From 32d207e042c280a1d230e180dc6d49aba3b0248c Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Thu, 29 Oct 2015 10:32:14 -0700
Subject: [PATCH] Enable permission checking by binderservicedomain.

binderservicedomain services often expose their methods to untrusted
clients and rely on permission checks for access control.  Allow these
services to query the permission service for access decisions.

Bug: 25282923
Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b
---
 binderservicedomain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/binderservicedomain.te b/binderservicedomain.te
index 0bfd33ae3..36993eb61 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,9 @@ allow binderservicedomain console_device:chr_file rw_file_perms;
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
 
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
 allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 
 use_keystore(binderservicedomain)
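Review bot: The comment on the added rule says "all services", but the grant is made to the `binderservicedomain` attribute, so it covers every domain that carries the attribute now and any domain given it later. I would word it as `# Allow every binderservicedomain to look up permission_service so it can check its callers' permissions.` The rule only permits the `service_manager find` lookup. The binder call into the domain that hosts permission_service needs its own allow rule, which is not visible in this hunk, so confirm that each affected domain already has one. Because the grant is attribute-wide, reviewers of later changes that add a domain to `binderservicedomain` should be aware that it inherits this access.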
-- 
GitLab