-rw-r--r-- | binderservicedomain.te | 3 | ||||
-rw-r--r-- | bluetooth.te | 2 | ||||
-rw-r--r-- | untrusted_app.te | 1 |
3 files changed, 5 insertions, 1 deletions
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 0bfd33a..36993eb 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,9 @@ allow binderservicedomain console_device:chr_file rw_file_perms;
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 use_keystore(binderservicedomain)
diff --git a/bluetooth.te b/bluetooth.te
index a79023d..f77bd0d 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -70,4 +70,4 @@ allow bluetooth shell_data_file:file read;
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
 neverallow bluetooth self:capability ~net_admin;
-neverallow bluetooth self:capability2 ~wake_alarm;
+neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/untrusted_app.te b/untrusted_app.te
index 2aa1495..fb76317 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -84,6 +84,7 @@ allow untrusted_app cache_file:file create_file_perms;
 allow untrusted_app servicemanager:service_manager list;
 allow untrusted_app drmserver_service:service_manager find;
+allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find; |
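Review bot: The new `allow binderservicedomain permission_service:service_manager find;` is attached to the `binderservicedomain` attribute, so every domain carrying that attribute gains the lookup, and the one-line comment does not say why an attribute-wide grant was chosen over per-domain rules. I would expand it to something like `# Binder services look up the permission service to check their callers, so grant find to the whole attribute.` The rule covers only the service_manager lookup. Whether these domains may also make the binder call into the domain hosting the service is not visible in this hunk and is worth confirming.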
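Review bot: The context comment `# bluetooth requires net_admin and wake_alarm.` in the bluetooth.te hunk is now stale, because the neverallow on `capability2` also exempts `block_suspend`. It should read `# bluetooth requires net_admin, wake_alarm and block_suspend.` so the documented capability set matches the assertion. Loosening a neverallow grants nothing by itself, and no matching `allow bluetooth self:capability2 block_suspend;` appears in the visible hunks, so it presumably lives elsewhere in the policy. A pointer to it in the commit message would make the change easier to audit.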
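Review bot: The added `allow untrusted_app healthd_service:service_manager find;` in untrusted_app.te lets the least-trusted app domain obtain a handle to healthd's binder service, and nothing in the hunk records which framework API needs it. A short comment above the rule naming the consumer, for example `# Needed by <API placeholder> to query healthd from third-party apps.`, would let a later audit judge whether the grant is still required. Since this makes healthd's binder interface reachable from third-party code, that interface should validate its inputs. The surrounding list of `find` rules continues outside the hunk.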