diff] [blame] | 8 | # Allow dumpsys to work from adb shell or the serial console |
| Nick Kralevich | 5153890 | 2013-12-19 18:18:32 -0800 | [diff] [blame] | 9 | allow binderservicedomain devpts:chr_file rw_file_perms; |
| Nick Kralevich | 67d1f1e | 2014-06-20 18:25:52 -0700 | [diff] [blame] | 10 | allow binderservicedomain console_device:chr_file rw_file_perms; |
| Stephen Smalley | 644279b | 2014-03-21 10:24:04 -0400 | [diff] [blame] | 11 | |
| 12 | # Receive and write to a pipe received over Binder from an app. |
| 13 | allow binderservicedomain appdomain:fd use; |
| 14 | allow binderservicedomain appdomain:fifo_file write; |
| Riley Spahn | f90c41f | 2014-06-05 15:52:02 -0700 | [diff] [blame] | 15 | |
| dcashman | 9acda2f | 2015-10-29 10:32:14 -0700 | [diff] [blame] | 16 | # allow all services to run permission checks |
| 17 | allow binderservicedomain permission_service:service_manager find; |
| 18 | |
| Chad Brubaker | eaa1a1e | 2015-05-13 14:39:48 -0700 | [diff] [blame] | 19 | allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; |
| Riley Spahn | 1196d2a | 2014-06-17 14:58:52 -0700 | [diff] [blame] | 20 | |
| 21 | use_keystore(binderservicedomain) |