Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:
network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats
Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
diff --git a/bluetooth.te b/bluetooth.te
index 4f1ef6e..bc2acef 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,8 +60,6 @@
service_manager_local_audit_domain(bluetooth)
auditallow bluetooth {
tmp_system_server_service
- -network_management_service
- -power_service
-registry_service
-user_service
}:service_manager find;
diff --git a/drmserver.te b/drmserver.te
index 418ce39..d76d3be 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -50,12 +50,6 @@
allow drmserver oemfs:file r_file_perms;
allow drmserver drmserver_service:service_manager { add find };
-allow drmserver tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
- tmp_system_server_service
- -permission_service
-}:service_manager find;
+allow drmserver permission_service:service_manager find;
selinux_check_access(drmserver)
diff --git a/mediaserver.te b/mediaserver.te
index 835802e..6497101 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -83,15 +83,15 @@
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
allow mediaserver tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
tmp_system_server_service
- -permission_service
- -power_service
- -processinfo_service
-scheduling_policy_service
}:service_manager find;
diff --git a/nfc.te b/nfc.te
index 6532c68..e4a4ccb 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,8 +30,6 @@
service_manager_local_audit_domain(nfc)
auditallow nfc {
tmp_system_server_service
- -network_management_service
- -power_service
-registry_service
-trust_service
-user_service
diff --git a/platform_app.te b/platform_app.te
index 89b3a66..2943e6c 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -30,6 +30,7 @@
allow platform_app drmserver_service:service_manager find;
allow platform_app mediaserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
@@ -39,9 +40,6 @@
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
- -network_management_service
- -notification_service
- -power_service
-registry_service
-search_service
-sensorservice_service
diff --git a/radio.te b/radio.te
index c14e964..469f1d9 100644
--- a/radio.te
+++ b/radio.te
@@ -41,9 +41,6 @@
service_manager_local_audit_domain(radio)
auditallow radio {
tmp_system_server_service
- -network_management_service
- -notification_service
- -power_service
-registry_service
-trust_service
-user_service
diff --git a/service.te b/service.te
index bbca5e7..fa4d56e 100644
--- a/service.te
+++ b/service.te
@@ -62,16 +62,16 @@
type mount_service, app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, system_server_service, service_manager_type;
type netstats_service, system_api_service, system_server_service, service_manager_type;
-type network_management_service, tmp_system_server_service, service_manager_type;
-type network_score_service, tmp_system_server_service, service_manager_type;
-type notification_service, tmp_system_server_service, service_manager_type;
-type package_service, tmp_system_server_service, service_manager_type;
-type permission_service, tmp_system_server_service, service_manager_type;
-type persistent_data_block_service, tmp_system_server_service, service_manager_type;
-type power_service, tmp_system_server_service, service_manager_type;
-type print_service, tmp_system_server_service, service_manager_type;
-type processinfo_service, tmp_system_server_service, service_manager_type;
-type procstats_service, tmp_system_server_service, service_manager_type;
+type network_management_service, system_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_server_service, service_manager_type;
+type power_service, app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, tmp_system_server_service, service_manager_type;
type rttmanager_service, tmp_system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
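Review bot: The two types left without an API attribute, `persistent_data_block_service` and `processinfo_service`, carry no comment saying the omission is intentional, so a later cleanup could tag them `app_api_service` and presumably expose them to every app domain. A line such as `# No *_api_service attribute on purpose: find is granted per domain.` above each would record the intent. Separately, `network_management_service` and `network_score_service` become `system_api_service`, which the context lines of untrusted_app.te show is still findable by `untrusted_app` under a TODO, so the new label restricts nothing for that domain until the TODO is resolved. bluetooth.te, nfc.te, radio.te and system_app.te drop their audit exclusions for the moved services without gaining an explicit allow; presumably attribute rules outside this diff cover them, which is worth confirming against denials on a device build.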
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 007be96..c83caf2 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -60,14 +60,14 @@
# media.player service
allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(surfaceflinger)
auditallow surfaceflinger {
tmp_system_server_service
- -permission_service
- -power_service
-window_service
}:service_manager find;
diff --git a/system_app.te b/system_app.te
index d518e11..9b4e29a 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,11 +60,6 @@
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
- -network_management_service
- -network_score_service
- -notification_service
- -power_service
- -print_service
-registry_service
-restrictions_service
-sensorservice_service
diff --git a/system_server.te b/system_server.te
index a2cfeba..cb5d5cb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -376,12 +376,6 @@
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
- -network_management_service
- -network_score_service
- -notification_service
- -package_service
- -permission_service
- -power_service
-registry_service
-sensorservice_service
-statusbar_service
diff --git a/untrusted_app.te b/untrusted_app.te
index c1135e8..c94092a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,15 +87,12 @@
# TODO: remove this once priv-apps are no longer running in untrusted_app
allow untrusted_app system_api_service:service_manager find;
+# TODO: remove and replace with specific package that accesses this
+allow untrusted_app persistent_data_block_service:service_manager find;
+
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
- -network_management_service
- -network_score_service
- -notification_service
- -persistent_data_block_service
- -power_service
- -procstats_service
-registry_service
-rttmanager_service
-search_service
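Review bot: The added `allow untrusted_app persistent_data_block_service:service_manager find;` lets every process in the third-party app domain look up a service that service.te, in this same commit, leaves without `app_api_service` or `system_api_service`. The TODO says the intended caller is one specific package, but nothing records which one, and the removed `-persistent_data_block_service` exclusion shows these lookups were not being audited before either. I would add `auditallow untrusted_app persistent_data_block_service:service_manager find;` next to the rule so the real caller appears in the audit log and the grant can be narrowed, and reference the tracking bug in the TODO. Whatever permission checks the service performs itself are not visible here, and the auditallow block continues past the end of the hunk.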