commit b075338d0e335eb2dbd786ae4f8e033e78eeca37
author dcashman <dcashman@google.com> Fri Apr 03 14:24:02 2015 -0700
committer dcashman <dcashman@google.com> Fri Apr 03 14:29:40 2015 -0700
tree aebb975e1a21f1bacca500f6d50d24335e858bb4
parent a0756d60d8f704ef9402269af4ea3fa71b86c8a5

Assign app_api_service attribute to services.

Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd

bluetooth.te

diff --git a/bluetooth.te b/bluetooth.te
index c670b17..ad44ff1 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,8 +60,6 @@
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
     tmp_system_server_service
-    -activity_service
-    -appops_service
     -audio_service
     -bluetooth_manager_service
     -connectivity_service

mediaserver.te

diff --git a/mediaserver.te b/mediaserver.te
index 77b54a3..6beae06 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,6 +78,8 @@
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
 
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver surfaceflinger_service:service_manager find;
@@ -86,8 +88,6 @@
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
     tmp_system_server_service
-    -activity_service
-    -appops_service
     -batterystats_service
     -permission_service
     -power_service

nfc.te

diff --git a/nfc.te b/nfc.te
index 34e8228..556fd20 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,9 +30,6 @@
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
     tmp_system_server_service
-    -accessibility_service
-    -activity_service
-    -appops_service
     -batterystats_service
     -bluetooth_manager_service
     -connectivity_service

platform_app.te

diff --git a/platform_app.te b/platform_app.te
index d16ea1b..7dedc55 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,10 +39,6 @@
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
     -appwidget_service
     -assetatlas_service
     -audio_service

radio.te

diff --git a/radio.te b/radio.te
index 19a9aec..5b158de 100644
--- a/radio.te
+++ b/radio.te
@@ -41,10 +41,6 @@
 service_manager_local_audit_domain(radio)
 auditallow radio {
     tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
     -assetatlas_service
     -bluetooth_manager_service
     -connectivity_service

service.te

diff --git a/service.te b/service.te
index eafe163..e0bcc2f 100644
--- a/service.te
+++ b/service.te
@@ -11,11 +11,11 @@
 type system_app_service,        service_manager_type;
 
 # system_server_services broken down
-type accessibility_service, tmp_system_server_service, service_manager_type;
-type account_service, tmp_system_server_service, service_manager_type;
-type activity_service, tmp_system_server_service, service_manager_type;
+type accessibility_service, app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, system_server_service, service_manager_type;
 type alarm_service, tmp_system_server_service, service_manager_type;
-type appops_service, tmp_system_server_service, service_manager_type;
+type appops_service, app_api_service, system_server_service, service_manager_type;
 type appwidget_service, tmp_system_server_service, service_manager_type;
 type assetatlas_service, tmp_system_server_service, service_manager_type;
 type audio_service, tmp_system_server_service, service_manager_type;

system_app.te

diff --git a/system_app.te b/system_app.te
index 6e91dd0..eebc644 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,10 +60,6 @@
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
     -appwidget_service
     -assetatlas_service
     -audio_service

system_server.te

diff --git a/system_server.te b/system_server.te
index c80e185..644ff05 100644
--- a/system_server.te
+++ b/system_server.te
@@ -370,11 +370,7 @@
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
     -alarm_service
-    -appops_service
     -assetatlas_service
     -audio_service
     -backup_service

untrusted_app.te

diff --git a/untrusted_app.te b/untrusted_app.te
index b090fe4..f0961cb 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,10 +90,6 @@
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
     -appwidget_service
     -assetatlas_service
     -audio_service