Start locking down access to services from ephemeral apps This starts with the reduction in the number of services that ephemeral apps can access. Prior to this commit, ephemeral apps were permitted to access most of the service_manager services accessible by conventional apps. This commit reduces this set by removing access from ephemeral apps to: * gatekeeper_service, * sec_key_att_app_id_provider_service, * wallpaper_service, * wifiaware_service, * wifip2p_service, * wifi_service. Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine. Bug: 33349998 Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3

commit: 6237d8b787adc5d685e8ce2eb983182add58aadb [log] [tgz]
author: Alex Klyubin <klyubin@google.com> Tue Feb 28 13:59:06 2017 -0800
committer: Alex Klyubin <klyubin@google.com> Thu Mar 02 10:23:01 2017 -0800
tree: 55a99279ed3f14ee32f2b8ca6eea6dc470b0b044
parent: ee0b8cd9fb3770e6a7c3f354f6023e973e676f62 [diff]
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index b4a2181..2b94827 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -20,8 +20,7 @@
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
-# TODO: Replace app_api_service with a smaller ephemeral_api_service
-allow ephemeral_app app_api_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
 
 ###
 ### neverallow rules
commit	6237d8b787adc5d685e8ce2eb983182add58aadb	[log] [tgz]
author	Alex Klyubin <klyubin@google.com>	Tue Feb 28 13:59:06 2017 -0800
committer	Alex Klyubin <klyubin@google.com>	Thu Mar 02 10:23:01 2017 -0800
tree	55a99279ed3f14ee32f2b8ca6eea6dc470b0b044
parent	ee0b8cd9fb3770e6a7c3f354f6023e973e676f62 [diff]