Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate attributes: network_management network_score notification package permission persistent power print processinfo procstats Bug: 18106000 Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
2015-04-08 13:04:59 -07:00 · 2015-04-08 13:04:59 -07:00 · 03a6f64f95
commit 03a6f64f95
parent 9bef25026b
11 changed files with 20 additions and 49 deletions
--- a/bluetooth.te
+++ b/bluetooth.te
@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
    tmp_system_server_service
-    -network_management_service
-    -power_service
    -registry_service
    -user_service
 }:service_manager find;
--- a/drmserver.te
+++ b/drmserver.te
@ -50,12 +50,6 @@ allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;

 allow drmserver drmserver_service:service_manager { add find };
-allow drmserver tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
-    tmp_system_server_service
-    -permission_service
-}:service_manager find;
+allow drmserver permission_service:service_manager find;

 selinux_check_access(drmserver)
--- a/mediaserver.te
+++ b/mediaserver.te
@ -83,15 +83,15 @@ allow mediaserver appops_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;

 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
    tmp_system_server_service
-    -permission_service
-    -power_service
-    -processinfo_service
    -scheduling_policy_service
 }:service_manager find;

--- a/nfc.te
+++ b/nfc.te
@ -30,8 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
    tmp_system_server_service
-    -network_management_service
-    -power_service
    -registry_service
    -trust_service
    -user_service
--- a/platform_app.te
+++ b/platform_app.te
@ -30,6 +30,7 @@ allow platform_app cache_file:file create_file_perms;

 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
@ -39,9 +40,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
    tmp_system_server_service
-    -network_management_service
-    -notification_service
-    -power_service
    -registry_service
    -search_service
    -sensorservice_service
--- a/radio.te
+++ b/radio.te
@ -41,9 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
    tmp_system_server_service
-    -network_management_service
-    -notification_service
-    -power_service
    -registry_service
    -trust_service
    -user_service
--- a/service.te
+++ b/service.te
@ -62,16 +62,16 @@ type midi_service, app_api_service, system_server_service, service_manager_type;
 type mount_service, app_api_service, system_server_service, service_manager_type;
 type netpolicy_service, app_api_service, system_server_service, service_manager_type;
 type netstats_service, system_api_service, system_server_service, service_manager_type;
-type network_management_service, tmp_system_server_service, service_manager_type;
-type network_score_service, tmp_system_server_service, service_manager_type;
-type notification_service, tmp_system_server_service, service_manager_type;
-type package_service, tmp_system_server_service, service_manager_type;
-type permission_service, tmp_system_server_service, service_manager_type;
-type persistent_data_block_service, tmp_system_server_service, service_manager_type;
-type power_service, tmp_system_server_service, service_manager_type;
-type print_service, tmp_system_server_service, service_manager_type;
-type processinfo_service, tmp_system_server_service, service_manager_type;
-type procstats_service, tmp_system_server_service, service_manager_type;
+type network_management_service, system_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_server_service, service_manager_type;
+type power_service, app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, system_server_service, service_manager_type;
 type restrictions_service, tmp_system_server_service, service_manager_type;
 type rttmanager_service, tmp_system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@ -60,14 +60,14 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;

 # media.player service
 allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger tmp_system_server_service:service_manager find;

 service_manager_local_audit_domain(surfaceflinger)
 auditallow surfaceflinger {
    tmp_system_server_service
-    -permission_service
-    -power_service
    -window_service
 }:service_manager find;

--- a/system_app.te
+++ b/system_app.te
@ -60,11 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
    tmp_system_server_service
-    -network_management_service
-    -network_score_service
-    -notification_service
-    -power_service
-    -print_service
    -registry_service
    -restrictions_service
    -sensorservice_service
--- a/system_server.te
+++ b/system_server.te
@ -376,12 +376,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
    tmp_system_server_service
-    -network_management_service
-    -network_score_service
-    -notification_service
-    -package_service
-    -permission_service
-    -power_service
    -registry_service
    -sensorservice_service
    -statusbar_service
--- a/untrusted_app.te
+++ b/untrusted_app.te
@ -87,15 +87,12 @@ allow untrusted_app app_api_service:service_manager find;
 # TODO: remove this once priv-apps are no longer running in untrusted_app
 allow untrusted_app system_api_service:service_manager find;

+# TODO: remove and replace with specific package that accesses this
+allow untrusted_app persistent_data_block_service:service_manager find;
+
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
    tmp_system_server_service
-    -network_management_service
-    -network_score_service
-    -notification_service
-    -persistent_data_block_service
-    -power_service
-    -procstats_service
    -registry_service
    -rttmanager_service
    -search_service