Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.
(cherry picked from commit 603bc2050959dd353154bf33fa0c2b0612da9c6e)
Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f
diff --git a/bluetooth.te b/bluetooth.te
index 8ba56b0..56fe170 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -54,6 +54,7 @@
auditallow bluetooth {
service_manager_type
-bluetooth_service
+ -radio_service
-system_server_service
}:service_manager find;
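Review bot: The added `-radio_service` exclusion has no comment recording why bluetooth's lookups of that service no longer need to be logged, and the one-line exclusions added in nfc.te, radio.te and untrusted_app.te (which drops `keystore_service` from the audited set) share the gap. auditallow only logs access that is already granted, so each subtraction removes visibility without narrowing what the domain may find. A later reader cannot tell an expected dependency from one that was merely noisy. I would put a short rationale above each block, for example `# radio_service: expected lookup seen in audit logs; excluded to reduce noise`, adjusted to the actual reason.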
diff --git a/drmserver.te b/drmserver.te
index 12e3ac7..14b2f49 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -49,4 +49,8 @@
# Audited locally.
service_manager_local_audit_domain(drmserver)
-auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
+auditallow drmserver {
+ service_manager_type
+ -drmserver_service
+ -system_server_service
+}:service_manager find;
diff --git a/dumpstate.te b/dumpstate.te
index 279fd98..242cb93 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -96,3 +96,18 @@
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
+
+service_manager_local_audit_domain(dumpstate)
+auditallow dumpstate {
+ service_manager_type
+ -drmserver_service
+ -healthd_service
+ -inputflinger_service
+ -keystore_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -system_app_service
+ -system_server_service
+}:service_manager find;
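Review bot: The new dumpstate block lacks the `# Audited locally.` marker that the drmserver.te and isolated_app.te hunks keep directly above `service_manager_local_audit_domain(...)`, and it has no note explaining its ten exclusions. The list includes `keystore_service` and `system_server_service`, so find operations on those types by dumpstate go unlogged by this rule from the moment the domain is enrolled. If the list was derived from observed audit logs, say so in a comment such as `# Audited locally. Excluded types are services dumpstate is expected to find.`. It would also help to record whether these are meant to become explicit allow rules later, since the allow side is not visible in this hunk.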
diff --git a/isolated_app.te b/isolated_app.te
index 27b0e40..5929b25 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,4 +21,9 @@
# Audited locally.
service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app service_manager_type:service_manager find;
+auditallow isolated_app {
+ service_manager_type
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
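Review bot: For isolated_app the rule goes from auditing every `service_manager_type` find to silencing three types, including the broad `system_server_service`, and nothing in the hunk shows that these lookups are intended for this domain. Going by its name, isolated_app is a tightly sandboxed domain, so a granted find on `radio_service` looks like something to justify or remove from the allow side rather than only to stop logging. I would keep the audit until that is confirmed, or at least add `# TODO: confirm isolated_app needs radio_service; if not, remove the allow rather than the audit` above the block. The matching allow rule lies outside this hunk, so this is inferred from the exclusion list alone.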
diff --git a/nfc.te b/nfc.te
index c32e9d5..2b851a2 100644
--- a/nfc.te
+++ b/nfc.te
@@ -21,5 +21,6 @@
auditallow nfc {
service_manager_type
-mediaserver_service
+ -surfaceflinger_service
-system_server_service
}:service_manager find;
diff --git a/radio.te b/radio.te
index 11691cb..5f45df3 100644
--- a/radio.te
+++ b/radio.te
@@ -35,5 +35,6 @@
service_manager_type
-mediaserver_service
-radio_service
+ -surfaceflinger_service
-system_server_service
}:service_manager find;
diff --git a/untrusted_app.te b/untrusted_app.te
index ef7f1b5..c97b451 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -69,6 +69,7 @@
auditallow untrusted_app {
service_manager_type
-drmserver_service
+ -keystore_service
-mediaserver_service
-nfc_service
-radio_service