Merge "More neverallows for default_android_service."

2020-01-21 21:31:57 +00:00 · 2020-01-21 21:31:57 +00:00 · 64c8ddb123
commit 64c8ddb123
parent c9cc4001e4 a30464c06e
6 changed files with 8 additions and 3 deletions
--- a/private/atrace.te
+++ b/private/atrace.te
@ -37,6 +37,7 @@ allow atrace {
  -installd_service
  -vold_service
  -lpdump_service
+  -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;

--- a/private/system_app.te
+++ b/private/system_app.te
@ -93,6 +93,7 @@ allow system_app {
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 # suppress denials for services system_app should not be accessing.
 dontaudit system_app {
--- a/public/domain.te
+++ b/public/domain.te
@ -500,9 +500,9 @@ neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmou
 # system_app_service rather than the generic type.
 # New service_types are defined in {,hw,vnd}service.te and new mappings
 # from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager add;
-neverallow * default_android_vndservice:service_manager { add find };
-neverallow * default_android_hwservice:hwservice_manager { add find };
+neverallow * default_android_service:service_manager *;
+neverallow * default_android_vndservice:service_manager *;
+neverallow * default_android_hwservice:hwservice_manager *;

 # Looking up the base class/interface of all HwBinder services is a bad idea.
 # hwservicemanager currently offer such lookups only to make it so that security
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -230,6 +230,7 @@ allow dumpstate {
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 # suppress denials for services dumpstate should not be accessing.
 dontaudit dumpstate {
--- a/public/shell.te
+++ b/public/shell.te
@ -127,6 +127,7 @@ allow shell {
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
+  -default_android_service
 }:service_manager find;
 allow shell dumpstate:binder call;

--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@ -21,6 +21,7 @@ allow traceur_app {
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
+  -default_android_service
 }:service_manager find;

 # Allow traceur_app to use atrace HAL