Clarify priv_app.te.

No semantic changes. Just trying to make this easier to understand:
- Separate out common bundles of services from individual services
  (the naming doesn't make this obvious).
- Comment the common ones.
- Put related binder_call and service_manager:find rules together.

Test: Builds
Change-Id: Iba4a85a464da032e35450abff0febcdcf433df48
diff --git a/private/priv_app.te b/private/priv_app.te
index ad39eb1..004908c 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -30,7 +30,10 @@
 
 allow priv_app privapp_data_file:lnk_file create_file_perms;
 
+# Priv apps can find services that expose both @SystemAPI and normal APIs.
 allow priv_app app_api_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
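Review bot: The comment added above the `app_api_service` and `system_api_service` rules reads as if each service exposes both kinds of API, but the two rules grant `find` on two separate bundles. Since the commit message describes these as common bundles rather than individual services, the comment should say which bundle is which, and that labelling a service into either one makes it findable by every priv_app. Suggested wording: `# Bundles, not single services: app_api_service (normal APIs) and system_api_service (@SystemApi).` followed by `# Any service added to either bundle becomes findable by all priv_apps.` The platform annotation is spelled `@SystemApi`, not `@SystemAPI`.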
@@ -46,11 +49,10 @@
 allow priv_app radio_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-allow priv_app gpu_service:service_manager find;
 
 # Allow privileged apps to interact with gpuservice
 binder_call(priv_app, gpuservice)
+allow priv_app gpu_service:service_manager find;
 
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;