am f2c4e128: neverallow service_manager / service_manager_type

* commit 'f2c4e128': neverallow service_manager / service_manager_type

am f2c4e128: neverallow service_manager / service_manager_type
137e07f1 · Nick Kralevich · Android Git Automerger · 7a23c276 · f2c4e128 · 137e07f1
Commit 137e07f1 authored 9 years ago by Nick Kralevich Committed by Android Git Automerger 9 years ago
--- a/domain.te
+++ b/domain.te
@@ -493,3 +493,9 @@ neverallow {
  userdebug_or_eng(`-uncrypt')
  -installd
 } shell_data_file:lnk_file read;
+# servicemanager is the only process which handles list request
+neverallow domain ~servicemanager:service_manager list;
+# only service_manager_types can be added to service_manager
+neverallow domain ~service_manager_type:service_manager { add find };
--- a/init.te
+++ b/init.te
@@ -282,3 +282,7 @@ neverallow init app_data_file:lnk_file read;
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;