1 # Rules common to all binder service domains 2 3 # Allow dumpstate and incidentd to collect information from binder services 4 allow binderservicedomain { dumpstate incidentd }:fd use; 5 allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr }; 6 allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write }; 7 allow binderservicedomain shell_data_file:file { getattr write }; 8 9 # Allow dumpsys to work from adb shell or the serial console 10 allow binderservicedomain devpts:chr_file rw_file_perms; 11 allow binderservicedomain console_device:chr_file rw_file_perms; 12 13 # Receive and write to a pipe received over Binder from an app. 14 allow binderservicedomain appdomain:fd use; 15 allow binderservicedomain appdomain:fifo_file write; 16 17 # allow all services to run permission checks 18 allow binderservicedomain permission_service:service_manager find; 19 20 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; 21 22 use_keystore(binderservicedomain) 23
