Make system_server_service an attribute.
Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
parent
34d32ea164
commit
4a89cdfa89
19 changed files with 303 additions and 86 deletions
|
@ -42,6 +42,9 @@ attribute port_type;
|
|||
# All types used for property service
|
||||
attribute property_type;
|
||||
|
||||
# All service_manager types formerly given system_server_service type
|
||||
attribute tmp_system_server_service;
|
||||
|
||||
# All types used for services managed by service_manager.
|
||||
attribute service_manager_type;
|
||||
|
||||
|
|
|
@ -52,6 +52,7 @@ allow bluetooth ctl_dhcp_pan_prop:property_service set;
|
|||
allow bluetooth bluetooth_service:service_manager find;
|
||||
allow bluetooth radio_service:service_manager find;
|
||||
allow bluetooth system_server_service:service_manager find;
|
||||
allow bluetooth tmp_system_server_service:service_manager find;
|
||||
|
||||
# already open bugreport file descriptors may be shared with
|
||||
# the bluetooth process, from a file in
|
||||
|
|
|
@ -165,6 +165,9 @@ allow domain security_file:lnk_file r_file_perms;
|
|||
allow domain asec_public_file:file r_file_perms;
|
||||
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
|
||||
|
||||
# log all access to specified system_server services
|
||||
auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
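Review bot: The `list` permission in the new `auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager {list find };` rule probably never matches, because the dumpstate section on this page grants `list` against the servicemanager domain (`allow dumpstate servicemanager:service_manager list;`) and not against a service type. If that holds, only `find` is ever audited here and the rule would be clearer as `auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager find;`. The comment above it could also state why some domains are subtracted, for example `# log find on former system_server services; domains with their own narrower auditallow are excluded`.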
@ -51,5 +51,6 @@ allow drmserver oemfs:file r_file_perms;
|
|||
|
||||
allow drmserver drmserver_service:service_manager { add find };
|
||||
allow drmserver system_server_service:service_manager find;
|
||||
allow drmserver tmp_system_server_service:service_manager find;
|
||||
|
||||
selinux_check_access(drmserver)
|
||||
|
|
|
@ -117,6 +117,7 @@ allow dumpstate {
|
|||
surfaceflinger_service
|
||||
system_app_service
|
||||
system_server_service
|
||||
tmp_system_server_service
|
||||
}:service_manager find;
|
||||
|
||||
allow dumpstate servicemanager:service_manager list;
|
||||
|
|
|
@ -24,3 +24,19 @@ neverallow isolated_app gpu_device:file { rw_file_perms execute };
|
|||
allow isolated_app radio_service:service_manager find;
|
||||
allow isolated_app surfaceflinger_service:service_manager find;
|
||||
allow isolated_app system_server_service:service_manager find;
|
||||
allow isolated_app tmp_system_server_service:service_manager find;
|
||||
|
||||
# address tmp_system_server_service accesses
|
||||
allow isolated_app activity_service:service_manager find;
|
||||
allow isolated_app connectivity_service:service_manager find;
|
||||
allow isolated_app display_service:service_manager find;
|
||||
allow isolated_app dropbox_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(isolated_app)
|
||||
auditallow isolated_app {
|
||||
tmp_system_server_service
|
||||
-activity_service
|
||||
-connectivity_service
|
||||
-display_service
|
||||
-dropbox_service
|
||||
}:service_manager find;
|
||||
|
|
|
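Review bot: The blanket `allow isolated_app tmp_system_server_service:service_manager find;` still lets this tightly sandboxed domain look up every former system_server service, so the four per-service allows below it grant nothing new and the effective access is the same as before the split. Nothing in the section records that the blanket rule is meant to disappear; I would add `# TODO: drop the tmp_system_server_service allow once the auditallow below stops logging` above it so the temporary grant is not later read as intended policy. The same pattern, with the same missing marker, appears in the mediaserver, platform_app, untrusted_app and system_server sections.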
@ -82,6 +82,22 @@ allow mediaserver drmserver_service:service_manager find;
|
|||
allow mediaserver mediaserver_service:service_manager { add find };
|
||||
allow mediaserver system_server_service:service_manager find;
|
||||
allow mediaserver surfaceflinger_service:service_manager find;
|
||||
allow mediaserver tmp_system_server_service:service_manager find;
|
||||
|
||||
# address tmp_system_server_service accesses
|
||||
allow mediaserver batterystats_service:service_manager find;
|
||||
allow mediaserver permission_service:service_manager find;
|
||||
allow mediaserver power_service:service_manager find;
|
||||
allow mediaserver scheduling_policy_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(mediaserver)
|
||||
auditallow mediaserver {
|
||||
tmp_system_server_service
|
||||
-batterystats_service
|
||||
-permission_service
|
||||
-power_service
|
||||
-scheduling_policy_service
|
||||
}:service_manager find;
|
||||
|
||||
# /oem access
|
||||
allow mediaserver oemfs:dir search;
|
||||
|
|
1
nfc.te
1
nfc.te
|
@ -23,3 +23,4 @@ allow nfc mediaserver_service:service_manager find;
|
|||
allow nfc nfc_service:service_manager add;
|
||||
allow nfc surfaceflinger_service:service_manager find;
|
||||
allow nfc system_server_service:service_manager find;
|
||||
allow nfc tmp_system_server_service:service_manager find;
|
||||
|
|
|
@ -33,3 +33,15 @@ allow platform_app mediaserver_service:service_manager find;
|
|||
allow platform_app radio_service:service_manager find;
|
||||
allow platform_app surfaceflinger_service:service_manager find;
|
||||
allow platform_app system_server_service:service_manager find;
|
||||
allow platform_app tmp_system_server_service:service_manager find;
|
||||
|
||||
# address tmp_system_server_service accesses
|
||||
allow platform_app input_service:service_manager find;
|
||||
allow platform_app lock_settings_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(platform_app)
|
||||
auditallow platform_app {
|
||||
tmp_system_server_service
|
||||
-input_service
|
||||
-lock_settings_service
|
||||
}:service_manager find;
|
1
radio.te
1
radio.te
|
@ -34,3 +34,4 @@ allow radio mediaserver_service:service_manager find;
|
|||
allow radio radio_service:service_manager { add find };
|
||||
allow radio surfaceflinger_service:service_manager find;
|
||||
allow radio system_server_service:service_manager find;
|
||||
allow radio tmp_system_server_service:service_manager find;
|
||||
|
|
88
service.te
88
service.te
|
@ -9,4 +9,92 @@ type nfc_service, service_manager_type;
|
|||
type radio_service, service_manager_type;
|
||||
type surfaceflinger_service, service_manager_type;
|
||||
type system_app_service, service_manager_type;
|
||||
|
||||
type system_server_service, service_manager_type;
|
||||
|
||||
# system_server_services broken down
|
||||
type accessibility_service, tmp_system_server_service, service_manager_type;
|
||||
type account_service, tmp_system_server_service, service_manager_type;
|
||||
type activity_service, tmp_system_server_service, service_manager_type;
|
||||
type alarm_service, tmp_system_server_service, service_manager_type;
|
||||
type appops_service, tmp_system_server_service, service_manager_type;
|
||||
type appwidget_service, tmp_system_server_service, service_manager_type;
|
||||
type assetatlas_service, tmp_system_server_service, service_manager_type;
|
||||
type audio_service, tmp_system_server_service, service_manager_type;
|
||||
type backup_service, tmp_system_server_service, service_manager_type;
|
||||
type batterystats_service, tmp_system_server_service, service_manager_type;
|
||||
type battery_service, tmp_system_server_service, service_manager_type;
|
||||
type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
|
||||
type clipboard_service, tmp_system_server_service, service_manager_type;
|
||||
type IMms_service, tmp_system_server_service, service_manager_type;
|
||||
type IProxyService_service, tmp_system_server_service, service_manager_type;
|
||||
type commontime_management_service, tmp_system_server_service, service_manager_type;
|
||||
type connectivity_service, tmp_system_server_service, service_manager_type;
|
||||
type consumer_ir_service, tmp_system_server_service, service_manager_type;
|
||||
type content_service, tmp_system_server_service, service_manager_type;
|
||||
type country_detector_service, tmp_system_server_service, service_manager_type;
|
||||
type cpuinfo_service, tmp_system_server_service, service_manager_type;
|
||||
type dbinfo_service, tmp_system_server_service, service_manager_type;
|
||||
type device_policy_service, tmp_system_server_service, service_manager_type;
|
||||
type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
|
||||
type diskstats_service, tmp_system_server_service, service_manager_type;
|
||||
type display_service, tmp_system_server_service, service_manager_type;
|
||||
type DockObserver_service, tmp_system_server_service, service_manager_type;
|
||||
type dreams_service, tmp_system_server_service, service_manager_type;
|
||||
type dropbox_service, tmp_system_server_service, service_manager_type;
|
||||
type ethernet_service, tmp_system_server_service, service_manager_type;
|
||||
type fingerprint_service, tmp_system_server_service, service_manager_type;
|
||||
type gfxinfo_service, tmp_system_server_service, service_manager_type;
|
||||
type hardware_service, tmp_system_server_service, service_manager_type;
|
||||
type hdmi_control_service, tmp_system_server_service, service_manager_type;
|
||||
type input_method_service, tmp_system_server_service, service_manager_type;
|
||||
type input_service, tmp_system_server_service, service_manager_type;
|
||||
type imms_service, tmp_system_server_service, service_manager_type;
|
||||
type jobscheduler_service, tmp_system_server_service, service_manager_type;
|
||||
type launcherapps_service, tmp_system_server_service, service_manager_type;
|
||||
type location_service, tmp_system_server_service, service_manager_type;
|
||||
type lock_settings_service, tmp_system_server_service, service_manager_type;
|
||||
type media_projection_service, tmp_system_server_service, service_manager_type;
|
||||
type media_router_service, tmp_system_server_service, service_manager_type;
|
||||
type media_session_service, tmp_system_server_service, service_manager_type;
|
||||
type meminfo_service, tmp_system_server_service, service_manager_type;
|
||||
type midi_service, tmp_system_server_service, service_manager_type;
|
||||
type mount_service, tmp_system_server_service, service_manager_type;
|
||||
type netpolicy_service, tmp_system_server_service, service_manager_type;
|
||||
type netstats_service, tmp_system_server_service, service_manager_type;
|
||||
type network_management_service, tmp_system_server_service, service_manager_type;
|
||||
type network_score_service, tmp_system_server_service, service_manager_type;
|
||||
type notification_service, tmp_system_server_service, service_manager_type;
|
||||
type package_service, tmp_system_server_service, service_manager_type;
|
||||
type permission_service, tmp_system_server_service, service_manager_type;
|
||||
type persistent_data_block_service, tmp_system_server_service, service_manager_type;
|
||||
type power_service, tmp_system_server_service, service_manager_type;
|
||||
type print_service, tmp_system_server_service, service_manager_type;
|
||||
type procstats_service, tmp_system_server_service, service_manager_type;
|
||||
type restrictions_service, tmp_system_server_service, service_manager_type;
|
||||
type rttmanager_service, tmp_system_server_service, service_manager_type;
|
||||
type samplingprofiler_service, tmp_system_server_service, service_manager_type;
|
||||
type scheduling_policy_service, tmp_system_server_service, service_manager_type;
|
||||
type search_service, tmp_system_server_service, service_manager_type;
|
||||
type sensorservice_service, tmp_system_server_service, service_manager_type;
|
||||
type serial_service, tmp_system_server_service, service_manager_type;
|
||||
type servicediscovery_service, tmp_system_server_service, service_manager_type;
|
||||
type statusbar_service, tmp_system_server_service, service_manager_type;
|
||||
type task_service, tmp_system_server_service, service_manager_type;
|
||||
type registry_service, tmp_system_server_service, service_manager_type;
|
||||
type textservices_service, tmp_system_server_service, service_manager_type;
|
||||
type trust_service, tmp_system_server_service, service_manager_type;
|
||||
type tv_input_service, tmp_system_server_service, service_manager_type;
|
||||
type uimode_service, tmp_system_server_service, service_manager_type;
|
||||
type updatelock_service, tmp_system_server_service, service_manager_type;
|
||||
type usagestats_service, tmp_system_server_service, service_manager_type;
|
||||
type usb_service, tmp_system_server_service, service_manager_type;
|
||||
type user_service, tmp_system_server_service, service_manager_type;
|
||||
type vibrator_service, tmp_system_server_service, service_manager_type;
|
||||
type voiceinteraction_service, tmp_system_server_service, service_manager_type;
|
||||
type wallpaper_service, tmp_system_server_service, service_manager_type;
|
||||
type webviewupdate_service, tmp_system_server_service, service_manager_type;
|
||||
type wifip2p_service, tmp_system_server_service, service_manager_type;
|
||||
type wifiscanner_service, tmp_system_server_service, service_manager_type;
|
||||
type wifi_service, tmp_system_server_service, service_manager_type;
|
||||
type window_service, tmp_system_server_service, service_manager_type;
|
||||
|
|
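Review bot: `type system_server_service, service_manager_type;` stays declared, yet in the service_contexts section on this page no entry appears to map to it any more, so the `allow ... system_server_service:service_manager find` rules kept in the other files seem to refer to a label that nothing in this tree carries. A comment such as `# TODO: remove system_server_service and the rules that reference it once tmp_system_server_service is split` would make the leftover explicit. The new names are also inconsistent in case and form (`IMms_service`, `IProxyService_service`, `DockObserver_service` next to `imms_service`), and `registry_service` drops the `telephony.` part of the service it labels; lower-case names derived from the full service name are easier to grep when auditing who can reach what.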
170
service_contexts
170
service_contexts
|
@ -1,123 +1,123 @@
|
|||
accessibility u:object_r:system_server_service:s0
|
||||
account u:object_r:system_server_service:s0
|
||||
activity u:object_r:system_server_service:s0
|
||||
alarm u:object_r:system_server_service:s0
|
||||
accessibility u:object_r:accessibility_service:s0
|
||||
account u:object_r:account_service:s0
|
||||
activity u:object_r:activity_service:s0
|
||||
alarm u:object_r:alarm_service:s0
|
||||
android.security.keystore u:object_r:keystore_service:s0
|
||||
appops u:object_r:system_server_service:s0
|
||||
appwidget u:object_r:system_server_service:s0
|
||||
assetatlas u:object_r:system_server_service:s0
|
||||
audio u:object_r:system_server_service:s0
|
||||
backup u:object_r:system_server_service:s0
|
||||
appops u:object_r:appops_service:s0
|
||||
appwidget u:object_r:appwidget_service:s0
|
||||
assetatlas u:object_r:assetatlas_service:s0
|
||||
audio u:object_r:audio_service:s0
|
||||
backup u:object_r:backup_service:s0
|
||||
batteryproperties u:object_r:healthd_service:s0
|
||||
batterypropreg u:object_r:healthd_service:s0
|
||||
batterystats u:object_r:system_server_service:s0
|
||||
battery u:object_r:system_server_service:s0
|
||||
bluetooth_manager u:object_r:system_server_service:s0
|
||||
batterystats u:object_r:batterystats_service:s0
|
||||
battery u:object_r:battery_service:s0
|
||||
bluetooth_manager u:object_r:bluetooth_manager_service:s0
|
||||
bluetooth u:object_r:bluetooth_service:s0
|
||||
clipboard u:object_r:system_server_service:s0
|
||||
com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
|
||||
com.android.net.IProxyService u:object_r:system_server_service:s0
|
||||
commontime_management u:object_r:system_server_service:s0
|
||||
clipboard u:object_r:clipboard_service:s0
|
||||
com.android.internal.telephony.mms.IMms u:object_r:IMms_service:s0
|
||||
com.android.net.IProxyService u:object_r:IProxyService_service:s0
|
||||
commontime_management u:object_r:commontime_management_service:s0
|
||||
common_time.clock u:object_r:mediaserver_service:s0
|
||||
common_time.config u:object_r:mediaserver_service:s0
|
||||
connectivity u:object_r:system_server_service:s0
|
||||
consumer_ir u:object_r:system_server_service:s0
|
||||
content u:object_r:system_server_service:s0
|
||||
country_detector u:object_r:system_server_service:s0
|
||||
cpuinfo u:object_r:system_server_service:s0
|
||||
dbinfo u:object_r:system_server_service:s0
|
||||
device_policy u:object_r:system_server_service:s0
|
||||
devicestoragemonitor u:object_r:system_server_service:s0
|
||||
diskstats u:object_r:system_server_service:s0
|
||||
connectivity u:object_r:connectivity_service:s0
|
||||
consumer_ir u:object_r:consumer_ir_service:s0
|
||||
content u:object_r:content_service:s0
|
||||
country_detector u:object_r:country_detector_service:s0
|
||||
cpuinfo u:object_r:cpuinfo_service:s0
|
||||
dbinfo u:object_r:dbinfo_service:s0
|
||||
device_policy u:object_r:device_policy_service:s0
|
||||
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
|
||||
diskstats u:object_r:diskstats_service:s0
|
||||
display.qservice u:object_r:surfaceflinger_service:s0
|
||||
display u:object_r:system_server_service:s0
|
||||
DockObserver u:object_r:system_server_service:s0
|
||||
dreams u:object_r:system_server_service:s0
|
||||
display u:object_r:display_service:s0
|
||||
DockObserver u:object_r:DockObserver_service:s0
|
||||
dreams u:object_r:dreams_service:s0
|
||||
drm.drmManager u:object_r:drmserver_service:s0
|
||||
dropbox u:object_r:system_server_service:s0
|
||||
ethernet u:object_r:system_server_service:s0
|
||||
fingerprint u:object_r:system_server_service:s0
|
||||
gfxinfo u:object_r:system_server_service:s0
|
||||
hardware u:object_r:system_server_service:s0
|
||||
hdmi_control u:object_r:system_server_service:s0
|
||||
dropbox u:object_r:dropbox_service:s0
|
||||
ethernet u:object_r:ethernet_service:s0
|
||||
fingerprint u:object_r:fingerprint_service:s0
|
||||
gfxinfo u:object_r:gfxinfo_service:s0
|
||||
hardware u:object_r:hardware_service:s0
|
||||
hdmi_control u:object_r:hdmi_control_service:s0
|
||||
inputflinger u:object_r:inputflinger_service:s0
|
||||
input_method u:object_r:system_server_service:s0
|
||||
input u:object_r:system_server_service:s0
|
||||
input_method u:object_r:input_method_service:s0
|
||||
input u:object_r:input_service:s0
|
||||
iphonesubinfo_msim u:object_r:radio_service:s0
|
||||
iphonesubinfo2 u:object_r:radio_service:s0
|
||||
iphonesubinfo u:object_r:radio_service:s0
|
||||
ims u:object_r:radio_service:s0
|
||||
imms u:object_r:system_server_service:s0
|
||||
imms u:object_r:imms_service:s0
|
||||
isms_msim u:object_r:radio_service:s0
|
||||
isms2 u:object_r:radio_service:s0
|
||||
isms u:object_r:radio_service:s0
|
||||
isub u:object_r:radio_service:s0
|
||||
jobscheduler u:object_r:system_server_service:s0
|
||||
launcherapps u:object_r:system_server_service:s0
|
||||
location u:object_r:system_server_service:s0
|
||||
lock_settings u:object_r:system_server_service:s0
|
||||
jobscheduler u:object_r:jobscheduler_service:s0
|
||||
launcherapps u:object_r:launcherapps_service:s0
|
||||
location u:object_r:location_service:s0
|
||||
lock_settings u:object_r:lock_settings_service:s0
|
||||
media.audio_flinger u:object_r:mediaserver_service:s0
|
||||
media.audio_policy u:object_r:mediaserver_service:s0
|
||||
media.camera u:object_r:mediaserver_service:s0
|
||||
media.log u:object_r:mediaserver_service:s0
|
||||
media.player u:object_r:mediaserver_service:s0
|
||||
media.sound_trigger_hw u:object_r:mediaserver_service:s0
|
||||
media_projection u:object_r:system_server_service:s0
|
||||
media_router u:object_r:system_server_service:s0
|
||||
media_session u:object_r:system_server_service:s0
|
||||
meminfo u:object_r:system_server_service:s0
|
||||
mount u:object_r:system_server_service:s0
|
||||
netpolicy u:object_r:system_server_service:s0
|
||||
netstats u:object_r:system_server_service:s0
|
||||
network_management u:object_r:system_server_service:s0
|
||||
network_score u:object_r:system_server_service:s0
|
||||
media_projection u:object_r:media_projection_service:s0
|
||||
media_router u:object_r:media_router_service:s0
|
||||
media_session u:object_r:media_session_service:s0
|
||||
meminfo u:object_r:meminfo_service:s0
|
||||
midi u:object_r:midi_service:s0
|
||||
mount u:object_r:mount_service:s0
|
||||
netpolicy u:object_r:netpolicy_service:s0
|
||||
netstats u:object_r:netstats_service:s0
|
||||
network_management u:object_r:network_management_service:s0
|
||||
network_score u:object_r:network_score_service:s0
|
||||
nfc u:object_r:nfc_service:s0
|
||||
notification u:object_r:system_server_service:s0
|
||||
package u:object_r:system_server_service:s0
|
||||
permission u:object_r:system_server_service:s0
|
||||
persistent_data_block u:object_r:system_server_service:s0
|
||||
notification u:object_r:notification_service:s0
|
||||
package u:object_r:package_service:s0
|
||||
permission u:object_r:permission_service:s0
|
||||
persistent_data_block u:object_r:persistent_data_block_service:s0
|
||||
phone_msim u:object_r:radio_service:s0
|
||||
phone1 u:object_r:radio_service:s0
|
||||
phone2 u:object_r:radio_service:s0
|
||||
phone u:object_r:radio_service:s0
|
||||
power u:object_r:system_server_service:s0
|
||||
print u:object_r:system_server_service:s0
|
||||
procstats u:object_r:system_server_service:s0
|
||||
power u:object_r:power_service:s0
|
||||
print u:object_r:print_service:s0
|
||||
procstats u:object_r:procstats_service:s0
|
||||
radio.phonesubinfo u:object_r:radio_service:s0
|
||||
radio.phone u:object_r:radio_service:s0
|
||||
radio.sms u:object_r:radio_service:s0
|
||||
restrictions u:object_r:system_server_service:s0
|
||||
rttmanager u:object_r:system_server_service:s0
|
||||
samplingprofiler u:object_r:system_server_service:s0
|
||||
scheduling_policy u:object_r:system_server_service:s0
|
||||
search u:object_r:system_server_service:s0
|
||||
sensorservice u:object_r:system_server_service:s0
|
||||
serial u:object_r:system_server_service:s0
|
||||
servicediscovery u:object_r:system_server_service:s0
|
||||
restrictions u:object_r:restrictions_service:s0
|
||||
rttmanager u:object_r:rttmanager_service:s0
|
||||
samplingprofiler u:object_r:samplingprofiler_service:s0
|
||||
scheduling_policy u:object_r:scheduling_policy_service:s0
|
||||
search u:object_r:search_service:s0
|
||||
sensorservice u:object_r:sensorservice_service:s0
|
||||
serial u:object_r:serial_service:s0
|
||||
servicediscovery u:object_r:servicediscovery_service:s0
|
||||
simphonebook_msim u:object_r:radio_service:s0
|
||||
simphonebook2 u:object_r:radio_service:s0
|
||||
simphonebook u:object_r:radio_service:s0
|
||||
sip u:object_r:radio_service:s0
|
||||
statusbar u:object_r:system_server_service:s0
|
||||
statusbar u:object_r:statusbar_service:s0
|
||||
SurfaceFlinger u:object_r:surfaceflinger_service:s0
|
||||
task u:object_r:system_server_service:s0
|
||||
task u:object_r:task_service:s0
|
||||
telecom u:object_r:radio_service:s0
|
||||
telephony.registry u:object_r:system_server_service:s0
|
||||
textservices u:object_r:system_server_service:s0
|
||||
trust u:object_r:system_server_service:s0
|
||||
tv_input u:object_r:system_server_service:s0
|
||||
uimode u:object_r:system_server_service:s0
|
||||
updatelock u:object_r:system_server_service:s0
|
||||
usagestats u:object_r:system_server_service:s0
|
||||
usb u:object_r:system_server_service:s0
|
||||
user u:object_r:system_server_service:s0
|
||||
vibrator u:object_r:system_server_service:s0
|
||||
voiceinteraction u:object_r:system_server_service:s0
|
||||
wallpaper u:object_r:system_server_service:s0
|
||||
webviewupdate u:object_r:system_server_service:s0
|
||||
wifip2p u:object_r:system_server_service:s0
|
||||
wifiscanner u:object_r:system_server_service:s0
|
||||
wifi u:object_r:system_server_service:s0
|
||||
window u:object_r:system_server_service:s0
|
||||
|
||||
telephony.registry u:object_r:registry_service:s0
|
||||
textservices u:object_r:textservices_service:s0
|
||||
trust u:object_r:trust_service:s0
|
||||
tv_input u:object_r:tv_input_service:s0
|
||||
uimode u:object_r:uimode_service:s0
|
||||
updatelock u:object_r:updatelock_service:s0
|
||||
usagestats u:object_r:usagestats_service:s0
|
||||
usb u:object_r:usb_service:s0
|
||||
user u:object_r:user_service:s0
|
||||
vibrator u:object_r:vibrator_service:s0
|
||||
voiceinteraction u:object_r:voiceinteraction_service:s0
|
||||
wallpaper u:object_r:wallpaper_service:s0
|
||||
webviewupdate u:object_r:webviewupdate_service:s0
|
||||
wifip2p u:object_r:wifip2p_service:s0
|
||||
wifiscanner u:object_r:wifiscanner_service:s0
|
||||
wifi u:object_r:wifi_service:s0
|
||||
window u:object_r:window_service:s0
|
||||
* u:object_r:default_android_service:s0
|
||||
|
|
|
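Review bot: `midi u:object_r:midi_service:s0` has no matching `midi ... system_server_service` line among the entries this section replaces, so it looks like a newly labelled service and not a relabel (hedged, because the +/- markers are not visible on this page). If so, `midi` previously fell through to `* u:object_r:default_android_service:s0`, and this commit changes which domains may add and find it; that deserves a line in the commit message or a separate change. `telephony.registry` mapping to `registry_service` is the one entry where the type name cannot be derived from the service name, which is worth a `#` comment next to it.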
@ -11,3 +11,4 @@ allow shared_relro shared_relro_file:file create_file_perms;
|
|||
|
||||
# Needs to contact the "webviewupdate" and "activity" services
|
||||
allow shared_relro system_server_service:service_manager find;
|
||||
allow shared_relro tmp_system_server_service:service_manager find;
|
||||
|
|
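Review bot: The comment in this hunk says shared_relro only needs the "webviewupdate" and "activity" services, and both now have their own types, so the added attribute-wide `allow shared_relro tmp_system_server_service:service_manager find;` is broader than the stated need. `allow shared_relro { activity_service webviewupdate_service }:service_manager find;` would match the comment and would let this domain come off `tmp_system_server_service` immediately, without waiting for audit logs.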
1
shell.te
1
shell.te
|
@ -48,6 +48,7 @@ allow shell debug_prop:property_service set;
|
|||
allow shell powerctl_prop:property_service set;
|
||||
|
||||
allow shell system_server_service:service_manager find;
|
||||
allow shell tmp_system_server_service:service_manager find;
|
||||
|
||||
# systrace support - allow atrace to run
|
||||
# debugfs doesn't support labeling individual files, so we have
|
||||
|
|
|
@ -62,6 +62,7 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
|
|||
allow surfaceflinger mediaserver_service:service_manager find;
|
||||
allow surfaceflinger surfaceflinger_service:service_manager { add find };
|
||||
allow surfaceflinger system_server_service:service_manager find;
|
||||
allow surfaceflinger tmp_system_server_service:service_manager find;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
|
|
@ -55,6 +55,7 @@ allow system_app radio_service:service_manager find;
|
|||
allow system_app surfaceflinger_service:service_manager find;
|
||||
allow system_app system_app_service:service_manager add;
|
||||
allow system_app system_server_service:service_manager find;
|
||||
allow system_app tmp_system_server_service:service_manager find;
|
||||
|
||||
allow system_app keystore:keystore_key {
|
||||
test
|
||||
|
|
|
@ -370,6 +370,7 @@ allow system_server mediaserver_service:service_manager find;
|
|||
allow system_server radio_service:service_manager find;
|
||||
allow system_server system_server_service:service_manager { add find };
|
||||
allow system_server surfaceflinger_service:service_manager find;
|
||||
allow system_server tmp_system_server_service:service_manager { add find };
|
||||
|
||||
# TODO: Remove. Make up for previously lacking auditing.
|
||||
allow system_server service_manager_type:service_manager find;
|
||||
|
@ -383,6 +384,17 @@ auditallow system_server {
|
|||
-surfaceflinger_service
|
||||
}:service_manager find;
|
||||
|
||||
# address tmp_system_server_service accesses
|
||||
allow system_server dreams_service:service_manager find;
|
||||
allow system_server mount_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(system_server)
|
||||
auditallow system_server {
|
||||
tmp_system_server_service
|
||||
-dreams_service
|
||||
-mount_service
|
||||
}:service_manager find;
|
||||
|
||||
allow system_server keystore:keystore_key {
|
||||
test
|
||||
get
|
||||
|
|
|
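Review bot: The `-dreams_service -mount_service` exclusions in the new `auditallow system_server { tmp_system_server_service ... }` may not silence anything, because every new type is also a `service_manager_type` and the earlier `auditallow system_server { ... -surfaceflinger_service }` sits right after `allow system_server service_manager_type:service_manager find;`. If that earlier rule audits `service_manager_type` minus a fixed list, finds on dreams and mount would still be logged through it. Either the two types belong in the earlier exclusion list as well, or a comment should say which of the two rules is expected to produce the log lines. Only the tail of the earlier auditallow is visible in this hunk, so this needs checking against the full file.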
@ -109,7 +109,6 @@ typeattribute $1 appdomain;
|
|||
tmpfs_domain($1)
|
||||
# Map with PROT_EXEC.
|
||||
allow $1 $1_tmpfs:file execute;
|
||||
service_manager_local_audit_domain($1)
|
||||
')
|
||||
|
||||
#####################################
|
||||
|
|
|
@ -70,6 +70,65 @@ allow untrusted_app nfc_service:service_manager find;
|
|||
allow untrusted_app radio_service:service_manager find;
|
||||
allow untrusted_app surfaceflinger_service:service_manager find;
|
||||
allow untrusted_app system_server_service:service_manager find;
|
||||
allow untrusted_app tmp_system_server_service:service_manager find;
|
||||
|
||||
# address tmp_system_server_service accesses
|
||||
service_manager_local_audit_domain(untrusted_app)
|
||||
allow untrusted_app accessibility_service:service_manager find;
|
||||
allow untrusted_app account_service:service_manager find;
|
||||
allow untrusted_app activity_service:service_manager find;
|
||||
allow untrusted_app appops_service:service_manager find;
|
||||
allow untrusted_app appwidget_service:service_manager find;
|
||||
allow untrusted_app assetatlas_service:service_manager find;
|
||||
allow untrusted_app audio_service:service_manager find;
|
||||
allow untrusted_app bluetooth_manager_service:service_manager find;
|
||||
allow untrusted_app connectivity_service:service_manager find;
|
||||
allow untrusted_app content_service:service_manager find;
|
||||
allow untrusted_app device_policy_service:service_manager find;
|
||||
allow untrusted_app display_service:service_manager find;
|
||||
allow untrusted_app dropbox_service:service_manager find;
|
||||
allow untrusted_app input_method_service:service_manager find;
|
||||
allow untrusted_app input_service:service_manager find;
|
||||
allow untrusted_app jobscheduler_service:service_manager find;
|
||||
allow untrusted_app notification_service:service_manager find;
|
||||
allow untrusted_app persistent_data_block_service:service_manager find;
|
||||
allow untrusted_app power_service:service_manager find;
|
||||
allow untrusted_app registry_service:service_manager find;
|
||||
allow untrusted_app textservices_service:service_manager find;
|
||||
allow untrusted_app trust_service:service_manager find;
|
||||
allow untrusted_app user_service:service_manager find;
|
||||
allow untrusted_app webviewupdate_service:service_manager find;
|
||||
allow untrusted_app wifi_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(untrusted_app)
|
||||
auditallow untrusted_app {
|
||||
tmp_system_server_service
|
||||
-accessibility_service
|
||||
-account_service
|
||||
-activity_service
|
||||
-appops_service
|
||||
-appwidget_service
|
||||
-assetatlas_service
|
||||
-audio_service
|
||||
-bluetooth_manager_service
|
||||
-connectivity_service
|
||||
-content_service
|
||||
-device_policy_service
|
||||
-display_service
|
||||
-dropbox_service
|
||||
-input_method_service
|
||||
-input_service
|
||||
-jobscheduler_service
|
||||
-notification_service
|
||||
-persistent_data_block_service
|
||||
-power_service
|
||||
-registry_service
|
||||
-textservices_service
|
||||
-trust_service
|
||||
-user_service
|
||||
-webviewupdate_service
|
||||
-wifi_service
|
||||
}:service_manager find;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
|
|
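Review bot: `service_manager_local_audit_domain(untrusted_app)` is invoked twice in the added block, once right under `# address tmp_system_server_service accesses` and again just before the `auditallow`; one call is enough, and keeping the one next to the `auditallow` matches the other domains in this commit. The 25-entry allow list and the 25-entry `auditallow` exclusion list have to be kept identical by hand, so a comment such as `# keep in sync with the auditallow exclusions below` would help the next editor. `persistent_data_block_service` and `device_policy_service` stand out in a list for untrusted apps and would benefit from a one-line justification each, even though `find` only hands out the binder reference and the services are expected to do their own permission checks.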