am 137e07f1: am f2c4e128: neverallow service_manager / service_manager_type

* commit '137e07f1': neverallow service_manager / service_manager_type

am 137e07f1: am f2c4e128: neverallow service_manager / service_manager_type
01ec72ec · Nick Kralevich · Android Git Automerger · 01c80f2c · 137e07f1 · 01ec72ec
Commit 01ec72ec authored 9 years ago by Nick Kralevich Committed by Android Git Automerger 9 years ago
--- a/domain.te
+++ b/domain.te
@@ -493,3 +493,9 @@ neverallow {
  userdebug_or_eng(`-uncrypt')
  -installd
 } shell_data_file:lnk_file read;
+
+# servicemanager is the only process which handles list request
+neverallow domain ~servicemanager:service_manager list;
+
+# only service_manager_types can be added to service_manager
+neverallow domain ~service_manager_type:service_manager { add find };
--- a/init.te
+++ b/init.te
@@ -282,3 +282,7 @@ neverallow init app_data_file:lnk_file read;

 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;