Merge "Remove vndservice_manager object classes." into oc-dev
am: f8a18d47a1

Change-Id: Iba5fd78ab1d578878cde958b489c57959ac6a290
diff --git a/private/access_vectors b/private/access_vectors
index 6b08d9e..74cf530 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,13 +675,6 @@
 	list
 }
 
-class vndservice_manager
-{
-	add
-	find
-	list
-}
-
 class keystore_key
 {
 	get_state
diff --git a/private/security_classes b/private/security_classes
index 5685bd6..02e3ef2 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -137,9 +137,6 @@
 # hardware service manager      # userspace
 class hwservice_manager
 
-# vendor service manager        # userspace
-class vndservice_manager
-
 # Keystore Key
 class keystore_key              # userspace
 
diff --git a/public/domain.te b/public/domain.te
index e75ce1a..97f75c0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -219,7 +219,7 @@
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing vndservice_manager_type
 # when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
 
 ###
 ### neverallow rules
@@ -914,8 +914,17 @@
 } shell_data_file:file open;
 
 
-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;
 
 # only service_manager_types can be added to service_manager
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
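Review bot: The TODO on the last line of this hunk still names only `service_manager_type`, but the rewritten workaround allow earlier in this file now places `vndservice_manager_type` objects under class `service_manager` as well. If that rule were enabled as written, it would forbid the vendor add/find that the merged class is meant to carry. I would update the comment to `# TODO - rework this: neverallow * ~{ service_manager_type vndservice_manager_type }:service_manager { add find };`. With the dedicated class gone, the visible rules separate framework and vendor services only by type attribute. A one-line comment above the new `list` neverallow saying so would help the next reader, for example `# framework and vendor services share class service_manager; they are told apart by service_manager_type vs vndservice_manager_type`.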
diff --git a/public/su.te b/public/su.te
index 77fd071..47349d8 100644
--- a/public/su.te
+++ b/public/su.te
@@ -38,10 +38,10 @@
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
   dontaudit su hwservice_manager_type:hwservice_manager *;
-  dontaudit su vndservice_manager_type:vndservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su vndservicemanager:vndservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;