Merge "Remove known system_server service accesses from auditing."

platform_app.te

@@ -36,12 +36,24 @@ allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
 
 # address tmp_system_server_service accesses
-allow platform_app input_service:service_manager find;
+allow platform_app {
-allow platform_app lock_settings_service:service_manager find;
+    activity_service
+    connectivity_service
+    display_service
+    dropbox_service
+    input_service
+    lock_settings_service
+    mount_service
+}:service_manager find;
 
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
+    -activity_service
+    -connectivity_service
+    -display_service
+    -dropbox_service
     -input_service
     -lock_settings_service
+    -mount_service
 }:service_manager find;

system_app.te

@@ -57,6 +57,23 @@ allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
 
+# address tmp_system_server_service accesses
+allow system_app {
+    activity_service
+    connectivity_service
+    display_service
+    dropbox_service
+}:service_manager find;
+
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+    tmp_system_server_service
+    -activity_service
+    -connectivity_service
+    -display_service
+    -dropbox_service
+}:service_manager find;
+
 allow system_app keystore:keystore_key {
 	test
 	get

system_server.te

@@ -383,17 +383,30 @@ auditallow system_server {
     -radio_service
     -system_server_service
     -surfaceflinger_service
+    -tmp_system_server_service
 }:service_manager find;
 
 # address tmp_system_server_service accesses
-allow system_server dreams_service:service_manager find;
+allow system_server {
-allow system_server mount_service:service_manager find;
+    account_service
+    backup_service
+    dreams_service
+    mount_service
+    package_service
+    wallpaper_service
+    wifi_service
+}:service_manager find;
 
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
+    -account_service
+    -backup_service
     -dreams_service
     -mount_service
+    -package_service
+    -wallpaper_service
+    -wifi_service
 }:service_manager find;
 
 allow system_server keystore:keystore_key {

untrusted_app.te

@@ -74,31 +74,40 @@ allow untrusted_app tmp_system_server_service:service_manager find;
 
 # address tmp_system_server_service accesses
 service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app accessibility_service:service_manager find;
+allow untrusted_app {
-allow untrusted_app account_service:service_manager find;
+    accessibility_service
-allow untrusted_app activity_service:service_manager find;
+    account_service
-allow untrusted_app appops_service:service_manager find;
+    activity_service
-allow untrusted_app appwidget_service:service_manager find;
+    appops_service
-allow untrusted_app assetatlas_service:service_manager find;
+    appwidget_service
-allow untrusted_app audio_service:service_manager find;
+    assetatlas_service
-allow untrusted_app bluetooth_manager_service:service_manager find;
+    audio_service
-allow untrusted_app connectivity_service:service_manager find;
+    backup_service
-allow untrusted_app content_service:service_manager find;
+    batterystats_service
-allow untrusted_app device_policy_service:service_manager find;
+    bluetooth_manager_service
-allow untrusted_app display_service:service_manager find;
+    connectivity_service
-allow untrusted_app dropbox_service:service_manager find;
+    content_service
-allow untrusted_app input_method_service:service_manager find;
+    device_policy_service
-allow untrusted_app input_service:service_manager find;
+    display_service
-allow untrusted_app jobscheduler_service:service_manager find;
+    dropbox_service
-allow untrusted_app notification_service:service_manager find;
+    input_method_service
-allow untrusted_app persistent_data_block_service:service_manager find;
+    input_service
-allow untrusted_app power_service:service_manager find;
+    jobscheduler_service
-allow untrusted_app registry_service:service_manager find;
+    location_service
-allow untrusted_app textservices_service:service_manager find;
+    mount_service
-allow untrusted_app trust_service:service_manager find;
+    netstats_service
-allow untrusted_app user_service:service_manager find;
+    network_score_service
-allow untrusted_app webviewupdate_service:service_manager find;
+    notification_service
-allow untrusted_app wifi_service:service_manager find;
+    persistent_data_block_service
+    power_service
+    registry_service
+    textservices_service
+    trust_service
+    uimode_service
+    user_service
+    webviewupdate_service
+    wifi_service
+}:service_manager find;
 
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
@@ -110,6 +119,8 @@ auditallow untrusted_app {
     -appwidget_service
     -assetatlas_service
     -audio_service
+    -backup_service
+    -batterystats_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
@@ -119,12 +130,17 @@ auditallow untrusted_app {
     -input_method_service
     -input_service
     -jobscheduler_service
+    -location_service
+    -mount_service
+    -netstats_service
+    -network_score_service
     -notification_service
     -persistent_data_block_service
     -power_service
     -registry_service
     -textservices_service
     -trust_service
+    -uimode_service
     -user_service
     -webviewupdate_service
     -wifi_service