Implement SELinux access control.

This implements SELinux access control similarly
to framework servicemanager; we look up labels in
a hwservice_contexts file, then check if the source
context has permissions to do {add, find}
operations on those particular labels. There's also
a generic "list" operation that allows for listing
services.

Note that when trying to "add" an interface, we require
the caller to be allowed to "add" the interface
*AND* all of its parents. This is because the interface
chain is provided by the client, and so can't be trusted
by hwservicemanager.

When trying to "find" an interface, we only check that
you have access to the interface you're asking for.

Bug: 34454312
Test: Marlin boots
Change-Id: Ia1d303e9fd9a4a6c8e7b7cff089a5bfda5023741

diff --git a/ServiceManager.h b/ServiceManager.h
index 0b99a4e..86fffcf 100644
--- a/ServiceManager.h
+++ b/ServiceManager.h
@@ -6,6 +6,7 @@
#include <hidl/MQDescriptor.h>
#include <map>
+#include "AccessControl.h"
#include "HidlService.h"
namespace android {
@@ -91,6 +92,8 @@
std::vector<sp<IServiceNotification>> mPackageListeners{};
};
+ AccessControl mAcl;
+
/**
* Access to this map doesn't need to be locked, since hwservicemanager
* is single-threaded.
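Review bot: the new member `AccessControl mAcl;` is undocumented and sits directly above the doc comment that belongs to the map below it, so that comment ("Access to this map doesn't need to be locked") can be misread as covering mAcl as well. Add a short comment on mAcl stating that it backs the add, find and list permission checks described in the commit message, and say explicitly whether it depends on the same single-threaded assumption. If AccessControl holds state that is set up once (for example the loaded hwservice_contexts data), note that here too so a later move to multiple threads does not silently break the checks.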