Merge "Add system_api_service and app_api_service attributes."

commit: a0756d60d8f704ef9402269af4ea3fa71b86c8a5 [log] [tgz]
author: dcashman <dcashman@google.com> Fri Apr 03 19:01:20 2015 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Apr 03 19:01:21 2015 +0000
tree: 7ae01a54b16bab196465306e02eac50350e6d2d9
parent: 4f4a4754254e6e643edd9413e6398e01f36ebe5b [diff]
parent: d12993f0846744ae8188a299cb1bb135014f626a [diff]
diff --git a/attributes b/attributes
index af9af8e..f35c83f 100644
--- a/attributes
+++ b/attributes

@@ -44,6 +44,13 @@
 
 # All service_manager types formerly given system_server_service type
 attribute tmp_system_server_service;
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
 
 # All types used for services managed by service_manager.
 attribute service_manager_type;

diff --git a/bluetooth.te b/bluetooth.te
index 7d81e09..c670b17 100644
--- a/bluetooth.te
+++ b/bluetooth.te

@@ -53,8 +53,9 @@
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth system_server_service:service_manager find;
 allow bluetooth tmp_system_server_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
 
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {

diff --git a/drmserver.te b/drmserver.te
index e52d679..418ce39 100644
--- a/drmserver.te
+++ b/drmserver.te

@@ -50,7 +50,6 @@
 allow drmserver oemfs:file r_file_perms;
 
 allow drmserver drmserver_service:service_manager { add find };
-allow drmserver system_server_service:service_manager find;
 allow drmserver tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(drmserver)

diff --git a/mediaserver.te b/mediaserver.te
index 23abb0f..77b54a3 100644
--- a/mediaserver.te
+++ b/mediaserver.te

@@ -80,7 +80,6 @@
 
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
-allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;
 

diff --git a/nfc.te b/nfc.te
index de482f4..34e8228 100644
--- a/nfc.te
+++ b/nfc.te

@@ -23,8 +23,9 @@
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
-allow nfc system_server_service:service_manager find;
 allow nfc tmp_system_server_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
 
 service_manager_local_audit_domain(nfc)
 auditallow nfc {

diff --git a/platform_app.te b/platform_app.te
index 92ac5ad..d16ea1b 100644
--- a/platform_app.te
+++ b/platform_app.te

@@ -32,8 +32,9 @@
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {

diff --git a/radio.te b/radio.te
index 4ecf43c..19a9aec 100644
--- a/radio.te
+++ b/radio.te

@@ -34,8 +34,9 @@
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
-allow radio system_server_service:service_manager find;
 allow radio tmp_system_server_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
 
 service_manager_local_audit_domain(radio)
 auditallow radio {

diff --git a/service.te b/service.te
index 156e534..eafe163 100644
--- a/service.te
+++ b/service.te

@@ -10,8 +10,6 @@
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
 
-type system_server_service,     service_manager_type;
-
 # system_server_services broken down
 type accessibility_service, tmp_system_server_service, service_manager_type;
 type account_service, tmp_system_server_service, service_manager_type;
@@ -27,31 +25,31 @@
 type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
 type clipboard_service, tmp_system_server_service, service_manager_type;
 type IMms_service, tmp_system_server_service, service_manager_type;
-type IProxyService_service, tmp_system_server_service, service_manager_type;
+type IProxyService_service, system_api_service, system_server_service, service_manager_type;
 type commontime_management_service, tmp_system_server_service, service_manager_type;
 type connectivity_service, tmp_system_server_service, service_manager_type;
-type consumer_ir_service, tmp_system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
 type content_service, tmp_system_server_service, service_manager_type;
 type country_detector_service, tmp_system_server_service, service_manager_type;
-type cpuinfo_service, tmp_system_server_service, service_manager_type;
-type dbinfo_service, tmp_system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, tmp_system_server_service, service_manager_type;
 type deviceidle_service, tmp_system_server_service, service_manager_type;
-type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, tmp_system_server_service, service_manager_type;
 type display_service, tmp_system_server_service, service_manager_type;
-type DockObserver_service, tmp_system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, tmp_system_server_service, service_manager_type;
 type dropbox_service, tmp_system_server_service, service_manager_type;
 type ethernet_service, tmp_system_server_service, service_manager_type;
 type fingerprint_service, tmp_system_server_service, service_manager_type;
-type gfxinfo_service, tmp_system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, tmp_system_server_service, service_manager_type;
 type hardware_service, tmp_system_server_service, service_manager_type;
 type hdmi_control_service, tmp_system_server_service, service_manager_type;
 type input_method_service, tmp_system_server_service, service_manager_type;
 type input_service, tmp_system_server_service, service_manager_type;
-type imms_service, tmp_system_server_service, service_manager_type;
+type imms_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, tmp_system_server_service, service_manager_type;
 type launcherapps_service, tmp_system_server_service, service_manager_type;
 type location_service, tmp_system_server_service, service_manager_type;
@@ -59,8 +57,8 @@
 type media_projection_service, tmp_system_server_service, service_manager_type;
 type media_router_service, tmp_system_server_service, service_manager_type;
 type media_session_service, tmp_system_server_service, service_manager_type;
-type meminfo_service, tmp_system_server_service, service_manager_type;
-type midi_service, tmp_system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, system_server_service, service_manager_type;
 type mount_service, tmp_system_server_service, service_manager_type;
 type netpolicy_service, tmp_system_server_service, service_manager_type;
 type netstats_service, tmp_system_server_service, service_manager_type;
@@ -76,7 +74,7 @@
 type procstats_service, tmp_system_server_service, service_manager_type;
 type restrictions_service, tmp_system_server_service, service_manager_type;
 type rttmanager_service, tmp_system_server_service, service_manager_type;
-type samplingprofiler_service, tmp_system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, tmp_system_server_service, service_manager_type;
 type search_service, tmp_system_server_service, service_manager_type;
 type sensorservice_service, tmp_system_server_service, service_manager_type;
@@ -86,8 +84,9 @@
 type task_service, tmp_system_server_service, service_manager_type;
 type registry_service, tmp_system_server_service, service_manager_type;
 type textservices_service, tmp_system_server_service, service_manager_type;
+type telecom_service, tmp_system_server_service, service_manager_type;
 type trust_service, tmp_system_server_service, service_manager_type;
-type tv_input_service, tmp_system_server_service, service_manager_type;
+type tv_input_service, app_api_service, system_server_service, service_manager_type;
 type uimode_service, tmp_system_server_service, service_manager_type;
 type updatelock_service, tmp_system_server_service, service_manager_type;
 type usagestats_service, tmp_system_server_service, service_manager_type;
@@ -98,6 +97,6 @@
 type wallpaper_service, tmp_system_server_service, service_manager_type;
 type webviewupdate_service, tmp_system_server_service, service_manager_type;
 type wifip2p_service, tmp_system_server_service, service_manager_type;
-type wifiscanner_service, tmp_system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, tmp_system_server_service, service_manager_type;
 type window_service, tmp_system_server_service, service_manager_type;

diff --git a/service_contexts b/service_contexts
index 223f99f..322f349 100644
--- a/service_contexts
+++ b/service_contexts

@@ -106,7 +106,7 @@
 statusbar                                 u:object_r:statusbar_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:task_service:s0
-telecom                                   u:object_r:system_server_service:s0
+telecom                                   u:object_r:telecom_service:s0
 telephony.registry                        u:object_r:registry_service:s0
 textservices                              u:object_r:textservices_service:s0
 trust                                     u:object_r:trust_service:s0

diff --git a/shared_relro.te b/shared_relro.te
index 1a7e2d0..c97ab5c 100644
--- a/shared_relro.te
+++ b/shared_relro.te

@@ -10,7 +10,6 @@
 allow shared_relro shared_relro_file:file create_file_perms;
 
 # Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro system_server_service:service_manager find;
 allow shared_relro tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(shared_relro)

diff --git a/surfaceflinger.te b/surfaceflinger.te
index a6ba5d9..007be96 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te

@@ -61,7 +61,6 @@
 # media.player service
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger system_server_service:service_manager find;
 allow surfaceflinger tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(surfaceflinger)

diff --git a/system_app.te b/system_app.te
index 6740dcd..6e91dd0 100644
--- a/system_app.te
+++ b/system_app.te

@@ -53,8 +53,9 @@
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
-allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
+allow system_app app_api_service:service_manager find;
+allow system_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(system_app)
 auditallow system_app {

diff --git a/untrusted_app.te b/untrusted_app.te
index a93885a..b090fe4 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te

@@ -81,8 +81,11 @@
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app system_server_service:service_manager find;
 allow untrusted_app tmp_system_server_service:service_manager find;
+allow untrusted_app app_api_service:service_manager find;
+
+# TODO: remove this once priv-apps are no longer running in untrusted_app
+allow untrusted_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
commit	a0756d60d8f704ef9402269af4ea3fa71b86c8a5	[log] [tgz]
author	dcashman <dcashman@google.com>	Fri Apr 03 19:01:20 2015 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Apr 03 19:01:21 2015 +0000
tree	7ae01a54b16bab196465306e02eac50350e6d2d9
parent	4f4a4754254e6e643edd9413e6398e01f36ebe5b [diff]
parent	d12993f0846744ae8188a299cb1bb135014f626a [diff]