From 76f3fe33d7b1a42b0a3f356be5522e9cc014687e Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 5 Dec 2014 14:30:30 -0800
Subject: [PATCH]  Add neverallow rule for set_context_mgr.

Change-Id: Ie7c2bf623dcfe246fa5e60b0775b6bb38869d8cb
---
 domain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/domain.te b/domain.te
index 6cf7be34b..243c992f3 100644
--- a/domain.te
+++ b/domain.te
@@ -329,3 +329,6 @@ neverallow { domain -recovery } system_block_device:blk_file write;
 
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+
+# Only servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager } *:binder set_context_mgr;
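Review bot: The new neverallow on the last line of the hunk is a build-time assertion only — checkpolicy rejects a policy that violates it, but nothing here grants servicemanager the permission, so the matching `allow servicemanager self:binder set_context_mgr;` must still exist in servicemanager.te (outside this patch) or the device will have no context manager at all. The `*` target type is broader than the specific block-device types used by the neighbouring rules; as far as I recall the kernel evaluates set_context_mgr with the calling process's own context as the target, which is why a wildcard (rather than `self`) is the right choice in a neverallow, since it also catches any vendor-added target types. That reasoning is worth stating in the comment so the wildcard is not "tightened" later, e.g. `# Target is * rather than self so no domain can become context manager against any type, including device-specific ones.`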
-- 
GitLab