Merge "Allow installd to move around private app data."
diff --git a/app.te b/app.te
index ffaae23..5e69888 100644
--- a/app.te
+++ b/app.te
@@ -19,7 +19,7 @@
 allow appdomain zygote_exec:file rx_file_perms;
 
 # gdbserver for ndk-gdb ptrace attaches to app process.
-allow { appdomain -isolated_app } self:process ptrace;
+allow appdomain self:process ptrace;
 
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
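Review bot: The widening at `+allow appdomain self:process ptrace;` now includes isolated_app, but nothing records why: the comment above still only describes the ndk-gdb case, and the commit message ("Allow installd to move around private app data") does not mention ptrace or isolated_app at all. Because the second hunk of this same file tightens isolated_app in the other direction (dropping gpu_device), a reader is likely to read the dropped `-isolated_app` here as a merge artefact rather than a decision. If it is intended, the comment should say so, e.g. `# gdbserver for ndk-gdb ptrace attaches to app process (self only; applies to isolated_app too).`; if not, the exclusion needs to come back in a follow-up.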
@@ -106,7 +106,7 @@
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
 
 # Use the Binder.
 binder_use(appdomain)
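Review bot: The comment `# Grant GPU access to all processes started by Zygote.` is now inaccurate, since the rule below it excludes isolated_app and isolated_app.te adds a matching neverallow in this same commit. Suggest `# Grant GPU access to all processes started by Zygote except isolated apps` followed by `# (see the neverallow in isolated_app.te).` so the exclusion is not mistaken for an oversight and quietly removed later.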
diff --git a/attributes b/attributes
index f35c83f..a9b211f 100644
--- a/attributes
+++ b/attributes
@@ -42,8 +42,7 @@
 # All types used for property service
 attribute property_type;
 
-# All service_manager types formerly given system_server_service type
-attribute tmp_system_server_service;
+# All service_manager types created by system_server
 attribute system_server_service;
 
 # services which should be available to all but isolated apps
diff --git a/bluetooth.te b/bluetooth.te
index bc2acef..890c1d9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -53,17 +53,9 @@
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth tmp_system_server_service:service_manager find;
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
-    tmp_system_server_service
-    -registry_service
-    -user_service
-}:service_manager find;
-
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/domain.te b/domain.te
index 5a3d3c9..87ec2ee 100644
--- a/domain.te
+++ b/domain.te
@@ -166,9 +166,6 @@
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
-# log all access to specified system_server services
-auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
-
 ###
 ### neverallow rules
 ###
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 45bf7d9..5cc7cea 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -4,12 +4,20 @@
 # gatekeeperd
 init_daemon_domain(gatekeeperd)
 binder_use(gatekeeperd)
-binder_service(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
 
+# need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };
 
+# Need to add auth tokens to KeyStore
+allow gatekeeperd keystore_service:service_manager find;
+binder_call(gatekeeperd, keystore)
 allow gatekeeperd keystore:keystore_key { add_auth };
 
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
 neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
+neverallow { domain -system_server } gatekeeperd:binder call;
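Review bot: The new comment `# need to find KeyStore and add self` is attached to the `gatekeeper_service:service_manager { add find }` rule, which registers and looks up gatekeeperd's own service; the KeyStore lookup is the `keystore_service:service_manager find` rule two lines further down, which already has its own comment. Suggest `# Register gatekeeper_service and look up our own entry` on the first rule instead. As a point of style, the system_server call is a bare `allow gatekeeperd system_server:binder call;` while the keystore call uses `binder_call`, which (if it is the usual Android macro) also grants fd use; if the narrower grant toward system_server is deliberate, a one-line comment saying so would stop a later reader from "fixing" it. The `neverallow { domain -system_server } gatekeeperd:binder call;` only holds because `binder_service(gatekeeperd)` is removed above and `binder_call(system_server, gatekeeperd)` is added in system_server.te; that dependency is worth naming in the comment, since dropping either half breaks the invariant silently.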
diff --git a/isolated_app.te b/isolated_app.te
index 48bf3de..1cede96 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,7 +13,7 @@
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr };
+allow isolated_app app_data_file:file { read write getattr lock };
 
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
@@ -35,3 +35,6 @@
     -activity_service
     -display_service
 }:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
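Review bot: The neverallow lists exactly the permissions the app.te allow used to grant, `{ rw_file_perms execute }`, so a future rule granting a different permission on gpu_device to isolated_app (for example `getattr` on its own, or a permission added to the chr_file class later) would not trip it. If the intent stated in the comment is that isolated apps never touch the driver at all, `neverallow isolated_app gpu_device:chr_file *;` expresses that directly; if only these permissions are meant to be forbidden, the comment should say that instead of "access the driver directly".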
diff --git a/mediaserver.te b/mediaserver.te
index 6497101..d269097 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -86,14 +86,8 @@
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;
 allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
-allow mediaserver tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
-    tmp_system_server_service
-    -scheduling_policy_service
-}:service_manager find;
 
 # /oem access
 allow mediaserver oemfs:dir search;
diff --git a/nfc.te b/nfc.te
index e4a4ccb..8528b4f 100644
--- a/nfc.te
+++ b/nfc.te
@@ -23,19 +23,9 @@
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
-allow nfc tmp_system_server_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
 
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
-    tmp_system_server_service
-    -registry_service
-    -trust_service
-    -user_service
-    -vibrator_service
-}:service_manager find;
-
 # already open bugreport file descriptors may be shared with
 # the nfc process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/platform_app.te b/platform_app.te
index 2943e6c..c152f47 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -33,23 +33,5 @@
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app tmp_system_server_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
-
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
-    tmp_system_server_service
-    -registry_service
-    -search_service
-    -sensorservice_service
-    -statusbar_service
-    -trust_service
-    -uimode_service
-    -usb_service
-    -user_service
-    -vibrator_service
-    -wallpaper_service
-    -webviewupdate_service
-    -wifi_service
-}:service_manager find;
diff --git a/radio.te b/radio.te
index 469f1d9..92f18d2 100644
--- a/radio.te
+++ b/radio.te
@@ -34,16 +34,5 @@
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
-allow radio tmp_system_server_service:service_manager find;
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
-
-service_manager_local_audit_domain(radio)
-auditallow radio {
-    tmp_system_server_service
-    -registry_service
-    -trust_service
-    -user_service
-    -vibrator_service
-    -wifi_service
-}:service_manager find;
diff --git a/service.te b/service.te
index fa4d56e..da01071 100644
--- a/service.te
+++ b/service.te
@@ -20,7 +20,7 @@
 type appwidget_service, app_api_service, system_server_service, service_manager_type;
 type assetatlas_service, app_api_service, system_server_service, service_manager_type;
 type audio_service, app_api_service, system_server_service, service_manager_type;
-type backup_service, system_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, system_server_service, service_manager_type;
 type batterystats_service, app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
 type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
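Review bot: Moving backup_service from system_api_service to app_api_service exposes it to every domain with `app_api_service:service_manager find`, which per the untrusted_app.te hunk in this commit includes untrusted_app, and nothing in the hunk or the commit message records why. Unlike the tmp_system_server_service reclassifications in the next hunk, there is no prior auditallow data visible for backup_service, so this looks like a policy decision rather than a measured one. Suggest a comment on the line, e.g. `# backup_service: app-facing (needed by <caller, to be confirmed>)`, or a note in the commit message.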
@@ -67,36 +67,36 @@
 type notification_service, app_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
 type power_service, app_api_service, system_server_service, service_manager_type;
 type print_service, app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
 type procstats_service, app_api_service, system_server_service, service_manager_type;
-type restrictions_service, tmp_system_server_service, service_manager_type;
-type rttmanager_service, tmp_system_server_service, service_manager_type;
+type registry_service, app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, tmp_system_server_service, service_manager_type;
-type search_service, tmp_system_server_service, service_manager_type;
-type sensorservice_service, tmp_system_server_service, service_manager_type;
-type serial_service, tmp_system_server_service, service_manager_type;
-type servicediscovery_service, tmp_system_server_service, service_manager_type;
-type statusbar_service, tmp_system_server_service, service_manager_type;
-type task_service, tmp_system_server_service, service_manager_type;
-type registry_service, tmp_system_server_service, service_manager_type;
-type textservices_service, tmp_system_server_service, service_manager_type;
-type telecom_service, tmp_system_server_service, service_manager_type;
-type trust_service, tmp_system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, system_server_service, service_manager_type;
+type trust_service, system_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, tmp_system_server_service, service_manager_type;
-type updatelock_service, tmp_system_server_service, service_manager_type;
-type usagestats_service, tmp_system_server_service, service_manager_type;
-type usb_service, tmp_system_server_service, service_manager_type;
-type user_service, tmp_system_server_service, service_manager_type;
-type vibrator_service, tmp_system_server_service, service_manager_type;
-type voiceinteraction_service, tmp_system_server_service, service_manager_type;
-type wallpaper_service, tmp_system_server_service, service_manager_type;
-type webviewupdate_service, tmp_system_server_service, service_manager_type;
-type wifip2p_service, tmp_system_server_service, service_manager_type;
+type uimode_service, app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, tmp_system_server_service, service_manager_type;
-type window_service, tmp_system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
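Review bot: The hunk reorders registry_service into alphabetical position but leaves `telecom_service` after `textservices_service`, so the list is still not sorted in that one spot; since the surrounding file is otherwise alphabetical, swapping those two lines here would finish the job. The types that keep only `system_server_service` (scheduling_policy_service, task_service) are now reachable only by domains with an explicit find, as mediaserver.te shows for scheduling_policy_service; a short comment on those lines, e.g. `# not exposed via app_api_service/system_api_service; grant find per domain`, would make the narrower exposure visibly intentional.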
diff --git a/shared_relro.te b/shared_relro.te
index c97ab5c..6a1dfd4 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -10,10 +10,4 @@
 allow shared_relro shared_relro_file:file create_file_perms;
 
 # Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(shared_relro)
-auditallow shared_relro {
-    tmp_system_server_service
-    -webviewupdate_service
-}:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
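Review bot: The retained comment `# Needs to contact the "webviewupdate" and "activity" services` now sits above a rule that grants only `webviewupdate_service:service_manager find`; activity_service find is not granted in this hunk. If that grant lives elsewhere in the file (it is outside the hunk, so I cannot tell), the comment should point there; if it does not, the comment is stale and should read `# Needs to contact the "webviewupdate" service`, or the missing rule needs adding.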
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c83caf2..c85df82 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -63,13 +63,7 @@
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
-    tmp_system_server_service
-    -window_service
-}:service_manager find;
+allow surfaceflinger window_service:service_manager find;
 
 ###
 ### Neverallow rules
diff --git a/system_app.te b/system_app.te
index 9b4e29a..895ff71 100644
--- a/system_app.te
+++ b/system_app.te
@@ -53,25 +53,9 @@
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
-allow system_app tmp_system_server_service:service_manager find;
 allow system_app app_api_service:service_manager find;
 allow system_app system_api_service:service_manager find;
 
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
-    tmp_system_server_service
-    -registry_service
-    -restrictions_service
-    -sensorservice_service
-    -textservices_service
-    -uimode_service
-    -usagestats_service
-    -usb_service
-    -user_service
-    -vibrator_service
-    -wifi_service
-}:service_manager find;
-
 allow system_app keystore:keystore_key {
 	test
 	get
diff --git a/system_server.te b/system_server.te
index cb5d5cb..d8e5978 100644
--- a/system_server.te
+++ b/system_server.te
@@ -122,6 +122,7 @@
 # Perform Binder IPC.
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
+binder_call(system_server, gatekeeperd)
 binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
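Review bot: The added `binder_call(system_server, gatekeeperd)` has no comment explaining why gatekeeperd is listed separately from the `binder_call(system_server, binderservicedomain)` line just above it; the reason is in gatekeeperd.te, where `binder_service(gatekeeperd)` is removed and a neverallow restricts callers to system_server. Suggest `# gatekeeperd is deliberately not a binderservicedomain; system_server is its only permitted caller (see gatekeeperd.te).` so nobody later "simplifies" this back into the attribute.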
@@ -371,27 +372,6 @@
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
-allow system_server tmp_system_server_service:service_manager { add find };
-
-service_manager_local_audit_domain(system_server)
-auditallow system_server {
-    tmp_system_server_service
-    -registry_service
-    -sensorservice_service
-    -statusbar_service
-    -textservices_service
-    -trust_service
-    -uimode_service
-    -updatelock_service
-    -usagestats_service
-    -user_service
-    -vibrator_service
-    -wallpaper_service
-    -webviewupdate_service
-    -wifi_service
-    -wifip2p_service
-    -window_service
-}:service_manager find;
 
 allow system_server keystore:keystore_key {
 	test
diff --git a/untrusted_app.te b/untrusted_app.te
index c94092a..5ad8c79 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,7 +81,6 @@
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app tmp_system_server_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
 
 # TODO: remove this once priv-apps are no longer running in untrusted_app
@@ -90,27 +89,6 @@
 # TODO: remove and replace with specific package that accesses this
 allow untrusted_app persistent_data_block_service:service_manager find;
 
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
-    tmp_system_server_service
-    -registry_service
-    -rttmanager_service
-    -search_service
-    -sensorservice_service
-    -statusbar_service
-    -textservices_service
-    -trust_service
-    -uimode_service
-    -usagestats_service
-    -user_service
-    -vibrator_service
-    -voiceinteraction_service
-    -wallpaper_service
-    -webviewupdate_service
-    -wifi_service
-    -wifip2p_service
-}:service_manager find;
-
 # Allow verifier to access staged apks.
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;