# servicemanager - the Binder context manager.
#
# mlstrustedsubject lets this domain broker references between
# subjects in different MLS categories (e.g. apps of different users).
type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, exec_type, file_type;

# Register itself as the (one) Binder context manager for this namespace.
allow servicemanager self:binder set_context_mgr;

# Why no binder_* macros: servicemanager never originates Binder IPC and
# never hands out references of its own; it only forwards references
# created by other domains. So it needs `transfer` toward (almost) every
# domain, nothing more.  init is kept out of Binder entirely, and
# hwservicemanager / vndservicemanager are separate context managers
# with their own policy.
allow servicemanager { domain -init -hwservicemanager -vndservicemanager }:binder transfer;

# Service-name -> label mappings used to decide who may add/find a service.
allow servicemanager service_contexts_file:file r_file_perms;
# The nonplat (vendor-side) mapping file exists only on non-full-Treble devices.
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')

# Permissions needed to ask the kernel for access decisions
# (servicemanager enforces the mappings above on add/find).
selinux_check_access(servicemanager)