Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate attributes: network_management network_score notification package permission persistent power print processinfo procstats Bug: 18106000 Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
parent
9bef25026b
commit
03a6f64f95
11 changed files with 20 additions and 49 deletions
|
@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
|
||||||
service_manager_local_audit_domain(bluetooth)
|
service_manager_local_audit_domain(bluetooth)
|
||||||
auditallow bluetooth {
|
auditallow bluetooth {
|
||||||
tmp_system_server_service
|
tmp_system_server_service
|
||||||
-network_management_service
|
|
||||||
-power_service
|
|
||||||
-registry_service
|
-registry_service
|
||||||
-user_service
|
-user_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
|
@ -50,12 +50,6 @@ allow drmserver oemfs:dir search;
|
||||||
allow drmserver oemfs:file r_file_perms;
|
allow drmserver oemfs:file r_file_perms;
|
||||||
|
|
||||||
allow drmserver drmserver_service:service_manager { add find };
|
allow drmserver drmserver_service:service_manager { add find };
|
||||||
allow drmserver tmp_system_server_service:service_manager find;
|
allow drmserver permission_service:service_manager find;
|
||||||
|
|
||||||
service_manager_local_audit_domain(drmserver)
|
|
||||||
auditallow drmserver {
|
|
||||||
tmp_system_server_service
|
|
||||||
-permission_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
||||||
selinux_check_access(drmserver)
|
selinux_check_access(drmserver)
|
||||||
|
|
|
@ -83,15 +83,15 @@ allow mediaserver appops_service:service_manager find;
|
||||||
allow mediaserver batterystats_service:service_manager find;
|
allow mediaserver batterystats_service:service_manager find;
|
||||||
allow mediaserver drmserver_service:service_manager find;
|
allow mediaserver drmserver_service:service_manager find;
|
||||||
allow mediaserver mediaserver_service:service_manager { add find };
|
allow mediaserver mediaserver_service:service_manager { add find };
|
||||||
|
allow mediaserver permission_service:service_manager find;
|
||||||
|
allow mediaserver power_service:service_manager find;
|
||||||
|
allow mediaserver processinfo_service:service_manager find;
|
||||||
allow mediaserver surfaceflinger_service:service_manager find;
|
allow mediaserver surfaceflinger_service:service_manager find;
|
||||||
allow mediaserver tmp_system_server_service:service_manager find;
|
allow mediaserver tmp_system_server_service:service_manager find;
|
||||||
|
|
||||||
service_manager_local_audit_domain(mediaserver)
|
service_manager_local_audit_domain(mediaserver)
|
||||||
auditallow mediaserver {
|
auditallow mediaserver {
|
||||||
tmp_system_server_service
|
tmp_system_server_service
|
||||||
-permission_service
|
|
||||||
-power_service
|
|
||||||
-processinfo_service
|
|
||||||
-scheduling_policy_service
|
-scheduling_policy_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
||||||
|
|
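--- a/nfc.te
+++ b/nfc.te
@@ -30,8 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
 tmp_system_server_service
--network_management_service
--power_service
 -registry_service
 -trust_service
 -user_service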
|
@ -30,6 +30,7 @@ allow platform_app cache_file:file create_file_perms;
|
||||||
|
|
||||||
allow platform_app drmserver_service:service_manager find;
|
allow platform_app drmserver_service:service_manager find;
|
||||||
allow platform_app mediaserver_service:service_manager find;
|
allow platform_app mediaserver_service:service_manager find;
|
||||||
|
allow platform_app persistent_data_block_service:service_manager find;
|
||||||
allow platform_app radio_service:service_manager find;
|
allow platform_app radio_service:service_manager find;
|
||||||
allow platform_app surfaceflinger_service:service_manager find;
|
allow platform_app surfaceflinger_service:service_manager find;
|
||||||
allow platform_app tmp_system_server_service:service_manager find;
|
allow platform_app tmp_system_server_service:service_manager find;
|
||||||
|
@ -39,9 +40,6 @@ allow platform_app system_api_service:service_manager find;
|
||||||
service_manager_local_audit_domain(platform_app)
|
service_manager_local_audit_domain(platform_app)
|
||||||
auditallow platform_app {
|
auditallow platform_app {
|
||||||
tmp_system_server_service
|
tmp_system_server_service
|
||||||
-network_management_service
|
|
||||||
-notification_service
|
|
||||||
-power_service
|
|
||||||
-registry_service
|
-registry_service
|
||||||
-search_service
|
-search_service
|
||||||
-sensorservice_service
|
-sensorservice_service
|
||||||
|
|
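Review bot: The new `allow platform_app persistent_data_block_service:service_manager find;` in the first hunk has no comment saying which platform component needs the service, and the matching rule added for untrusted_app further down this page carries only a TODO with no bug reference. service.te in this commit leaves persistent_data_block_service with `system_server_service` and no app-facing attribute, so access to it is granted rule by rule and each rule is worth justifying. I would put `# <component> needs persistent_data_block_service for <reason>` above the platform_app rule, and for untrusted_app add `auditallow untrusted_app persistent_data_block_service:service_manager find;` so the logs identify the package the TODO wants to narrow to. A find permission only gates lookup through servicemanager; whether the service itself checks its callers is not visible on this page.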
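--- a/radio.te
+++ b/radio.te
@@ -41,9 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
 tmp_system_server_service
--network_management_service
--notification_service
--power_service
 -registry_service
 -trust_service
 -user_service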
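--- a/service.te
+++ b/service.te
@@ -62,16 +62,16 @@ type midi_service, app_api_service, system_server_service, service_manager_type;
 type mount_service, app_api_service, system_server_service, service_manager_type;
 type netpolicy_service, app_api_service, system_server_service, service_manager_type;
 type netstats_service, system_api_service, system_server_service, service_manager_type;
-type network_management_service, tmp_system_server_service, service_manager_type;
-type network_score_service, tmp_system_server_service, service_manager_type;
-type notification_service, tmp_system_server_service, service_manager_type;
-type package_service, tmp_system_server_service, service_manager_type;
-type permission_service, tmp_system_server_service, service_manager_type;
-type persistent_data_block_service, tmp_system_server_service, service_manager_type;
-type power_service, tmp_system_server_service, service_manager_type;
-type print_service, tmp_system_server_service, service_manager_type;
-type processinfo_service, tmp_system_server_service, service_manager_type;
-type procstats_service, tmp_system_server_service, service_manager_type;
+type network_management_service, system_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_server_service, service_manager_type;
+type power_service, app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, system_server_service, service_manager_type;
 type restrictions_service, tmp_system_server_service, service_manager_type;
 type rttmanager_service, tmp_system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;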
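Review bot: Six of the retyped services (notification, package, permission, power, print, procstats) now carry `app_api_service`, and the untrusted_app hunk on this page shows `allow untrusted_app app_api_service:service_manager find;`, so these declarations are where lookup by every app domain is decided, yet nothing records why each service is app-facing. network_management_service and network_score_service go to `system_api_service`, which untrusted_app can also find for now under the priv-app TODO visible in that same hunk. I would add a comment near these declarations such as `# app_api_service: findable by all app domains; the service must enforce its own caller checks`, and keep a service out of that attribute when no app-facing use is known. Whether each service performs those checks cannot be confirmed from this diff.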
|
@ -60,14 +60,14 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# media.player service
|
# media.player service
|
||||||
allow surfaceflinger mediaserver_service:service_manager find;
|
allow surfaceflinger mediaserver_service:service_manager find;
|
||||||
|
allow surfaceflinger permission_service:service_manager find;
|
||||||
|
allow surfaceflinger power_service:service_manager find;
|
||||||
allow surfaceflinger surfaceflinger_service:service_manager { add find };
|
allow surfaceflinger surfaceflinger_service:service_manager { add find };
|
||||||
allow surfaceflinger tmp_system_server_service:service_manager find;
|
allow surfaceflinger tmp_system_server_service:service_manager find;
|
||||||
|
|
||||||
service_manager_local_audit_domain(surfaceflinger)
|
service_manager_local_audit_domain(surfaceflinger)
|
||||||
auditallow surfaceflinger {
|
auditallow surfaceflinger {
|
||||||
tmp_system_server_service
|
tmp_system_server_service
|
||||||
-permission_service
|
|
||||||
-power_service
|
|
||||||
-window_service
|
-window_service
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
||||||
|
|
|
@ -60,11 +60,6 @@ allow system_app system_api_service:service_manager find;
|
||||||
service_manager_local_audit_domain(system_app)
|
service_manager_local_audit_domain(system_app)
|
||||||
auditallow system_app {
|
auditallow system_app {
|
||||||
tmp_system_server_service
|
tmp_system_server_service
|
||||||
-network_management_service
|
|
||||||
-network_score_service
|
|
||||||
-notification_service
|
|
||||||
-power_service
|
|
||||||
-print_service
|
|
||||||
-registry_service
|
-registry_service
|
||||||
-restrictions_service
|
-restrictions_service
|
||||||
-sensorservice_service
|
-sensorservice_service
|
||||||
|
|
|
@ -376,12 +376,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
|
||||||
service_manager_local_audit_domain(system_server)
|
service_manager_local_audit_domain(system_server)
|
||||||
auditallow system_server {
|
auditallow system_server {
|
||||||
tmp_system_server_service
|
tmp_system_server_service
|
||||||
-network_management_service
|
|
||||||
-network_score_service
|
|
||||||
-notification_service
|
|
||||||
-package_service
|
|
||||||
-permission_service
|
|
||||||
-power_service
|
|
||||||
-registry_service
|
-registry_service
|
||||||
-sensorservice_service
|
-sensorservice_service
|
||||||
-statusbar_service
|
-statusbar_service
|
||||||
|
|
|
@ -87,15 +87,12 @@ allow untrusted_app app_api_service:service_manager find;
|
||||||
# TODO: remove this once priv-apps are no longer running in untrusted_app
|
# TODO: remove this once priv-apps are no longer running in untrusted_app
|
||||||
allow untrusted_app system_api_service:service_manager find;
|
allow untrusted_app system_api_service:service_manager find;
|
||||||
|
|
||||||
|
# TODO: remove and replace with specific package that accesses this
|
||||||
|
allow untrusted_app persistent_data_block_service:service_manager find;
|
||||||
|
|
||||||
service_manager_local_audit_domain(untrusted_app)
|
service_manager_local_audit_domain(untrusted_app)
|
||||||
auditallow untrusted_app {
|
auditallow untrusted_app {
|
||||||
tmp_system_server_service
|
tmp_system_server_service
|
||||||
-network_management_service
|
|
||||||
-network_score_service
|
|
||||||
-notification_service
|
|
||||||
-persistent_data_block_service
|
|
||||||
-power_service
|
|
||||||
-procstats_service
|
|
||||||
-registry_service
|
-registry_service
|
||||||
-rttmanager_service
|
-rttmanager_service
|
||||||
-search_service
|
-search_service
|
||||||
|
|