| # servicemanager - the Binder context manager |
| type servicemanager, domain; |
| type servicemanager_exec, exec_type, file_type; |
| |
| init_daemon_domain(servicemanager) |
| |
| # Note that we do not use the binder_* macros here. |
| # servicemanager is unique in that it only provides |
| # name service (aka context manager) for Binder. |
| # As such, it only ever receives and transfers other references |
| # created by other domains. It never passes its own references |
| # or initiates a Binder IPC. |
| allow servicemanager self:binder set_context_mgr; |
| allow servicemanager domain:binder transfer; |
| |
| # Get contexts of binder services that call servicemanager. |
| allow servicemanager binderservicedomain:dir search; |
| allow servicemanager binderservicedomain:file { read open }; |
| allow servicemanager binderservicedomain:process getattr; |
| # Check SELinux permissions. |
| selinux_check_access(servicemanager) |