Record observed system_server servicemanager service requests.
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:
avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
diff --git a/drmserver.te b/drmserver.te
index 482c218..e52d679 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -53,4 +53,10 @@
allow drmserver system_server_service:service_manager find;
allow drmserver tmp_system_server_service:service_manager find;
+service_manager_local_audit_domain(drmserver)
+auditallow drmserver {
+ tmp_system_server_service
+ -permission_service
+}:service_manager find;
+
selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index 320b19f..cb38e0b 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -104,20 +104,8 @@
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
-allow dumpstate {
- drmserver_service
- healthd_service
- inputflinger_service
- keystore_service
- mediaserver_service
- nfc_service
- radio_service
- surfaceflinger_service
- system_app_service
- system_server_service
- tmp_system_server_service
-}:service_manager find;
-
+allow dumpstate service_manager_type:service_manager find;
allow dumpstate servicemanager:service_manager list;
+service_manager_local_audit_domain(dumpstate)
allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/mediaserver.te b/mediaserver.te
index ec69aed..a8bc55f 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -84,15 +84,10 @@
allow mediaserver surfaceflinger_service:service_manager find;
allow mediaserver tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
tmp_system_server_service
+ -appops_service
-batterystats_service
-permission_service
-power_service
diff --git a/nfc.te b/nfc.te
index e825b1b..00826bb 100644
--- a/nfc.te
+++ b/nfc.te
@@ -25,3 +25,22 @@
allow nfc surfaceflinger_service:service_manager find;
allow nfc system_server_service:service_manager find;
allow nfc tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+ tmp_system_server_service
+ -accessibility_service
+ -activity_service
+ -appops_service
+ -batterystats_service
+ -bluetooth_manager_service
+ -connectivity_service
+ -content_service
+ -display_service
+ -dropbox_service
+ -network_management_service
+ -power_service
+ -trust_service
+ -user_service
+ -vibrator_service
+}:service_manager find;
\ No newline at end of file
diff --git a/platform_app.te b/platform_app.te
index 61cc757..378d455 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,6 +39,7 @@
auditallow platform_app {
tmp_system_server_service
-accessibility_service
+ -account_service
-activity_service
-appops_service
-appwidget_service
diff --git a/radio.te b/radio.te
index a6aec28..b5ff4a7 100644
--- a/radio.te
+++ b/radio.te
@@ -42,11 +42,17 @@
tmp_system_server_service
-activity_service
-appops_service
+ -bluetooth_manager_service
-connectivity_service
-content_service
-display_service
-dropbox_service
+ -netstats_service
-network_management_service
+ -notification_service
-power_service
-registry_service
+ -trust_service
+ -user_service
+ -wifi_service
}:service_manager find;
diff --git a/shared_relro.te b/shared_relro.te
index c444382..1a7e2d0 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -12,3 +12,9 @@
# Needs to contact the "webviewupdate" and "activity" services
allow shared_relro system_server_service:service_manager find;
allow shared_relro tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(shared_relro)
+auditallow shared_relro {
+ tmp_system_server_service
+ -webviewupdate_service
+}:service_manager find;
diff --git a/shell.te b/shell.te
index d31a496..8cfe9ac 100644
--- a/shell.te
+++ b/shell.te
@@ -60,6 +60,7 @@
# allow shell access to services
allow shell servicemanager:service_manager list;
allow shell service_manager_type:service_manager find;
+service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top
allow shell domain:dir { search open read getattr };
diff --git a/system_app.te b/system_app.te
index ea936aa..d3c7bdd 100644
--- a/system_app.te
+++ b/system_app.te
@@ -62,11 +62,32 @@
-accessibility_service
-activity_service
-appops_service
+ -appwidget_service
+ -assetatlas_service
+ -audio_service
+ -backup_service
+ -bluetooth_manager_service
-connectivity_service
+ -content_service
+ -device_policy_service
-display_service
+ -dreams_service
-dropbox_service
+ -input_method_service
+ -input_service
+ -lock_settings_service
+ -mount_service
-network_management_service
+ -notification_service
+ -power_service
+ -print_service
+ -registry_service
+ -sensorservice_service
+ -usagestats_service
+ -usb_service
-user_service
+ -vibrator_service
+ -wifi_service
}:service_manager find;
allow system_app keystore:keystore_key {
diff --git a/system_server.te b/system_server.te
index ae9ada2..191c446 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,9 +364,11 @@
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;
+allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
+allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
@@ -376,9 +378,11 @@
allow system_server service_manager_type:service_manager find;
auditallow system_server {
service_manager_type
+ -drmserver_service
-healthd_service
-keystore_service
-mediaserver_service
+ -nfc_service
-radio_service
-system_server_service
-surfaceflinger_service
@@ -418,6 +422,7 @@
-network_score_service
-notification_service
-package_service
+ -permission_service
-power_service
-registry_service
-sensorservice_service
diff --git a/untrusted_app.te b/untrusted_app.te
index bb93526..91cb46a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -82,18 +82,27 @@
-assetatlas_service
-audio_service
-backup_service
+ -battery_service
-batterystats_service
-bluetooth_manager_service
-connectivity_service
-content_service
+ -country_detector_service
+ -default_android_service
-device_policy_service
-display_service
-dropbox_service
-input_method_service
-input_service
-jobscheduler_service
+ -launcherapps_service
-location_service
+ -lock_settings_service
+ -media_router_service
+ -media_session_service
+ -meminfo_service
-mount_service
+ -netpolicy_service
-netstats_service
-network_management_service
-network_score_service
@@ -101,13 +110,18 @@
-persistent_data_block_service
-power_service
-registry_service
+ -search_service
+ -sensorservice_service
-textservices_service
-trust_service
-uimode_service
-user_service
-vibrator_service
+ -voiceinteraction_service
+ -wallpaper_service
-webviewupdate_service
-wifi_service
+ -wifip2p_service
}:service_manager find;
###