From 603bc2050959dd353154bf33fa0c2b0612da9c6e Mon Sep 17 00:00:00 2001 From: Riley Spahn Date: Fri, 18 Jul 2014 09:24:13 -0700 Subject: [PATCH] Further refined service_manager auditallow statements. Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain. Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0 --- bluetooth.te | 1 + drmserver.te | 6 +++++- dumpstate.te | 15 +++++++++++++++ isolated_app.te | 7 ++++++- nfc.te | 1 + radio.te | 1 + system_app.te | 2 ++ untrusted_app.te | 1 + 8 files changed, 32 insertions(+), 2 deletions(-) diff --git a/bluetooth.te b/bluetooth.te index 8ba56b0e2..56fe17058 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -54,6 +54,7 @@ service_manager_local_audit_domain(bluetooth) auditallow bluetooth { service_manager_type -bluetooth_service + -radio_service -system_server_service }:service_manager find; diff --git a/drmserver.te b/drmserver.te index 12e3ac7c8..14b2f4936 100644 --- a/drmserver.te +++ b/drmserver.te @@ -49,4 +49,8 @@ allow drmserver drmserver_service:service_manager add; # Audited locally. service_manager_local_audit_domain(drmserver) -auditallow drmserver { service_manager_type -drmserver_service }:service_manager find; +auditallow drmserver { + service_manager_type + -drmserver_service + -system_server_service +}:service_manager find; diff --git a/dumpstate.te b/dumpstate.te index 279fd98fb..242cb9326 100644 --- a/dumpstate.te +++ b/dumpstate.te @@ -96,3 +96,18 @@ control_logd(dumpstate) # Read network state info files. allow dumpstate net_data_file:dir search; allow dumpstate net_data_file:file r_file_perms; + +service_manager_local_audit_domain(dumpstate) +auditallow dumpstate { + service_manager_type + -drmserver_service + -healthd_service + -inputflinger_service + -keystore_service + -mediaserver_service + -nfc_service + -radio_service + -surfaceflinger_service + -system_app_service + -system_server_service +}:service_manager find; diff --git a/isolated_app.te b/isolated_app.te index 27b0e40c0..5929b2593 100644 --- a/isolated_app.te +++ b/isolated_app.te @@ -21,4 +21,9 @@ allow isolated_app app_data_file:file execute; # Audited locally. service_manager_local_audit_domain(isolated_app) -auditallow isolated_app service_manager_type:service_manager find; +auditallow isolated_app { + service_manager_type + -radio_service + -surfaceflinger_service + -system_server_service +}:service_manager find; diff --git a/nfc.te b/nfc.te index c32e9d597..2b851a276 100644 --- a/nfc.te +++ b/nfc.te @@ -21,5 +21,6 @@ service_manager_local_audit_domain(nfc) auditallow nfc { service_manager_type -mediaserver_service + -surfaceflinger_service -system_server_service }:service_manager find; diff --git a/radio.te b/radio.te index 11691cb52..5f45df33c 100644 --- a/radio.te +++ b/radio.te @@ -35,5 +35,6 @@ auditallow radio { service_manager_type -mediaserver_service -radio_service + -surfaceflinger_service -system_server_service }:service_manager find; diff --git a/system_app.te b/system_app.te index 24b135e5d..5a5888f2f 100644 --- a/system_app.te +++ b/system_app.te @@ -69,7 +69,9 @@ control_logd(system_app) service_manager_local_audit_domain(system_app) auditallow system_app { service_manager_type + -keystore_service -nfc_service + -radio_service -surfaceflinger_service -system_server_service }:service_manager find; diff --git a/untrusted_app.te b/untrusted_app.te index ef7f1b5f9..c97b4513b 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -69,6 +69,7 @@ service_manager_local_audit_domain(untrusted_app) auditallow untrusted_app { service_manager_type -drmserver_service + -keystore_service -mediaserver_service -nfc_service -radio_service