diff --git a/Android.mk b/Android.mk index bdf26b357829c6282dddb2eb339b836a1fc809dd..1163477a7821409922516e81619d4ec8f1ca6c61 100644 --- a/Android.mk +++ b/Android.mk @@ -197,6 +197,26 @@ $(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES built_pc := $(LOCAL_BUILT_MODULE) +################################## +include $(CLEAR_VARS) + +LOCAL_MODULE := service_contexts +LOCAL_MODULE_CLASS := ETC +LOCAL_MODULE_TAGS := optional +LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) + +include $(BUILD_SYSTEM)/base_rules.mk + +ALL_SVC_FILES := $(call build_policy, service_contexts) + +$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) +$(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc + @mkdir -p $(dir $@) + $(hide) m4 -s $(ALL_SVC_FILES) > $@ + $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@ + +built_svc := $(LOCAL_BUILT_MODULE) + ################################## ################################## @@ -243,7 +263,7 @@ LOCAL_MODULE_TAGS := optional LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) include $(BUILD_SYSTEM)/base_rules.mk -$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) +$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc) @mkdir -p $(dir $@) $(hide) echo -n $(BUILD_FINGERPRINT) > $@ @@ -255,5 +275,6 @@ built_sepolicy := built_sc := built_fc := built_pc := +built_svc := include $(call all-makefiles-under,$(LOCAL_PATH)) diff --git a/access_vectors b/access_vectors index 265587220aaee9893163f77d33c20807c01b4235..7609d9dc01f498ba5806be525f201d9375ba082a 100644 --- a/access_vectors +++ b/access_vectors @@ -888,3 +888,8 @@ class property_service { set } + +class service_manager +{ + add +} diff --git a/attributes b/attributes index 261500ffa3bdba49bcf4b02901cf760db328ee1b..64de61a5ea9487f6951e814a9d4484be4a323cff 100644 --- a/attributes +++ b/attributes 
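Review bot: In the new service_contexts rule the shell redirect `m4 -s $(ALL_SVC_FILES) > $@` creates the target before `checkfc -p $(PRIVATE_SEPOLICY) $@` has validated it, so a checkfc failure leaves an unvalidated file at $@ with a fresh mtime; unless the surrounding build sets .DELETE_ON_ERROR (not visible here) a rerun may treat it as up to date. This mirrors the existing property_contexts rule in the context above, but the new rule can avoid the window by generating to a temporary and renaming only after the check: `$(hide) m4 -s $(ALL_SVC_FILES) > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp`, `$(hide) mv -f $@.tmp $@`. A one-line comment above the checkfc line, `# Reject service_contexts entries whose type is unknown to the compiled policy`, would also record why the check is there.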
@@ -39,6 +39,9 @@ attribute port_type; # All types used for property service attribute property_type; +# All types used for services managed by service_manager. +attribute service_manager_type; + # All domains that can override MLS restrictions. # i.e. processes that can read up and write down. attribute mlstrustedsubject; diff --git a/binderservicedomain.te b/binderservicedomain.te index 757d807748bd8dd9c7a58b8b1478a12fd04dcc9e..db2f93ffa7b60343e57028174c02f52012429862 100644 --- a/binderservicedomain.te +++ b/binderservicedomain.te @@ -11,3 +11,7 @@ allow binderservicedomain devpts:chr_file rw_file_perms; # Receive and write to a pipe received over Binder from an app. allow binderservicedomain appdomain:fd use; allow binderservicedomain appdomain:fifo_file write; + +# Allow binderservicedomain to add services by default. +allow binderservicedomain service_manager_type:service_manager add; +auditallow binderservicedomain default_android_service:service_manager add; diff --git a/drmserver.te b/drmserver.te index e2b62df2ec5bea54dac298d734d31b51ca8d7857..19931766ebe29f59c223cdcb4c7f40258168e29a 100644 --- a/drmserver.te +++ b/drmserver.te @@ -44,3 +44,5 @@ allow drmserver asec_apk_file:file { read getattr }; # Read /data/data/com.android.providers.telephony files passed over Binder. allow drmserver radio_data_file:file { read getattr }; + +allow drmserver drmserver_service:service_manager add; diff --git a/healthd.te b/healthd.te index 97c0ca589b39fa947e5e3388dd613d040a9156d9..08472ccd876a1f4850d1cd5ed10436e435de5676 100644 --- a/healthd.te +++ b/healthd.te @@ -32,3 +32,5 @@ allow healthd ashmem_device:chr_file execute; allow healthd self:process execmem; allow healthd proc_sysrq:file rw_file_perms; allow healthd self:capability sys_boot; + +allow healthd healthd_service:service_manager add; diff --git a/inputflinger.te b/inputflinger.te index b08b3453b92c3d14f9da0fa966a8daf3a453c934..0bef25eee6b951cd67ba0f99ce21840771c6a125 100644 --- a/inputflinger.te 
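Review bot: `allow binderservicedomain service_manager_type:service_manager add;` grants every domain in binderservicedomain add on every service type, including the per-domain types this commit introduces, so nothing in policy stops a member of binderservicedomain from registering a name that service_contexts maps to another domain's type. That makes the per-domain rules added in drmserver.te, healthd.te, inputflinger.te, keystore.te, mediaserver.te, nfc.te, radio.te, surfaceflinger.te and system_server.te redundant in practice, assuming those domains are in binderservicedomain (inputflinger.te's `binder_service(inputflinger)` context suggests they are). If the blanket rule is a transitional default, a comment saying so and naming the intent to narrow it would help; otherwise scoping it to `allow binderservicedomain default_android_service:service_manager add;` lets the per-domain rules carry enforcement while the existing auditallow still reports names falling through to the default type.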
+++ b/inputflinger.te @@ -8,3 +8,5 @@ binder_use(inputflinger) binder_service(inputflinger) binder_call(inputflinger, system_server) + +allow inputflinger inputflinger_service:service_manager add; diff --git a/keystore.te b/keystore.te index 8aa1d7d4a3fec69b468d483a42fdc2de80ffd9d2..3e627f8270284a53f93e742d42ce670ecbce50da 100644 --- a/keystore.te +++ b/keystore.te @@ -25,3 +25,5 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir * neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *; neverallow domain keystore:process ptrace; + +allow keystore keystore_service:service_manager add; diff --git a/mediaserver.te b/mediaserver.te index 439315f835416a848d95e6a2d4e40cecc47c5e16..e4d5a23cbdd4be54011b2b512b85d8d1aea6906b 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -78,3 +78,5 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth) # Connect to tee service. allow mediaserver tee:unix_stream_socket connectto; + +allow mediaserver mediaserver_service:service_manager add; diff --git a/nfc.te b/nfc.te index 0968c3513d135f0596ae06357d79852bb024b28a..65aaef76cbca14b6225259991ca27f9dfc1e88d7 100644 --- a/nfc.te +++ b/nfc.te @@ -13,3 +13,5 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms; allow nfc sysfs_nfc_power_writable:file rw_file_perms; allow nfc sysfs:file write; + +allow nfc nfc_service:service_manager add; diff --git a/radio.te b/radio.te index d5bf42b192bcaee061fd2c0ab05da52dcdcb5a64..4f1df1ff791ee9a4baa94db348cc054813e5a855 100644 --- a/radio.te +++ b/radio.te @@ -22,3 +22,5 @@ allow radio radio_prop:property_service set; # ctl interface allow radio ctl_rildaemon_prop:property_service set; + +allow radio radio_service:service_manager add; diff --git a/security_classes b/security_classes index 197805e3b2b0b8ea4ac94247808d21ceb4ba4188..9ff494fdbc00952b99e33dcb27585363f185896b 100644 --- a/security_classes +++ b/security_classes 
@@ -137,4 +137,7 @@ class zygote # Property service class property_service # userspace +# Service manager +class service_manager # userspace + # FLASK diff --git a/service.te b/service.te new file mode 100644 index 0000000000000000000000000000000000000000..650ac139ec2b514d3eb3a7457602d1a3a1561e8e --- /dev/null +++ b/service.te @@ -0,0 +1,10 @@ +type default_android_service, service_manager_type; +type drmserver_service, service_manager_type; +type healthd_service, service_manager_type; +type inputflinger_service, service_manager_type; +type keystore_service, service_manager_type; +type mediaserver_service, service_manager_type; +type nfc_service, service_manager_type; +type radio_service, service_manager_type; +type surfaceflinger_service, service_manager_type; +type system_server_service, service_manager_type; diff --git a/service_contexts b/service_contexts new file mode 100644 index 0000000000000000000000000000000000000000..3720b46b86c16f7ee2a161cfebbbc2fb7157ac3f --- /dev/null +++ b/service_contexts 
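Review bot: service.te declares ten types without a comment saying what they label or how they are assigned. A short header such as `# Types for binder service names registered with servicemanager; assigned by service_contexts and checked on add.` plus a line marking `default_android_service` as the type for names with no explicit service_contexts entry (the trailing `*` line in that file) would make the file readable without cross-referencing the other hunks.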
@@ -0,0 +1,96 @@
+accessibility u:object_r:system_server_service:s0
+account u:object_r:system_server_service:s0
+activity u:object_r:system_server_service:s0
+alarm u:object_r:system_server_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+appops u:object_r:system_server_service:s0
+appwidget u:object_r:system_server_service:s0
+assetatlas u:object_r:system_server_service:s0
+audio u:object_r:system_server_service:s0
+backup u:object_r:system_server_service:s0
+batteryproperties u:object_r:healthd_service:s0
+batterystats u:object_r:system_server_service:s0
+battery u:object_r:system_server_service:s0
+bluetooth_manager u:object_r:system_server_service:s0
+clipboard u:object_r:system_server_service:s0
+com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
+commontime_management u:object_r:system_server_service:s0
+connectivity u:object_r:system_server_service:s0
+consumer_ir u:object_r:system_server_service:s0
+content u:object_r:system_server_service:s0
+country_detector u:object_r:system_server_service:s0
+cpuinfo u:object_r:system_server_service:s0
+dbinfo u:object_r:system_server_service:s0
+device_policy u:object_r:system_server_service:s0
+devicestoragemonitor u:object_r:system_server_service:s0
+diskstats u:object_r:system_server_service:s0
+display.qservice u:object_r:surfaceflinger_service:s0
+display u:object_r:system_server_service:s0
+DockObserver u:object_r:system_server_service:s0
+dreams u:object_r:system_server_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:system_server_service:s0
+entropy u:object_r:system_server_service:s0
+ethernet u:object_r:system_server_service:s0
+gfxinfo u:object_r:system_server_service:s0
+hardware u:object_r:system_server_service:s0
+hdmi_control u:object_r:system_server_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:system_server_service:s0
+input u:object_r:system_server_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+launcherapps u:object_r:system_server_service:s0
+location u:object_r:system_server_service:s0
+lock_settings u:object_r:system_server_service:s0
+media.audio_flinger u:object_r:mediaserver_service:s0
+media.audio_policy u:object_r:mediaserver_service:s0
+media.camera u:object_r:mediaserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media_router u:object_r:system_server_service:s0
+media_session u:object_r:system_server_service:s0
+meminfo u:object_r:system_server_service:s0
+mount u:object_r:system_server_service:s0
+netpolicy u:object_r:system_server_service:s0
+netstats u:object_r:system_server_service:s0
+network_management u:object_r:system_server_service:s0
+network_score u:object_r:system_server_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:system_server_service:s0
+package u:object_r:system_server_service:s0
+permission u:object_r:system_server_service:s0
+phone u:object_r:radio_service:s0
+power u:object_r:system_server_service:s0
+print u:object_r:system_server_service:s0
+procstats u:object_r:system_server_service:s0
+restrictions u:object_r:system_server_service:s0
+samplingprofiler u:object_r:system_server_service:s0
+scheduling_policy u:object_r:system_server_service:s0
+search u:object_r:system_server_service:s0
+sensorservice u:object_r:system_server_service:s0
+serial u:object_r:system_server_service:s0
+servicediscovery u:object_r:system_server_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+statusbar u:object_r:system_server_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+task u:object_r:system_server_service:s0
+telecomm u:object_r:radio_service:s0
+telephony.registry u:object_r:system_server_service:s0
+textservices u:object_r:system_server_service:s0
+trust u:object_r:system_server_service:s0
+tv_input u:object_r:system_server_service:s0
+uimode u:object_r:system_server_service:s0
+updatelock u:object_r:system_server_service:s0 +usagestats u:object_r:system_server_service:s0 +usb u:object_r:system_server_service:s0 +user u:object_r:system_server_service:s0 +vibrator u:object_r:system_server_service:s0 +voiceinteraction u:object_r:system_server_service:s0 +wallpaper u:object_r:system_server_service:s0 +wifip2p u:object_r:system_server_service:s0 +wifiscanner u:object_r:system_server_service:s0 +wifi u:object_r:system_server_service:s0 +window u:object_r:system_server_service:s0 + +* u:object_r:default_android_service:s0 diff --git a/servicemanager.te b/servicemanager.te index a78a485bb4273f2a099ddca232fcab1912bec428..f3dbca8f105c5ce6cab041ffa949d59c326f75b3 100644 --- a/servicemanager.te +++ b/servicemanager.te @@ -12,3 +12,10 @@ init_daemon_domain(servicemanager) # or initiates a Binder IPC. allow servicemanager self:binder set_context_mgr; allow servicemanager domain:binder transfer; + +# Get contexts of binder services that call servicemanager. +allow servicemanager binderservicedomain:dir search; +allow servicemanager binderservicedomain:file { read open }; +allow servicemanager binderservicedomain:process getattr; +# Check SELinux permissions. +selinux_check_access(servicemanager) diff --git a/surfaceflinger.te b/surfaceflinger.te index 6a40bfcbcce6bd17d6067fb0532ef9f8ddb98ccc..c5086120996b0ab444c463c4e5f8ab115f907600 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -57,6 +57,8 @@ r_dir_file(surfaceflinger, dumpstate) allow surfaceflinger tee:unix_stream_socket connectto; allow surfaceflinger tee_device:chr_file rw_file_perms; +allow surfaceflinger surfaceflinger_service:service_manager add; + ### ### Neverallow rules ### diff --git a/system_server.te b/system_server.te index aa4d6c403390bdd8059391f19ca521d36844f8c8..11a1ebec6936cb3018dfe89f0a0061369d84b49a 100644 --- a/system_server.te +++ b/system_server.te 
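Review bot: The ordering in service_contexts appears to be load-bearing but is undocumented: longer names are consistently placed before their prefixes (`display.qservice` before `display`, `batterystats` before `battery`, `wifip2p` and `wifiscanner` before `wifi`, `inputflinger` before `input`), which only matters if lookups are prefix-matched; if they are, an innocent alphabetical re-sort would silently relabel those services with another domain's type. A header comment stating the matching rule and that the trailing `*` entry is the catch-all for default_android_service would protect against that; if matching is in fact exact, say so and the ordering concern goes away.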
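Review bot: The new servicemanager.te allows (dir search, file read/open, process getattr) permit context lookup only for callers in binderservicedomain, so an add attempt from any other domain will fail the lookup with a denial rather than reaching the service_manager permission check; the userspace side must treat a failed lookup as deny, and that assumption should be recorded next to these rules, e.g. `# Context lookup is only allowed for binderservicedomain callers; servicemanager must refuse requests whose context cannot be determined.` The dir/file/process permissions suggest the caller's context is derived from the caller's pid rather than carried with the binder transaction; if so, the comment should say that too, since pid-based identification is the weaker form and future readers should know which one is in use.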
@@ -350,6 +350,8 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; allow system_server pstorefs:dir r_dir_perms; allow system_server pstorefs:file r_file_perms; +allow system_server system_server_service:service_manager add; + ### ### Neverallow rules ###