Add SELinux policy for webservd over binder

Change-Id: I8690d7a43c1f89038ff857911c2c440429faa267
Test: Verified webservd functionality
Bug: 27204884
diff --git a/sepolicy/service.te b/sepolicy/service.te
index cfa7d39..dc71a51 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -4,3 +4,4 @@
 type trunks_service, service_manager_type;
 type weave_service, service_manager_type;
 type brilloaudioservice, service_manager_type;
+type webservd_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 135ab68..4359393 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -5,3 +5,4 @@
 android.brillo.UpdateEngineService u:object_r:update_engine_service:s0
 weave_service u:object_r:weave_service:s0
 android.brillo.brilloaudioservice.BrilloAudioService u:object_r:brilloaudioservice:s0
+android.webservd.Server u:object_r:webservd_service:s0
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
index ccf9568..d1265d8 100644
--- a/sepolicy/te_macros
+++ b/sepolicy/te_macros
@@ -85,3 +85,12 @@
 binder_call($1, update_engine)
 binder_call(update_engine, $1)
 ')
+
+#####################################
+# allow_call_webservd(domain)
+# Allow a domain and webservd to communicate with each other over binder.
+define(`allow_call_webservd', `
+allow $1 webservd_service:service_manager find;
+binder_call($1, webservd)
+binder_call(webservd, $1)
+')
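Review bot: The reverse rule `binder_call(webservd, $1)` in allow_call_webservd lets webservd start binder transactions into every domain that uses the macro, and the header comment does not say why that direction is needed. webservd.te grants the daemon `net_bind_service`, so it is presumably network-facing, and a compromised webservd would reach each client domain over this path. If the reverse direction is there for handler callbacks, say so in the comment, for example `# webservd calls back into $1 to deliver requests to registered handlers.` If some clients only ever call in, a one-way variant of the macro would keep them out of webservd's reach.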
diff --git a/sepolicy/webservd.te b/sepolicy/webservd.te
index 4774413..c1a3055 100644
--- a/sepolicy/webservd.te
+++ b/sepolicy/webservd.te
@@ -17,3 +17,4 @@
 allow webservd self:capability { net_bind_service };
 allow webservd webservd_data_file:dir rw_dir_perms;
 allow webservd webservd_data_file:file create_file_perms;
+allow webservd webservd_service:service_manager { add find };
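Review bot: Nothing in this hunk prevents another domain from later being allowed to register `android.webservd.Server`; the new rule grants `add` to webservd without a matching `neverallow { domain -webservd } webservd_service:service_manager add;`. With that line, the policy build fails if a later rule lets a different domain claim the name that clients resolve through allow_call_webservd. The `find` permission on its own service may also be unnecessary if webservd never looks itself up, which is worth confirming. The rest of webservd.te is outside the hunk, so whether `binder_use(webservd)` is already present could not be checked.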