commit 2aa8042f9db1eac2fb19f479f9f0a5ebd76d9ab6
author Jeff Vander Stoep <jeffv@google.com> Wed May 13 14:40:49 2020 +0200
committer Jeffrey Vander Stoep <jeffv@google.com> Wed May 13 15:06:17 2020 +0000
tree 97771bf2435f6693f27bab91ee27c6823b1a94ac
parent 4ec6c0a48d4f337cefc293ace33bbd843b414290

incident_service: only disallow untrusted access

Allow device-specific domains to access the incident_service.

Test: build
Bug: 156479626
Change-Id: I3b368c09087e2d3542b70be5aa22f8ef47392221

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 66e9f69..1157187 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -257,3 +257,6 @@
   -untrusted_app_25
   -untrusted_app_27
 } mnt_sdcard_file:lnk_file *;
+
+# Only privileged apps may find the incident service
+neverallow all_untrusted_apps incident_service:service_manager find;

private/incidentd.te

diff --git a/private/incidentd.te b/private/incidentd.te
index 405684a..656f69f 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -179,21 +179,6 @@
 ###
 ### neverallow rules
 ###
-
-# only specific domains can find the incident service
-neverallow {
-  domain
-  -dumpstate
-  -incident
-  -incidentd
-  -perfetto
-  -permissioncontroller_app
-  -priv_app
-  -statsd
-  -system_app
-  -system_server
-} incident_service:service_manager find;
-
 # only incidentd and the other root services in limited circumstances
 # can get to the files in /data/misc/incidents
 #