Merge "Assert untrusted apps can't add or list hwservicemanager" into oc-dev

am: f84989e5 Change-Id: I4391c7b44d495efadf39b8f14cfccfe2d966b419

Merge "Assert untrusted apps can't add or list hwservicemanager" into oc-dev
3b130767 · Alex Klyubin · android-build-merger · 90b1abcc · f84989e5 · 3b130767
Commit 3b130767 authored 7 years ago by Alex Klyubin Committed by android-build-merger 7 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -108,6 +108,10 @@ neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 # against privileged system components
 neverallow all_untrusted_apps system_file:file lock;

+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
 # Do not permit access from apps which host arbitrary code to HwBinder services,
 # except those considered sufficiently safe for access from such apps.
 # The two main reasons for this are: