Allow vendor apps to use surfaceflinger_service
Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.
Addresses:
avc: denied { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 451d27a..41867ae 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -47,7 +47,6 @@
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 1693736..eeb022b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -28,7 +28,6 @@
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
allow ephemeral_app drmserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 63f56c8..5a5e701 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -19,7 +19,6 @@
allow mediaprovider audioserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
-allow mediaprovider surfaceflinger_service:service_manager find;
# Allow MediaProvider to read/write cached ringtones (opened by system).
allow mediaprovider ringtone_file:file { getattr read write };
diff --git a/private/nfc.te b/private/nfc.te
index b41558c..56446f4 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -21,7 +21,6 @@
allow nfc mediaserver_service:service_manager find;
allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
diff --git a/private/platform_app.te b/private/platform_app.te
index 884c436..ee0590c 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -53,7 +53,6 @@
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
allow platform_app thermal_service:service_manager find;
allow platform_app timezone_service:service_manager find;
allow platform_app app_api_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index f4cfc17..fce2c90 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -32,7 +32,6 @@
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
allow priv_app app_api_service:service_manager find;
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index cce589e..f96cae0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -75,7 +75,6 @@
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index 7ed3881..60634ae 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -34,7 +34,6 @@
allow untrusted_v2_app mediadrmserver_service:service_manager find;
allow untrusted_v2_app nfc_service:service_manager find;
allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
# TODO: potentially provide a tighter list of services here
allow untrusted_v2_app app_api_service:service_manager find;
diff --git a/public/domain.te b/public/domain.te
index 51f4081..d283006 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -551,7 +551,6 @@
-mediaserver_service
-nfc_service
-radio_service
- -surfaceflinger_service
-virtual_touchpad_service
-vr_hwc_service
-vr_manager_service
diff --git a/public/radio.te b/public/radio.te
index 6f29a70..094d39b 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -30,7 +30,6 @@
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index 3b9d60b..bc1244a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -23,7 +23,7 @@
type radio_service, service_manager_type;
type statscompanion_service, service_manager_type;
type storaged_service, service_manager_type;
-type surfaceflinger_service, service_manager_type;
+type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;
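Review bot: The new attribute list on the `type surfaceflinger_service` line makes the service findable by every domain that carries an `app_api_service:service_manager find` rule, not just the three vendor domains in the quoted denials, and it also adds ephemeral_app_api_service, which the description does not mention; the message should state that this is a policy-wide widening of who may reach surfaceflinger rather than a targeted grant. The removals in the other hunks depend on each domain already holding an app_api_service grant; that grant is visible in the context of every other hunk but not in the private/mediaprovider.te hunk (@@ -19,7 +19,6 @@), so confirm it exists elsewhere in that file or mediaprovider loses its surfaceflinger access. The domain.te hunk drops surfaceflinger_service from the neverallow exception list, which is what keeps the policy consistent once the attribute carries the exemption, so that dependency is worth a sentence in the description. With `Test: build` only, re-checking that the listed avc denials no longer appear on a device would strengthen the record. A short comment on the type line, such as `# app_api_service / ephemeral_app_api_service: app and vendor-app domains reach surfaceflinger only via these attributes (b/69064190)`, would explain the grant to the next reader.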