path: root/untrusted_app.te
author Riley Spahn <rileyspahn@google.com> 2014-07-07 13:56:27 -0700
committer Riley Spahn <rileyspahn@google.com> 2014-07-14 11:09:27 -0700
commit b8511e0d98880a683c276589ab7d8d7666b7f8c1 (patch)
tree 1637502428877a77f91c0c701ab5eef966fcd1a4 /untrusted_app.te
parent c103da877b72aae80616dbc192982aaf75dfe888 (diff)
Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
Diffstat (limited to 'untrusted_app.te')
-rw-r--r-- untrusted_app.te 11
1 files changed, 11 insertions, 0 deletions
diff --git a/untrusted_app.te b/untrusted_app.te
index f29149e..346716a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,6 +64,17 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
+# Audited locally.
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+ service_manager_type
+ -drmserver_service
+ -mediaserver_service
+ -nfc_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
+
###
### neverallow rules
###
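
Review bot: The `auditallow` block at new lines 69-76 subtracts five service types (drmserver_service, mediaserver_service, nfc_service, surfaceflinger_service, system_server_service) from service_manager_type without saying why, and the only comment, "# Audited locally.", does not cover the exclusions. Add a comment giving the reason each type is left out of auditing (for example, if find on these is expected from untrusted_app and would flood the audit log), so that types later added to service_manager_type are audited or excluded deliberately rather than by default. Since auditallow only logs access that is already granted and grants nothing itself, the find permission has to come from service_manager_local_audit_domain(untrusted_app), whose definition is not visible in this file-limited diff; please confirm that macro does not hand untrusted_app find on every service_manager_type. The commit message introduces both list and find, but only find appears here, so it is worth stating where list is handled for untrusted_app.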