diff --git a/attributes b/attributes index d40217aed..3f632ded6 100644 --- a/attributes +++ b/attributes @@ -42,6 +42,9 @@ attribute port_type; # All types used for property service attribute property_type; +# All service_manager types formerly given system_server_service type +attribute tmp_system_server_service; + # All types used for services managed by service_manager. attribute service_manager_type; diff --git a/bluetooth.te b/bluetooth.te index 60ce11858..7c273be91 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -52,6 +52,7 @@ allow bluetooth ctl_dhcp_pan_prop:property_service set; allow bluetooth bluetooth_service:service_manager find; allow bluetooth radio_service:service_manager find; allow bluetooth system_server_service:service_manager find; +allow bluetooth tmp_system_server_service:service_manager find; # already open bugreport file descriptors may be shared with # the bluetooth process, from a file in diff --git a/domain.te b/domain.te index 52920a72d..a184e063b 100644 --- a/domain.te +++ b/domain.te @@ -165,6 +165,9 @@ allow domain security_file:lnk_file r_file_perms; allow domain asec_public_file:file r_file_perms; allow domain { asec_public_file asec_apk_file }:dir r_dir_perms; +# log all access to specified system_server services +auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager {list find }; + ### ### neverallow rules ### diff --git a/drmserver.te b/drmserver.te index 37edbfe9a..482c2185f 100644 --- a/drmserver.te +++ b/drmserver.te @@ -51,5 +51,6 @@ allow drmserver oemfs:file r_file_perms; allow drmserver drmserver_service:service_manager { add find }; allow drmserver system_server_service:service_manager find; +allow drmserver tmp_system_server_service:service_manager find; selinux_check_access(drmserver) diff --git a/dumpstate.te b/dumpstate.te index b1e746af0..5f65eb053 100644 --- a/dumpstate.te +++ b/dumpstate.te @@ -117,6 +117,7 @@ allow dumpstate { surfaceflinger_service system_app_service system_server_service + tmp_system_server_service }:service_manager find; allow dumpstate servicemanager:service_manager list; diff --git a/isolated_app.te b/isolated_app.te index 8c4549293..627d0a0e1 100644 --- a/isolated_app.te +++ b/isolated_app.te @@ -24,3 +24,19 @@ neverallow isolated_app gpu_device:file { rw_file_perms execute }; allow isolated_app radio_service:service_manager find; allow isolated_app surfaceflinger_service:service_manager find; allow isolated_app system_server_service:service_manager find; +allow isolated_app tmp_system_server_service:service_manager find; + +# address tmp_system_server_service accesses +allow isolated_app activity_service:service_manager find; +allow isolated_app connectivity_service:service_manager find; +allow isolated_app display_service:service_manager find; +allow isolated_app dropbox_service:service_manager find; + +service_manager_local_audit_domain(isolated_app) +auditallow isolated_app { + tmp_system_server_service + -activity_service + -connectivity_service + -display_service + -dropbox_service +}:service_manager find; diff --git a/mediaserver.te b/mediaserver.te index 54112af2a..ec69aed09 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -82,6 +82,22 @@ allow mediaserver drmserver_service:service_manager find; allow mediaserver mediaserver_service:service_manager { add find }; allow mediaserver system_server_service:service_manager find; allow mediaserver surfaceflinger_service:service_manager find; +allow mediaserver tmp_system_server_service:service_manager find; + +# address tmp_system_server_service accesses +allow mediaserver batterystats_service:service_manager find; +allow mediaserver permission_service:service_manager find; +allow mediaserver power_service:service_manager find; +allow mediaserver scheduling_policy_service:service_manager find; + +service_manager_local_audit_domain(mediaserver) +auditallow mediaserver { + tmp_system_server_service + -batterystats_service + -permission_service + -power_service + -scheduling_policy_service +}:service_manager find; # /oem access allow mediaserver oemfs:dir search; diff --git a/nfc.te b/nfc.te index 0d1f613b0..709e5b949 100644 --- a/nfc.te +++ b/nfc.te @@ -23,3 +23,4 @@ allow nfc mediaserver_service:service_manager find; allow nfc nfc_service:service_manager add; allow nfc surfaceflinger_service:service_manager find; allow nfc system_server_service:service_manager find; +allow nfc tmp_system_server_service:service_manager find; diff --git a/platform_app.te b/platform_app.te index 9b9b0db48..3f01769eb 100644 --- a/platform_app.te +++ b/platform_app.te @@ -33,3 +33,15 @@ allow platform_app mediaserver_service:service_manager find; allow platform_app radio_service:service_manager find; allow platform_app surfaceflinger_service:service_manager find; allow platform_app system_server_service:service_manager find; +allow platform_app tmp_system_server_service:service_manager find; + +# address tmp_system_server_service accesses +allow platform_app input_service:service_manager find; +allow platform_app lock_settings_service:service_manager find; + +service_manager_local_audit_domain(platform_app) +auditallow platform_app { + tmp_system_server_service + -input_service + -lock_settings_service +}:service_manager find; \ No newline at end of file diff --git a/radio.te b/radio.te index 9282055f2..d369949db 100644 --- a/radio.te +++ b/radio.te @@ -34,3 +34,4 @@ allow radio mediaserver_service:service_manager find; allow radio radio_service:service_manager { add find }; allow radio surfaceflinger_service:service_manager find; allow radio system_server_service:service_manager find; +allow radio tmp_system_server_service:service_manager find; diff --git a/service.te b/service.te index ca461f170..1a13927d0 100644 --- a/service.te +++ b/service.te @@ -9,4 +9,92 @@ type nfc_service, service_manager_type; type radio_service, service_manager_type; type surfaceflinger_service, service_manager_type; type system_app_service, service_manager_type; + type system_server_service, service_manager_type; + +# system_server_services broken down +type accessibility_service, tmp_system_server_service, service_manager_type; +type account_service, tmp_system_server_service, service_manager_type; +type activity_service, tmp_system_server_service, service_manager_type; +type alarm_service, tmp_system_server_service, service_manager_type; +type appops_service, tmp_system_server_service, service_manager_type; +type appwidget_service, tmp_system_server_service, service_manager_type; +type assetatlas_service, tmp_system_server_service, service_manager_type; +type audio_service, tmp_system_server_service, service_manager_type; +type backup_service, tmp_system_server_service, service_manager_type; +type batterystats_service, tmp_system_server_service, service_manager_type; +type battery_service, tmp_system_server_service, service_manager_type; +type bluetooth_manager_service, tmp_system_server_service, service_manager_type; +type clipboard_service, tmp_system_server_service, service_manager_type; +type IMms_service, tmp_system_server_service, service_manager_type; +type IProxyService_service, tmp_system_server_service, service_manager_type; +type commontime_management_service, tmp_system_server_service, service_manager_type; +type connectivity_service, tmp_system_server_service, service_manager_type; +type consumer_ir_service, tmp_system_server_service, service_manager_type; +type content_service, tmp_system_server_service, service_manager_type; +type country_detector_service, tmp_system_server_service, service_manager_type; +type cpuinfo_service, tmp_system_server_service, service_manager_type; +type dbinfo_service, tmp_system_server_service, service_manager_type; +type device_policy_service, tmp_system_server_service, service_manager_type; +type devicestoragemonitor_service, tmp_system_server_service, service_manager_type; +type diskstats_service, tmp_system_server_service, service_manager_type; +type display_service, tmp_system_server_service, service_manager_type; +type DockObserver_service, tmp_system_server_service, service_manager_type; +type dreams_service, tmp_system_server_service, service_manager_type; +type dropbox_service, tmp_system_server_service, service_manager_type; +type ethernet_service, tmp_system_server_service, service_manager_type; +type fingerprint_service, tmp_system_server_service, service_manager_type; +type gfxinfo_service, tmp_system_server_service, service_manager_type; +type hardware_service, tmp_system_server_service, service_manager_type; +type hdmi_control_service, tmp_system_server_service, service_manager_type; +type input_method_service, tmp_system_server_service, service_manager_type; +type input_service, tmp_system_server_service, service_manager_type; +type imms_service, tmp_system_server_service, service_manager_type; +type jobscheduler_service, tmp_system_server_service, service_manager_type; +type launcherapps_service, tmp_system_server_service, service_manager_type; +type location_service, tmp_system_server_service, service_manager_type; +type lock_settings_service, tmp_system_server_service, service_manager_type; +type media_projection_service, tmp_system_server_service, service_manager_type; +type media_router_service, tmp_system_server_service, service_manager_type; +type media_session_service, tmp_system_server_service, service_manager_type; +type meminfo_service, tmp_system_server_service, service_manager_type; +type midi_service, tmp_system_server_service, service_manager_type; +type mount_service, tmp_system_server_service, service_manager_type; +type netpolicy_service, tmp_system_server_service, service_manager_type; +type netstats_service, tmp_system_server_service, service_manager_type; +type network_management_service, tmp_system_server_service, service_manager_type; +type network_score_service, tmp_system_server_service, service_manager_type; +type notification_service, tmp_system_server_service, service_manager_type; +type package_service, tmp_system_server_service, service_manager_type; +type permission_service, tmp_system_server_service, service_manager_type; +type persistent_data_block_service, tmp_system_server_service, service_manager_type; +type power_service, tmp_system_server_service, service_manager_type; +type print_service, tmp_system_server_service, service_manager_type; +type procstats_service, tmp_system_server_service, service_manager_type; +type restrictions_service, tmp_system_server_service, service_manager_type; +type rttmanager_service, tmp_system_server_service, service_manager_type; +type samplingprofiler_service, tmp_system_server_service, service_manager_type; +type scheduling_policy_service, tmp_system_server_service, service_manager_type; +type search_service, tmp_system_server_service, service_manager_type; +type sensorservice_service, tmp_system_server_service, service_manager_type; +type serial_service, tmp_system_server_service, service_manager_type; +type servicediscovery_service, tmp_system_server_service, service_manager_type; +type statusbar_service, tmp_system_server_service, service_manager_type; +type task_service, tmp_system_server_service, service_manager_type; +type registry_service, tmp_system_server_service, service_manager_type; +type textservices_service, tmp_system_server_service, service_manager_type; +type trust_service, tmp_system_server_service, service_manager_type; +type tv_input_service, tmp_system_server_service, service_manager_type; +type uimode_service, tmp_system_server_service, service_manager_type; +type updatelock_service, tmp_system_server_service, service_manager_type; +type usagestats_service, tmp_system_server_service, service_manager_type; +type usb_service, tmp_system_server_service, service_manager_type; +type user_service, tmp_system_server_service, service_manager_type; +type vibrator_service, tmp_system_server_service, service_manager_type; +type voiceinteraction_service, tmp_system_server_service, service_manager_type; +type wallpaper_service, tmp_system_server_service, service_manager_type; +type webviewupdate_service, tmp_system_server_service, service_manager_type; +type wifip2p_service, tmp_system_server_service, service_manager_type; +type wifiscanner_service, tmp_system_server_service, service_manager_type; +type wifi_service, tmp_system_server_service, service_manager_type; +type window_service, tmp_system_server_service, service_manager_type; diff --git a/service_contexts b/service_contexts index 08bf3fea2..5dfa199a4 100644 --- a/service_contexts +++ b/service_contexts @@ -1,123 +1,123 @@ -accessibility u:object_r:system_server_service:s0 -account u:object_r:system_server_service:s0 -activity u:object_r:system_server_service:s0 -alarm u:object_r:system_server_service:s0 +accessibility u:object_r:accessibility_service:s0 +account u:object_r:account_service:s0 +activity u:object_r:activity_service:s0 +alarm u:object_r:alarm_service:s0 android.security.keystore u:object_r:keystore_service:s0 -appops u:object_r:system_server_service:s0 -appwidget u:object_r:system_server_service:s0 -assetatlas u:object_r:system_server_service:s0 -audio u:object_r:system_server_service:s0 -backup u:object_r:system_server_service:s0 +appops u:object_r:appops_service:s0 +appwidget u:object_r:appwidget_service:s0 +assetatlas u:object_r:assetatlas_service:s0 +audio u:object_r:audio_service:s0 +backup u:object_r:backup_service:s0 batteryproperties u:object_r:healthd_service:s0 batterypropreg u:object_r:healthd_service:s0 -batterystats u:object_r:system_server_service:s0 -battery u:object_r:system_server_service:s0 -bluetooth_manager u:object_r:system_server_service:s0 +batterystats u:object_r:batterystats_service:s0 +battery u:object_r:battery_service:s0 +bluetooth_manager u:object_r:bluetooth_manager_service:s0 bluetooth u:object_r:bluetooth_service:s0 -clipboard u:object_r:system_server_service:s0 -com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0 -com.android.net.IProxyService u:object_r:system_server_service:s0 -commontime_management u:object_r:system_server_service:s0 +clipboard u:object_r:clipboard_service:s0 +com.android.internal.telephony.mms.IMms u:object_r:IMms_service:s0 +com.android.net.IProxyService u:object_r:IProxyService_service:s0 +commontime_management u:object_r:commontime_management_service:s0 common_time.clock u:object_r:mediaserver_service:s0 common_time.config u:object_r:mediaserver_service:s0 -connectivity u:object_r:system_server_service:s0 -consumer_ir u:object_r:system_server_service:s0 -content u:object_r:system_server_service:s0 -country_detector u:object_r:system_server_service:s0 -cpuinfo u:object_r:system_server_service:s0 -dbinfo u:object_r:system_server_service:s0 -device_policy u:object_r:system_server_service:s0 -devicestoragemonitor u:object_r:system_server_service:s0 -diskstats u:object_r:system_server_service:s0 +connectivity u:object_r:connectivity_service:s0 +consumer_ir u:object_r:consumer_ir_service:s0 +content u:object_r:content_service:s0 +country_detector u:object_r:country_detector_service:s0 +cpuinfo u:object_r:cpuinfo_service:s0 +dbinfo u:object_r:dbinfo_service:s0 +device_policy u:object_r:device_policy_service:s0 +devicestoragemonitor u:object_r:devicestoragemonitor_service:s0 +diskstats u:object_r:diskstats_service:s0 display.qservice u:object_r:surfaceflinger_service:s0 -display u:object_r:system_server_service:s0 -DockObserver u:object_r:system_server_service:s0 -dreams u:object_r:system_server_service:s0 +display u:object_r:display_service:s0 +DockObserver u:object_r:DockObserver_service:s0 +dreams u:object_r:dreams_service:s0 drm.drmManager u:object_r:drmserver_service:s0 -dropbox u:object_r:system_server_service:s0 -ethernet u:object_r:system_server_service:s0 -fingerprint u:object_r:system_server_service:s0 -gfxinfo u:object_r:system_server_service:s0 -hardware u:object_r:system_server_service:s0 -hdmi_control u:object_r:system_server_service:s0 +dropbox u:object_r:dropbox_service:s0 +ethernet u:object_r:ethernet_service:s0 +fingerprint u:object_r:fingerprint_service:s0 +gfxinfo u:object_r:gfxinfo_service:s0 +hardware u:object_r:hardware_service:s0 +hdmi_control u:object_r:hdmi_control_service:s0 inputflinger u:object_r:inputflinger_service:s0 -input_method u:object_r:system_server_service:s0 -input u:object_r:system_server_service:s0 +input_method u:object_r:input_method_service:s0 +input u:object_r:input_service:s0 iphonesubinfo_msim u:object_r:radio_service:s0 iphonesubinfo2 u:object_r:radio_service:s0 iphonesubinfo u:object_r:radio_service:s0 ims u:object_r:radio_service:s0 -imms u:object_r:system_server_service:s0 +imms u:object_r:imms_service:s0 isms_msim u:object_r:radio_service:s0 isms2 u:object_r:radio_service:s0 isms u:object_r:radio_service:s0 isub u:object_r:radio_service:s0 -jobscheduler u:object_r:system_server_service:s0 -launcherapps u:object_r:system_server_service:s0 -location u:object_r:system_server_service:s0 -lock_settings u:object_r:system_server_service:s0 +jobscheduler u:object_r:jobscheduler_service:s0 +launcherapps u:object_r:launcherapps_service:s0 +location u:object_r:location_service:s0 +lock_settings u:object_r:lock_settings_service:s0 media.audio_flinger u:object_r:mediaserver_service:s0 media.audio_policy u:object_r:mediaserver_service:s0 media.camera u:object_r:mediaserver_service:s0 media.log u:object_r:mediaserver_service:s0 media.player u:object_r:mediaserver_service:s0 media.sound_trigger_hw u:object_r:mediaserver_service:s0 -media_projection u:object_r:system_server_service:s0 -media_router u:object_r:system_server_service:s0 -media_session u:object_r:system_server_service:s0 -meminfo u:object_r:system_server_service:s0 -mount u:object_r:system_server_service:s0 -netpolicy u:object_r:system_server_service:s0 -netstats u:object_r:system_server_service:s0 -network_management u:object_r:system_server_service:s0 -network_score u:object_r:system_server_service:s0 +media_projection u:object_r:media_projection_service:s0 +media_router u:object_r:media_router_service:s0 +media_session u:object_r:media_session_service:s0 +meminfo u:object_r:meminfo_service:s0 +midi u:object_r:midi_service:s0 +mount u:object_r:mount_service:s0 +netpolicy u:object_r:netpolicy_service:s0 +netstats u:object_r:netstats_service:s0 +network_management u:object_r:network_management_service:s0 +network_score u:object_r:network_score_service:s0 nfc u:object_r:nfc_service:s0 -notification u:object_r:system_server_service:s0 -package u:object_r:system_server_service:s0 -permission u:object_r:system_server_service:s0 -persistent_data_block u:object_r:system_server_service:s0 +notification u:object_r:notification_service:s0 +package u:object_r:package_service:s0 +permission u:object_r:permission_service:s0 +persistent_data_block u:object_r:persistent_data_block_service:s0 phone_msim u:object_r:radio_service:s0 phone1 u:object_r:radio_service:s0 phone2 u:object_r:radio_service:s0 phone u:object_r:radio_service:s0 -power u:object_r:system_server_service:s0 -print u:object_r:system_server_service:s0 -procstats u:object_r:system_server_service:s0 +power u:object_r:power_service:s0 +print u:object_r:print_service:s0 +procstats u:object_r:procstats_service:s0 radio.phonesubinfo u:object_r:radio_service:s0 radio.phone u:object_r:radio_service:s0 radio.sms u:object_r:radio_service:s0 -restrictions u:object_r:system_server_service:s0 -rttmanager u:object_r:system_server_service:s0 -samplingprofiler u:object_r:system_server_service:s0 -scheduling_policy u:object_r:system_server_service:s0 -search u:object_r:system_server_service:s0 -sensorservice u:object_r:system_server_service:s0 -serial u:object_r:system_server_service:s0 -servicediscovery u:object_r:system_server_service:s0 +restrictions u:object_r:restrictions_service:s0 +rttmanager u:object_r:rttmanager_service:s0 +samplingprofiler u:object_r:samplingprofiler_service:s0 +scheduling_policy u:object_r:scheduling_policy_service:s0 +search u:object_r:search_service:s0 +sensorservice u:object_r:sensorservice_service:s0 +serial u:object_r:serial_service:s0 +servicediscovery u:object_r:servicediscovery_service:s0 simphonebook_msim u:object_r:radio_service:s0 simphonebook2 u:object_r:radio_service:s0 simphonebook u:object_r:radio_service:s0 sip u:object_r:radio_service:s0 -statusbar u:object_r:system_server_service:s0 +statusbar u:object_r:statusbar_service:s0 SurfaceFlinger u:object_r:surfaceflinger_service:s0 -task u:object_r:system_server_service:s0 +task u:object_r:task_service:s0 telecom u:object_r:radio_service:s0 -telephony.registry u:object_r:system_server_service:s0 -textservices u:object_r:system_server_service:s0 -trust u:object_r:system_server_service:s0 -tv_input u:object_r:system_server_service:s0 -uimode u:object_r:system_server_service:s0 -updatelock u:object_r:system_server_service:s0 -usagestats u:object_r:system_server_service:s0 -usb u:object_r:system_server_service:s0 -user u:object_r:system_server_service:s0 -vibrator u:object_r:system_server_service:s0 -voiceinteraction u:object_r:system_server_service:s0 -wallpaper u:object_r:system_server_service:s0 -webviewupdate u:object_r:system_server_service:s0 -wifip2p u:object_r:system_server_service:s0 -wifiscanner u:object_r:system_server_service:s0 -wifi u:object_r:system_server_service:s0 -window u:object_r:system_server_service:s0 - +telephony.registry u:object_r:registry_service:s0 +textservices u:object_r:textservices_service:s0 +trust u:object_r:trust_service:s0 +tv_input u:object_r:tv_input_service:s0 +uimode u:object_r:uimode_service:s0 +updatelock u:object_r:updatelock_service:s0 +usagestats u:object_r:usagestats_service:s0 +usb u:object_r:usb_service:s0 +user u:object_r:user_service:s0 +vibrator u:object_r:vibrator_service:s0 +voiceinteraction u:object_r:voiceinteraction_service:s0 +wallpaper u:object_r:wallpaper_service:s0 +webviewupdate u:object_r:webviewupdate_service:s0 +wifip2p u:object_r:wifip2p_service:s0 +wifiscanner u:object_r:wifiscanner_service:s0 +wifi u:object_r:wifi_service:s0 +window u:object_r:window_service:s0 * u:object_r:default_android_service:s0 diff --git a/shared_relro.te b/shared_relro.te index 8ad53d344..c4443824c 100644 --- a/shared_relro.te +++ b/shared_relro.te @@ -11,3 +11,4 @@ allow shared_relro shared_relro_file:file create_file_perms; # Needs to contact the "webviewupdate" and "activity" services allow shared_relro system_server_service:service_manager find; +allow shared_relro tmp_system_server_service:service_manager find; diff --git a/shell.te b/shell.te index a69d47561..af4ce0c29 100644 --- a/shell.te +++ b/shell.te @@ -48,6 +48,7 @@ allow shell debug_prop:property_service set; allow shell powerctl_prop:property_service set; allow shell system_server_service:service_manager find; +allow shell tmp_system_server_service:service_manager find; # systrace support - allow atrace to run # debugfs doesn't support labeling individual files, so we have diff --git a/surfaceflinger.te b/surfaceflinger.te index 02cb43310..f0eeec3c8 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -62,6 +62,7 @@ allow surfaceflinger tee_device:chr_file rw_file_perms; allow surfaceflinger mediaserver_service:service_manager find; allow surfaceflinger surfaceflinger_service:service_manager { add find }; allow surfaceflinger system_server_service:service_manager find; +allow surfaceflinger tmp_system_server_service:service_manager find; ### ### Neverallow rules diff --git a/system_app.te b/system_app.te index 8f70185bb..a445e574d 100644 --- a/system_app.te +++ b/system_app.te @@ -55,6 +55,7 @@ allow system_app radio_service:service_manager find; allow system_app surfaceflinger_service:service_manager find; allow system_app system_app_service:service_manager add; allow system_app system_server_service:service_manager find; +allow system_app tmp_system_server_service:service_manager find; allow system_app keystore:keystore_key { test diff --git a/system_server.te b/system_server.te index 9dc1e90c8..6199eb731 100644 --- a/system_server.te +++ b/system_server.te @@ -370,6 +370,7 @@ allow system_server mediaserver_service:service_manager find; allow system_server radio_service:service_manager find; allow system_server system_server_service:service_manager { add find }; allow system_server surfaceflinger_service:service_manager find; +allow system_server tmp_system_server_service:service_manager { add find }; # TODO: Remove. Make up for previously lacking auditing. allow system_server service_manager_type:service_manager find; @@ -383,6 +384,17 @@ auditallow system_server { -surfaceflinger_service }:service_manager find; +# address tmp_system_server_service accesses +allow system_server dreams_service:service_manager find; +allow system_server mount_service:service_manager find; + +service_manager_local_audit_domain(system_server) +auditallow system_server { + tmp_system_server_service + -dreams_service + -mount_service +}:service_manager find; + allow system_server keystore:keystore_key { test get diff --git a/te_macros b/te_macros index b665f3ff0..1efe15f41 100644 --- a/te_macros +++ b/te_macros @@ -109,7 +109,6 @@ typeattribute $1 appdomain; tmpfs_domain($1) # Map with PROT_EXEC. allow $1 $1_tmpfs:file execute; -service_manager_local_audit_domain($1) ') ##################################### diff --git a/untrusted_app.te b/untrusted_app.te index e55807601..40dc8cb78 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -70,6 +70,65 @@ allow untrusted_app nfc_service:service_manager find; allow untrusted_app radio_service:service_manager find; allow untrusted_app surfaceflinger_service:service_manager find; allow untrusted_app system_server_service:service_manager find; +allow untrusted_app tmp_system_server_service:service_manager find; + +# address tmp_system_server_service accesses +service_manager_local_audit_domain(untrusted_app) +allow untrusted_app accessibility_service:service_manager find; +allow untrusted_app account_service:service_manager find; +allow untrusted_app activity_service:service_manager find; +allow untrusted_app appops_service:service_manager find; +allow untrusted_app appwidget_service:service_manager find; +allow untrusted_app assetatlas_service:service_manager find; +allow untrusted_app audio_service:service_manager find; +allow untrusted_app bluetooth_manager_service:service_manager find; +allow untrusted_app connectivity_service:service_manager find; +allow untrusted_app content_service:service_manager find; +allow untrusted_app device_policy_service:service_manager find; +allow untrusted_app display_service:service_manager find; +allow untrusted_app dropbox_service:service_manager find; +allow untrusted_app input_method_service:service_manager find; +allow untrusted_app input_service:service_manager find; +allow untrusted_app jobscheduler_service:service_manager find; +allow untrusted_app notification_service:service_manager find; +allow untrusted_app persistent_data_block_service:service_manager find; +allow untrusted_app power_service:service_manager find; +allow untrusted_app registry_service:service_manager find; +allow untrusted_app textservices_service:service_manager find; +allow untrusted_app trust_service:service_manager find; +allow untrusted_app user_service:service_manager find; +allow untrusted_app webviewupdate_service:service_manager find; +allow untrusted_app wifi_service:service_manager find; + +service_manager_local_audit_domain(untrusted_app) +auditallow untrusted_app { + tmp_system_server_service + -accessibility_service + -account_service + -activity_service + -appops_service + -appwidget_service + -assetatlas_service + -audio_service + -bluetooth_manager_service + -connectivity_service + -content_service + -device_policy_service + -display_service + -dropbox_service + -input_method_service + -input_service + -jobscheduler_service + -notification_service + -persistent_data_block_service + -power_service + -registry_service + -textservices_service + -trust_service + -user_service + -webviewupdate_service + -wifi_service +}:service_manager find; ### ### neverallow rules