xref: /aosp_15_r20/system/sepolicy/prebuilts/api/30.0/public/servicemanager.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

# servicemanager - the Binder context manager
type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, system_file_type, exec_type, file_type;

# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains.  It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager {
  domain
  -init
  -vendor_init
  -hwservicemanager
  -vndservicemanager
}:binder transfer;

allow servicemanager service_contexts_file:file r_file_perms;

allow servicemanager vendor_service_contexts_file:file r_file_perms;

# nonplat_service_contexts only accessible on non full-treble devices
not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')

add_service(servicemanager, service_manager_service)
allow servicemanager dumpstate:fd use;
allow servicemanager dumpstate:fifo_file write;

# Check SELinux permissions.
selinux_check_access(servicemanager)