Merge "Enforce more specific service access."

This commit is contained in:
dcashman 2015-04-09 17:06:00 +00:00 committed by Gerrit Code Review
commit 7f2bb0c138
13 changed files with 29 additions and 157 deletions

View file

@ -42,8 +42,7 @@ attribute port_type;
# All types used for property service
attribute property_type;
# All service_manager types formerly given system_server_service type
attribute tmp_system_server_service;
# All service_manager types created by system_server
attribute system_server_service;
# services which should be available to all but isolated apps

View file

@ -53,17 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth surfaceflinger_service:service_manager find;
allow bluetooth tmp_system_server_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
service_manager_local_audit_domain(bluetooth)
auditallow bluetooth {
tmp_system_server_service
-registry_service
-user_service
}:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.

View file

@ -166,9 +166,6 @@ allow domain security_file:lnk_file r_file_perms;
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
# log all access to specified system_server services
auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
###
### neverallow rules
###

View file

@ -86,14 +86,8 @@ allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
allow mediaserver tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
tmp_system_server_service
-scheduling_policy_service
}:service_manager find;
# /oem access
allow mediaserver oemfs:dir search;

10
nfc.te
View file

@ -23,19 +23,9 @@ allow nfc mediaserver_service:service_manager find;
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
allow nfc surfaceflinger_service:service_manager find;
allow nfc tmp_system_server_service:service_manager find;
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
service_manager_local_audit_domain(nfc)
auditallow nfc {
tmp_system_server_service
-registry_service
-trust_service
-user_service
-vibrator_service
}:service_manager find;
# already open bugreport file descriptors may be shared with
# the nfc process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.

View file

@ -33,23 +33,5 @@ allow platform_app mediaserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
-registry_service
-search_service
-sensorservice_service
-statusbar_service
-trust_service
-uimode_service
-usb_service
-user_service
-vibrator_service
-wallpaper_service
-webviewupdate_service
-wifi_service
}:service_manager find;

View file

@ -34,16 +34,5 @@ allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find;
allow radio tmp_system_server_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
service_manager_local_audit_domain(radio)
auditallow radio {
tmp_system_server_service
-registry_service
-trust_service
-user_service
-vibrator_service
-wifi_service
}:service_manager find;

View file

@ -72,31 +72,31 @@ type power_service, app_api_service, system_server_service, service_manager_type
type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, tmp_system_server_service, service_manager_type;
type rttmanager_service, tmp_system_server_service, service_manager_type;
type registry_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, tmp_system_server_service, service_manager_type;
type search_service, tmp_system_server_service, service_manager_type;
type sensorservice_service, tmp_system_server_service, service_manager_type;
type serial_service, tmp_system_server_service, service_manager_type;
type servicediscovery_service, tmp_system_server_service, service_manager_type;
type statusbar_service, tmp_system_server_service, service_manager_type;
type task_service, tmp_system_server_service, service_manager_type;
type registry_service, tmp_system_server_service, service_manager_type;
type textservices_service, tmp_system_server_service, service_manager_type;
type telecom_service, tmp_system_server_service, service_manager_type;
type trust_service, tmp_system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, system_server_service, service_manager_type;
type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, system_server_service, service_manager_type;
type trust_service, system_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, tmp_system_server_service, service_manager_type;
type updatelock_service, tmp_system_server_service, service_manager_type;
type usagestats_service, tmp_system_server_service, service_manager_type;
type usb_service, tmp_system_server_service, service_manager_type;
type user_service, tmp_system_server_service, service_manager_type;
type vibrator_service, tmp_system_server_service, service_manager_type;
type voiceinteraction_service, tmp_system_server_service, service_manager_type;
type wallpaper_service, tmp_system_server_service, service_manager_type;
type webviewupdate_service, tmp_system_server_service, service_manager_type;
type wifip2p_service, tmp_system_server_service, service_manager_type;
type uimode_service, app_api_service, system_server_service, service_manager_type;
type updatelock_service, system_api_service, system_server_service, service_manager_type;
type usagestats_service, app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, tmp_system_server_service, service_manager_type;
type window_service, tmp_system_server_service, service_manager_type;
type wifi_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;

View file

@ -10,10 +10,4 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms;
# Needs to contact the "webviewupdate" and "activity" services
allow shared_relro tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(shared_relro)
auditallow shared_relro {
tmp_system_server_service
-webviewupdate_service
}:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;

View file

@ -63,13 +63,7 @@ allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(surfaceflinger)
auditallow surfaceflinger {
tmp_system_server_service
-window_service
}:service_manager find;
allow surfaceflinger window_service:service_manager find;
###
### Neverallow rules

View file

@ -53,25 +53,9 @@ allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
allow system_app tmp_system_server_service:service_manager find;
allow system_app app_api_service:service_manager find;
allow system_app system_api_service:service_manager find;
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
-registry_service
-restrictions_service
-sensorservice_service
-textservices_service
-uimode_service
-usagestats_service
-usb_service
-user_service
-vibrator_service
-wifi_service
}:service_manager find;
allow system_app keystore:keystore_key {
test
get

View file

@ -371,27 +371,6 @@ allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
allow system_server tmp_system_server_service:service_manager { add find };
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
-registry_service
-sensorservice_service
-statusbar_service
-textservices_service
-trust_service
-uimode_service
-updatelock_service
-usagestats_service
-user_service
-vibrator_service
-wallpaper_service
-webviewupdate_service
-wifi_service
-wifip2p_service
-window_service
}:service_manager find;
allow system_server keystore:keystore_key {
test

View file

@ -81,7 +81,6 @@ allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app tmp_system_server_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
# TODO: remove this once priv-apps are no longer running in untrusted_app
@ -90,27 +89,6 @@ allow untrusted_app system_api_service:service_manager find;
# TODO: remove and replace with specific package that accesses this
allow untrusted_app persistent_data_block_service:service_manager find;
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
-registry_service
-rttmanager_service
-search_service
-sensorservice_service
-statusbar_service
-textservices_service
-trust_service
-uimode_service
-usagestats_service
-user_service
-vibrator_service
-voiceinteraction_service
-wallpaper_service
-webviewupdate_service
-wifi_service
-wifip2p_service
}:service_manager find;
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;