author Riley Spahn <rileyspahn@google.com> 2014-06-05 15:52:02 -0700
committer Riley Spahn <rileyspahn@google.com> 2014-06-12 20:46:07 +0000
commit f90c41f6e8d5c1266e154f46586a2ceb260f1be6 (patch)
tree 738e3eb5edacaa0edeb7afbd74cf66cc2b043e87 /servicemanager.te
parent 62af83810baa7a6c07a8673136c1cdf5a6763b48 (diff)
Add SELinux rules for service_manager.
Add a service_manager class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
Diffstat (limited to 'servicemanager.te')
-rw-r--r-- servicemanager.te 7
1 files changed, 7 insertions, 0 deletions
diff --git a/servicemanager.te b/servicemanager.te
index a78a485..f3dbca8 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -12,3 +12,10 @@ init_daemon_domain(servicemanager)
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
+
+# Get contexts of binder services that call servicemanager.
+allow servicemanager binderservicedomain:dir search;
+allow servicemanager binderservicedomain:file { read open };
+allow servicemanager binderservicedomain:process getattr;
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
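Review bot: the three added allow rules are scoped to `binderservicedomain`, while the unchanged `allow servicemanager domain:binder transfer;` just above them covers every `domain`, so the context lookup described in the new comment is only permitted for callers inside that attribute. Please confirm that servicemanager treats a failed lookup for any other caller as a denial rather than skipping the check. The comment "Get contexts of binder services that call servicemanager" should also say which files the `dir search`, `file { read open }` and `process getattr` permissions are meant to reach, because as written the rules read like general read access to files labelled with those domains' types. Finally, `selinux_check_access(servicemanager)` is a macro whose expansion is not visible in this file; a short note on what it grants would make the hunk reviewable on its own.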