From a30464c06e78e3e943788d4750b47f82d049938c Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Tue, 21 Jan 2020 10:18:57 -0800
Subject: [PATCH] More neverallows for default_android_service.

We don't want to accidentally allow this, and a neverallow also means
that the issue will be found during development, instead of review.

Fixes: 148081219
Test: compile policy only
Change-Id: I57990a2a4ab9e5988b09dae2dd6a710ce8f53800
---
 private/atrace.te     | 1 +
 private/system_app.te | 1 +
 public/domain.te      | 6 +++---
 public/dumpstate.te   | 1 +
 public/shell.te       | 1 +
 public/traceur_app.te | 1 +
 6 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/private/atrace.te b/private/atrace.te
index 2545c8b5d..ad7d177e6 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -37,6 +37,7 @@ allow atrace {
   -installd_service
   -vold_service
   -lpdump_service
+  -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
 
diff --git a/private/system_app.te b/private/system_app.te
index ee18ab27d..e5d7d1845 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -93,6 +93,7 @@ allow system_app {
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 # suppress denials for services system_app should not be accessing.
 dontaudit system_app {
diff --git a/public/domain.te b/public/domain.te
index feb043512..72ec0760a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -500,9 +500,9 @@ neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmou
 # system_app_service rather than the generic type.
 # New service_types are defined in {,hw,vnd}service.te and new mappings
 # from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;
 
 # Looking up the base class/interface of all HwBinder services is a bad idea.
 # hwservicemanager currently offer such lookups only to make it so that security
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 7342856c3..824be5dc6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -230,6 +230,7 @@ allow dumpstate {
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 # suppress denials for services dumpstate should not be accessing.
 dontaudit dumpstate {
diff --git a/public/shell.te b/public/shell.te
index 532d05fd8..708959297 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -124,6 +124,7 @@ allow shell {
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 allow shell dumpstate:binder call;
 
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 5333015f3..7e2cc84a0 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -21,6 +21,7 @@ allow traceur_app {
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 
 # Allow traceur_app to use atrace HAL