Add SELinux policies for example service.

Add SELinux policies for the brillo_example_service, which is started by
init. The brillo_example_client has to be started manually as root;
otherwise, the oneway callback from the service to the client fails.

BUG=26405163
TEST=manual test with the out of tree flow

Change-Id: I08af4f08f16dcaa36abdb441bb72d140ddf8c351
diff --git a/service_example/Android.mk b/service_example/Android.mk
index 007133c..31165a9 100644
--- a/service_example/Android.mk
+++ b/service_example/Android.mk
@@ -29,7 +29,9 @@
     libbrillo-binder \
     libchrome \
     libutils
-LOCAL_INIT_RC := example_service.rc
+# Uncomment the following line to have this service started automatically on
+# boot by init.
+#LOCAL_INIT_RC := example_service.rc
 include $(BUILD_EXECUTABLE)
 
 include $(CLEAR_VARS)
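Review bot: With `LOCAL_INIT_RC` commented out on the new side, a default build no longer has init start the service, yet the commit description and the comment in brillo_example_service.te both describe the domain as entered by a transition from init. If that is the only transition defined, a service launched by hand from `adb shell` (the README flow) would presumably stay in the caller's domain and the new policy would not apply to it; worth confirming with `ps -Z` on a device. The comment should state that dependency, for example `# Note: the brillo_example_service SELinux domain is only entered when init starts the service.`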
diff --git a/service_example/README.md b/service_example/README.md
index 16ef39a..47838d6 100644
--- a/service_example/README.md
+++ b/service_example/README.md
@@ -45,7 +45,8 @@
 
         adb shell
 
-    and then start the example service in the background
+    and then start the example service in the background (not required if the
+    service is started by init)
 
         brillo_example_service &
 
@@ -53,7 +54,7 @@
 
         adb logcat
 
-4. In the first terminal, start the example client.
+4. In the first terminal, start the example client as root.
 
         brillo_example_client
 
diff --git a/service_example/sepolicy/brillo_example_service.te b/service_example/sepolicy/brillo_example_service.te
new file mode 100644
index 0000000..9586a40
--- /dev/null
+++ b/service_example/sepolicy/brillo_example_service.te
@@ -0,0 +1,12 @@
+# Domain for the Brillo example service.
+type brillo_example_service, domain;
+type brillo_example_service_exec, exec_type, file_type;
+
+# Allow domain transition from init, and access to D-Bus and Binder.
+brillo_domain(brillo_example_service)
+
+# Allow the example service to add itself to service_manager.
+allow brillo_example_service brilloexampleservice:service_manager add;
+
+# Allow crash_reporter access to core dump files.
+allow_crash_reporter(brillo_example_service)
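Review bot: This policy covers only the service side: no rule grants `find` on `brilloexampleservice:service_manager`, and none lets brillo_example_service make the oneway callback into the client's domain. That gap is presumably why the commit tells users to run the client as root, which likely only works where the root shell domain is permissive and sets a poor example for code that will be copied. Consider a follow-up giving the client its own domain (the name here is a placeholder), with rules such as `allow brillo_example_client brilloexampleservice:service_manager find;` and `binder_call(brillo_example_service, brillo_example_client)`. At minimum, add a comment here: `# No client domain yet; the client must run as root (see README).`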
diff --git a/service_example/sepolicy/file_contexts b/service_example/sepolicy/file_contexts
new file mode 100644
index 0000000..017e759
--- /dev/null
+++ b/service_example/sepolicy/file_contexts
@@ -0,0 +1,3 @@
+# Associate the example service's executable with the domain defined in
+# brillo_example_service.te.
+/system/bin/brillo_example_service     u:object_r:brillo_example_service_exec:s0
diff --git a/service_example/sepolicy/service.te b/service_example/sepolicy/service.te
new file mode 100644
index 0000000..6544432
--- /dev/null
+++ b/service_example/sepolicy/service.te
@@ -0,0 +1,2 @@
+# Add a context for the Brillo example service.
+type brilloexampleservice, service_manager_type;
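Review bot: The service-manager type `brilloexampleservice` differs from the process domain `brillo_example_service` only by its underscores. That makes the `allow brillo_example_service brilloexampleservice:service_manager add;` rule hard to read, and a swapped name easy to miss in review. A visibly distinct name would help, e.g. `type brillo_example_binder_service, service_manager_type;` (illustrative name), with the same rename applied in service_contexts and brillo_example_service.te.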
diff --git a/service_example/sepolicy/service_contexts b/service_example/sepolicy/service_contexts
new file mode 100644
index 0000000..d78561e
--- /dev/null
+++ b/service_example/sepolicy/service_contexts
@@ -0,0 +1,3 @@
+# Associate the Brillo example service's name (as defined when it is added to
+# the service manager) with a context.
+android.brillo.example.ExampleService u:object_r:brilloexampleservice:s0