# servicemanager - the Binder context manager
#
# Process domain for servicemanager. mlstrustedsubject marks it as trusted
# with respect to MLS constraints, which it needs because it brokers Binder
# references between domains at every level.
type servicemanager, domain, mlstrustedsubject;
# Label for the servicemanager executable on disk.
type servicemanager_exec, exec_type, file_type;

# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
#
# set_context_mgr is what lets this process register itself as the
# Binder context manager (the name service described above); no other
# domain in this policy is expected to hold it for the same driver.
allow servicemanager self:binder set_context_mgr;
# Only 'transfer' is granted, never 'call': servicemanager forwards
# references it was handed to the requesting domain but does not start
# transactions of its own. init and the other two context managers
# (hwservicemanager, vndservicemanager) are excluded -- presumably because
# they never obtain references through this name service; confirm against
# those domains' policy before widening or narrowing the set.
allow servicemanager {
    domain
    -init
    -hwservicemanager
    -vndservicemanager
}:binder transfer;

# Access to all (system and vendor) service_contexts
# TODO(b/36866029) access to nonplat_service_contexts
# should not be allowed on full treble devices
#
# Read-only (r_file_perms). The file is presumably what maps service
# names to the labels used in the access checks granted below.
allow servicemanager service_contexts_file:file r_file_perms;

# Check SELinux permissions.
# Macro defined elsewhere in the policy; it grants what a userspace
# object manager needs to ask the kernel for access decisions, which is
# how servicemanager enforces who may add/find/list a given service.
selinux_check_access(servicemanager)