Merge "Assert untrusted apps can't add or list hwservicemanager" into oc-dev am: f84989e5

am: 3b130767 Change-Id: Ia3b0df9ebc90548e75ee0d416ae15360feb3cd41

Merge "Assert untrusted apps can't add or list hwservicemanager" into oc-dev am: f84989e5
35836f5e · Alex Klyubin · android-build-merger · 1928c5ea · 3b130767 · 35836f5e
Commit 35836f5e authored 7 years ago by Alex Klyubin Committed by android-build-merger 7 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -108,6 +108,10 @@ neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 # against privileged system components
 neverallow all_untrusted_apps system_file:file lock;

+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
 # Do not permit access from apps which host arbitrary code to HwBinder services,
 # except those considered sufficiently safe for access from such apps.
 # The two main reasons for this are: