Further refined service_manager auditallow statements.

Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain. Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 09:24:13 -07:00 · 2014-07-18 09:24:13 -07:00 · 603bc20509
commit 603bc20509
parent 26d6371c5a
8 changed files with 32 additions and 2 deletions
--- a/bluetooth.te
+++ b/bluetooth.te
@ -54,6 +54,7 @@ service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
    service_manager_type
    -bluetooth_service
+    -radio_service
    -system_server_service
 }:service_manager find;

--- a/drmserver.te
+++ b/drmserver.te
@ -49,4 +49,8 @@ allow drmserver drmserver_service:service_manager add;

 # Audited locally.
 service_manager_local_audit_domain(drmserver)
-auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
+auditallow drmserver {
+    service_manager_type
+    -drmserver_service
+    -system_server_service
+}:service_manager find;
--- a/dumpstate.te
+++ b/dumpstate.te
@ -96,3 +96,18 @@ control_logd(dumpstate)
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
+
+service_manager_local_audit_domain(dumpstate)
+auditallow dumpstate {
+    service_manager_type
+    -drmserver_service
+    -healthd_service
+    -inputflinger_service
+    -keystore_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -system_app_service
+    -system_server_service
+}:service_manager find;
--- a/isolated_app.te
+++ b/isolated_app.te
@ -21,4 +21,9 @@ allow isolated_app app_data_file:file execute;

 # Audited locally.
 service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app service_manager_type:service_manager find;
+auditallow isolated_app {
+    service_manager_type
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
--- a/nfc.te
+++ b/nfc.te
@ -21,5 +21,6 @@ service_manager_local_audit_domain(nfc)
 auditallow nfc {
    service_manager_type
    -mediaserver_service
+    -surfaceflinger_service
    -system_server_service
 }:service_manager find;
--- a/radio.te
+++ b/radio.te
@ -35,5 +35,6 @@ auditallow radio {
    service_manager_type
    -mediaserver_service
    -radio_service
+    -surfaceflinger_service
    -system_server_service
 }:service_manager find;
--- a/system_app.te
+++ b/system_app.te
@ -69,7 +69,9 @@ control_logd(system_app)
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
    service_manager_type
+    -keystore_service
    -nfc_service
+    -radio_service
    -surfaceflinger_service
    -system_server_service
 }:service_manager find;
--- a/untrusted_app.te
+++ b/untrusted_app.te
@ -69,6 +69,7 @@ service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
    service_manager_type
    -drmserver_service
+    -keystore_service
    -mediaserver_service
    -nfc_service
    -radio_service