1*e4a36f41SAndroid Build Coastguard Worker# Rules common to all binder service domains 2*e4a36f41SAndroid Build Coastguard Worker 3*e4a36f41SAndroid Build Coastguard Worker# Allow dumpstate and incidentd to collect information from binder services 4*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain { dumpstate incidentd }:fd use; 5*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr }; 6*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write }; 7*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain shell_data_file:file { getattr write }; 8*e4a36f41SAndroid Build Coastguard Worker 9*e4a36f41SAndroid Build Coastguard Worker# Allow dumpsys to work from adb shell or the serial console 10*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain devpts:chr_file rw_file_perms; 11*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain console_device:chr_file rw_file_perms; 12*e4a36f41SAndroid Build Coastguard Worker 13*e4a36f41SAndroid Build Coastguard Worker# Receive and write to a pipe received over Binder from an app. 14*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain appdomain:fd use; 15*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain appdomain:fifo_file write; 16*e4a36f41SAndroid Build Coastguard Worker 17*e4a36f41SAndroid Build Coastguard Worker# allow all services to run permission checks 18*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain permission_service:service_manager find; 19*e4a36f41SAndroid Build Coastguard Worker 20*e4a36f41SAndroid Build Coastguard Workerallow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; 21*e4a36f41SAndroid Build Coastguard Worker 22*e4a36f41SAndroid Build Coastguard Workeruse_keystore(binderservicedomain) 23