# SELinux policy for the servicemanager domain, the Binder context manager.
# The rules below grant only what this page shows; macro bodies are defined
# elsewhere in the policy tree and are not visible here.

# Tag the domain with the coredomain attribute.
typeattribute servicemanager coredomain;

# Domain setup for a daemon started by init (macro defined elsewhere).
init_daemon_domain(servicemanager)

read_runtime_log_tags(servicemanager)

# Property writes are limited to these two property types.
# NOTE(review): ctl_interface_start_prop looks like the control property used
# to ask init to start a service interface - confirm against property_contexts.
set_prop(servicemanager, ctl_interface_start_prop)
set_prop(servicemanager, servicemanager_prop)

# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)

# servicemanager is using apex_info via libvintf
use_apex_info(servicemanager)

# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
#
# Only binder set_context_mgr on self and binder transfer are granted here;
# no binder call permission appears in this file. The transfer target set is
# every domain except init, vendor_init, hwservicemanager and vndservicemanager.
allow servicemanager self:binder set_context_mgr;
allow servicemanager {
  domain
  -init
  -vendor_init
  -hwservicemanager
  -vndservicemanager
}:binder transfer;

# Read-only access to the platform service_contexts file.
allow servicemanager service_contexts_file:file r_file_perms;

# NOTE(review): this grant is unconditional, so the not_full_treble rule below
# repeats it and adds nothing, and the comment above that rule does not match
# the effective policy. Confirm whether vendor service contexts are meant to
# be readable on all devices or only on non full-treble ones.
allow servicemanager vendor_service_contexts_file:file r_file_perms;

# nonplat_service_contexts only accessible on non full-treble devices
not_full_treble(`allow servicemanager vendor_service_contexts_file:file r_file_perms;')

add_service(servicemanager, service_manager_service)
# Use file descriptors received from dumpstate and write to its fifo.
# Write only; no read on the fifo is granted here.
allow servicemanager dumpstate:fd use;
allow servicemanager dumpstate:fifo_file write;

# Check SELinux permissions.
selinux_check_access(servicemanager)

# NOTE(review): rw_file_perms grants read as well as write on the kernel log
# device. If the daemon only logs to kmsg, a write-only permission set would
# be the narrower grant - confirm that read is required.
allow servicemanager kmsg_device:chr_file rw_file_perms;

perfetto_producer(servicemanager)

# The rule inside recovery_only applies to recovery builds only.
recovery_only(`
  # Read VINTF files.
  r_dir_file(servicemanager, rootfs)
')