Merge "Enforce more specific service access."
This commit is contained in:
commit
7f2bb0c138
13 changed files with 29 additions and 157 deletions
|
@ -42,8 +42,7 @@ attribute port_type;
|
|||
# All types used for property service
|
||||
attribute property_type;
|
||||
|
||||
# All service_manager types formerly given system_server_service type
|
||||
attribute tmp_system_server_service;
|
||||
# All service_manager types created by system_server
|
||||
attribute system_server_service;
|
||||
|
||||
# services which should be available to all but isolated apps
|
||||
|
|
|
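Review bot: The comment `# services which should be available to all but isolated apps` states an intent that nothing visible in this hunk enforces; the attribute it presumably introduces (the `app_api_service` attribute the rest of this commit grants to bluetooth, nfc, radio, platform_app, system_app and untrusted_app) is declared past the end of the hunk, and isolated_app's exclusion rests only on the absence of an allow rule. If the isolated_app domain's policy does not already carry it, add `neverallow isolated_app app_api_service:service_manager find;` next to the attribute so the comment's promise is checked at policy build time rather than by inspection. The attribute block continues outside this hunk.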
@ -53,17 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
|
|||
allow bluetooth mediaserver_service:service_manager find;
|
||||
allow bluetooth radio_service:service_manager find;
|
||||
allow bluetooth surfaceflinger_service:service_manager find;
|
||||
allow bluetooth tmp_system_server_service:service_manager find;
|
||||
allow bluetooth app_api_service:service_manager find;
|
||||
allow bluetooth system_api_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(bluetooth)
|
||||
auditallow bluetooth {
|
||||
tmp_system_server_service
|
||||
-registry_service
|
||||
-user_service
|
||||
}:service_manager find;
|
||||
|
||||
# already open bugreport file descriptors may be shared with
|
||||
# the bluetooth process, from a file in
|
||||
# /data/data/com.android.shell/files/bugreports/bugreport-*.
|
||||
|
|
|
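Review bot: The new `allow bluetooth system_api_service:service_manager find;` grants more than the audit it replaces justified: the old auditallow excluded only registry_service and user_service as observed uses, and the service.te hunk in this same commit reclassifies both as `app_api_service`, so the `allow bluetooth app_api_service:service_manager find;` line alone covers what was seen. Unless bluetooth is known to need a service that landed in system_api_service, drop the system_api_service line here. The same mismatch appears in the system_app section, where every excluded service (registry, restrictions, sensorservice, textservices, uimode, usagestats, usb, user, vibrator, wifi) is reclassified to app_api_service in service.te while the hunk adds `allow system_app system_api_service:service_manager find;`; for system_app that may be an intentional widening, but if so a one-line comment saying why would stop the next reviewer from re-opening it.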
@ -166,9 +166,6 @@ allow domain security_file:lnk_file r_file_perms;
|
|||
allow domain asec_public_file:file r_file_perms;
|
||||
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
|
||||
|
||||
# log all access to specified system_server services
|
||||
auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
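Review bot: Removing `auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };` together with the `service_manager_local_audit_domain(...)` call deleted from every per-domain file in this commit appears to leave the `service_manager_local_audit` attribute and that macro with no remaining users; the diffstat lists 13 files and none of the sections shown is the macro's definition. Unless a caller survives outside this diff, the attribute and macro definition should be removed in the same change so stale audit scaffolding is not mistaken for live coverage later. This is inferred from the visible sections only; a grep for the macro name before merging would confirm it.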
@ -86,14 +86,8 @@ allow mediaserver mediaserver_service:service_manager { add find };
|
|||
allow mediaserver permission_service:service_manager find;
|
||||
allow mediaserver power_service:service_manager find;
|
||||
allow mediaserver processinfo_service:service_manager find;
|
||||
allow mediaserver scheduling_policy_service:service_manager find;
|
||||
allow mediaserver surfaceflinger_service:service_manager find;
|
||||
allow mediaserver tmp_system_server_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(mediaserver)
|
||||
auditallow mediaserver {
|
||||
tmp_system_server_service
|
||||
-scheduling_policy_service
|
||||
}:service_manager find;
|
||||
|
||||
# /oem access
|
||||
allow mediaserver oemfs:dir search;
|
||||
|
|
10
nfc.te
10
nfc.te
|
@ -23,19 +23,9 @@ allow nfc mediaserver_service:service_manager find;
|
|||
allow nfc nfc_service:service_manager { add find };
|
||||
allow nfc radio_service:service_manager find;
|
||||
allow nfc surfaceflinger_service:service_manager find;
|
||||
allow nfc tmp_system_server_service:service_manager find;
|
||||
allow nfc app_api_service:service_manager find;
|
||||
allow nfc system_api_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(nfc)
|
||||
auditallow nfc {
|
||||
tmp_system_server_service
|
||||
-registry_service
|
||||
-trust_service
|
||||
-user_service
|
||||
-vibrator_service
|
||||
}:service_manager find;
|
||||
|
||||
# already open bugreport file descriptors may be shared with
|
||||
# the nfc process, from a file in
|
||||
# /data/data/com.android.shell/files/bugreports/bugreport-*.
|
||||
|
|
|
@ -33,23 +33,5 @@ allow platform_app mediaserver_service:service_manager find;
|
|||
allow platform_app persistent_data_block_service:service_manager find;
|
||||
allow platform_app radio_service:service_manager find;
|
||||
allow platform_app surfaceflinger_service:service_manager find;
|
||||
allow platform_app tmp_system_server_service:service_manager find;
|
||||
allow platform_app app_api_service:service_manager find;
|
||||
allow platform_app system_api_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(platform_app)
|
||||
auditallow platform_app {
|
||||
tmp_system_server_service
|
||||
-registry_service
|
||||
-search_service
|
||||
-sensorservice_service
|
||||
-statusbar_service
|
||||
-trust_service
|
||||
-uimode_service
|
||||
-usb_service
|
||||
-user_service
|
||||
-vibrator_service
|
||||
-wallpaper_service
|
||||
-webviewupdate_service
|
||||
-wifi_service
|
||||
}:service_manager find;
|
||||
|
|
11
radio.te
11
radio.te
|
@ -34,16 +34,5 @@ allow radio drmserver_service:service_manager find;
|
|||
allow radio mediaserver_service:service_manager find;
|
||||
allow radio radio_service:service_manager { add find };
|
||||
allow radio surfaceflinger_service:service_manager find;
|
||||
allow radio tmp_system_server_service:service_manager find;
|
||||
allow radio app_api_service:service_manager find;
|
||||
allow radio system_api_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(radio)
|
||||
auditallow radio {
|
||||
tmp_system_server_service
|
||||
-registry_service
|
||||
-trust_service
|
||||
-user_service
|
||||
-vibrator_service
|
||||
-wifi_service
|
||||
}:service_manager find;
|
||||
|
|
50
service.te
50
service.te
|
@ -72,31 +72,31 @@ type power_service, app_api_service, system_server_service, service_manager_type
|
|||
type print_service, app_api_service, system_server_service, service_manager_type;
|
||||
type processinfo_service, system_server_service, service_manager_type;
|
||||
type procstats_service, app_api_service, system_server_service, service_manager_type;
|
||||
type restrictions_service, tmp_system_server_service, service_manager_type;
|
||||
type rttmanager_service, tmp_system_server_service, service_manager_type;
|
||||
type registry_service, app_api_service, system_server_service, service_manager_type;
|
||||
type restrictions_service, app_api_service, system_server_service, service_manager_type;
|
||||
type rttmanager_service, app_api_service, system_server_service, service_manager_type;
|
||||
type samplingprofiler_service, system_server_service, service_manager_type;
|
||||
type scheduling_policy_service, tmp_system_server_service, service_manager_type;
|
||||
type search_service, tmp_system_server_service, service_manager_type;
|
||||
type sensorservice_service, tmp_system_server_service, service_manager_type;
|
||||
type serial_service, tmp_system_server_service, service_manager_type;
|
||||
type servicediscovery_service, tmp_system_server_service, service_manager_type;
|
||||
type statusbar_service, tmp_system_server_service, service_manager_type;
|
||||
type task_service, tmp_system_server_service, service_manager_type;
|
||||
type registry_service, tmp_system_server_service, service_manager_type;
|
||||
type textservices_service, tmp_system_server_service, service_manager_type;
|
||||
type telecom_service, tmp_system_server_service, service_manager_type;
|
||||
type trust_service, tmp_system_server_service, service_manager_type;
|
||||
type scheduling_policy_service, system_server_service, service_manager_type;
|
||||
type search_service, app_api_service, system_server_service, service_manager_type;
|
||||
type sensorservice_service, app_api_service, system_server_service, service_manager_type;
|
||||
type serial_service, system_api_service, system_server_service, service_manager_type;
|
||||
type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
|
||||
type statusbar_service, app_api_service, system_server_service, service_manager_type;
|
||||
type task_service, system_server_service, service_manager_type;
|
||||
type textservices_service, app_api_service, system_server_service, service_manager_type;
|
||||
type telecom_service, app_api_service, system_server_service, service_manager_type;
|
||||
type trust_service, system_api_service, system_server_service, service_manager_type;
|
||||
type tv_input_service, app_api_service, system_server_service, service_manager_type;
|
||||
type uimode_service, tmp_system_server_service, service_manager_type;
|
||||
type updatelock_service, tmp_system_server_service, service_manager_type;
|
||||
type usagestats_service, tmp_system_server_service, service_manager_type;
|
||||
type usb_service, tmp_system_server_service, service_manager_type;
|
||||
type user_service, tmp_system_server_service, service_manager_type;
|
||||
type vibrator_service, tmp_system_server_service, service_manager_type;
|
||||
type voiceinteraction_service, tmp_system_server_service, service_manager_type;
|
||||
type wallpaper_service, tmp_system_server_service, service_manager_type;
|
||||
type webviewupdate_service, tmp_system_server_service, service_manager_type;
|
||||
type wifip2p_service, tmp_system_server_service, service_manager_type;
|
||||
type uimode_service, app_api_service, system_server_service, service_manager_type;
|
||||
type updatelock_service, system_api_service, system_server_service, service_manager_type;
|
||||
type usagestats_service, app_api_service, system_server_service, service_manager_type;
|
||||
type usb_service, app_api_service, system_server_service, service_manager_type;
|
||||
type user_service, app_api_service, system_server_service, service_manager_type;
|
||||
type vibrator_service, app_api_service, system_server_service, service_manager_type;
|
||||
type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
|
||||
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
|
||||
type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
|
||||
type wifip2p_service, app_api_service, system_server_service, service_manager_type;
|
||||
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
|
||||
type wifi_service, tmp_system_server_service, service_manager_type;
|
||||
type window_service, tmp_system_server_service, service_manager_type;
|
||||
type wifi_service, app_api_service, system_server_service, service_manager_type;
|
||||
type window_service, system_api_service, system_server_service, service_manager_type;
|
||||
|
|
|
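Review bot: The assignment of each service to `app_api_service` versus `system_api_service` in this hunk is the enforcement boundary the commit title refers to, yet nothing in the file states the criterion that put trust_service, serial_service, updatelock_service, webviewupdate_service, wifiscanner_service and window_service on the system side while user_service, usb_service and wifi_service went to the app side. A reader classifying a future `type ..._service` line has no rule to apply and will copy whichever neighbour looks closest. Suggest a short header comment above the type list describing the intended audience of the two attributes, for example `# app_api_service: services intended to be reachable from all but isolated apps` and `# system_api_service: services intended only for system-level clients`, so each new declaration can be checked against it. The type list extends beyond both edges of this hunk.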
@ -10,10 +10,4 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
|
|||
allow shared_relro shared_relro_file:file create_file_perms;
|
||||
|
||||
# Needs to contact the "webviewupdate" and "activity" services
|
||||
allow shared_relro tmp_system_server_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(shared_relro)
|
||||
auditallow shared_relro {
|
||||
tmp_system_server_service
|
||||
-webviewupdate_service
|
||||
}:service_manager find;
|
||||
allow shared_relro webviewupdate_service:service_manager find;
|
||||
|
|
|
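Review bot: The comment `# Needs to contact the "webviewupdate" and "activity" services` no longer matches the rule beneath it: the broad tmp_system_server_service grant is replaced by `allow shared_relro webviewupdate_service:service_manager find;` only, and the audit exclusion being removed named webviewupdate_service alone. Either activity access was never observed and the comment should read `# Needs to contact the "webviewupdate" service`, or a find grant on the activity service's type is missing and will surface as a runtime denial once the audit rule is gone. Worth resolving now while the audit data still exists.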
@ -63,13 +63,7 @@ allow surfaceflinger mediaserver_service:service_manager find;
|
|||
allow surfaceflinger permission_service:service_manager find;
|
||||
allow surfaceflinger power_service:service_manager find;
|
||||
allow surfaceflinger surfaceflinger_service:service_manager { add find };
|
||||
allow surfaceflinger tmp_system_server_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(surfaceflinger)
|
||||
auditallow surfaceflinger {
|
||||
tmp_system_server_service
|
||||
-window_service
|
||||
}:service_manager find;
|
||||
allow surfaceflinger window_service:service_manager find;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
|
|
@ -53,25 +53,9 @@ allow system_app nfc_service:service_manager find;
|
|||
allow system_app radio_service:service_manager find;
|
||||
allow system_app surfaceflinger_service:service_manager find;
|
||||
allow system_app system_app_service:service_manager add;
|
||||
allow system_app tmp_system_server_service:service_manager find;
|
||||
allow system_app app_api_service:service_manager find;
|
||||
allow system_app system_api_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(system_app)
|
||||
auditallow system_app {
|
||||
tmp_system_server_service
|
||||
-registry_service
|
||||
-restrictions_service
|
||||
-sensorservice_service
|
||||
-textservices_service
|
||||
-uimode_service
|
||||
-usagestats_service
|
||||
-usb_service
|
||||
-user_service
|
||||
-vibrator_service
|
||||
-wifi_service
|
||||
}:service_manager find;
|
||||
|
||||
allow system_app keystore:keystore_key {
|
||||
test
|
||||
get
|
||||
|
|
|
@ -371,27 +371,6 @@ allow system_server nfc_service:service_manager find;
|
|||
allow system_server radio_service:service_manager find;
|
||||
allow system_server system_server_service:service_manager { add find };
|
||||
allow system_server surfaceflinger_service:service_manager find;
|
||||
allow system_server tmp_system_server_service:service_manager { add find };
|
||||
|
||||
service_manager_local_audit_domain(system_server)
|
||||
auditallow system_server {
|
||||
tmp_system_server_service
|
||||
-registry_service
|
||||
-sensorservice_service
|
||||
-statusbar_service
|
||||
-textservices_service
|
||||
-trust_service
|
||||
-uimode_service
|
||||
-updatelock_service
|
||||
-usagestats_service
|
||||
-user_service
|
||||
-vibrator_service
|
||||
-wallpaper_service
|
||||
-webviewupdate_service
|
||||
-wifi_service
|
||||
-wifip2p_service
|
||||
-window_service
|
||||
}:service_manager find;
|
||||
|
||||
allow system_server keystore:keystore_key {
|
||||
test
|
||||
|
|
|
@ -81,7 +81,6 @@ allow untrusted_app mediaserver_service:service_manager find;
|
|||
allow untrusted_app nfc_service:service_manager find;
|
||||
allow untrusted_app radio_service:service_manager find;
|
||||
allow untrusted_app surfaceflinger_service:service_manager find;
|
||||
allow untrusted_app tmp_system_server_service:service_manager find;
|
||||
allow untrusted_app app_api_service:service_manager find;
|
||||
|
||||
# TODO: remove this once priv-apps are no longer running in untrusted_app
|
||||
|
@ -90,27 +89,6 @@ allow untrusted_app system_api_service:service_manager find;
|
|||
# TODO: remove and replace with specific package that accesses this
|
||||
allow untrusted_app persistent_data_block_service:service_manager find;
|
||||
|
||||
service_manager_local_audit_domain(untrusted_app)
|
||||
auditallow untrusted_app {
|
||||
tmp_system_server_service
|
||||
-registry_service
|
||||
-rttmanager_service
|
||||
-search_service
|
||||
-sensorservice_service
|
||||
-statusbar_service
|
||||
-textservices_service
|
||||
-trust_service
|
||||
-uimode_service
|
||||
-usagestats_service
|
||||
-user_service
|
||||
-vibrator_service
|
||||
-voiceinteraction_service
|
||||
-wallpaper_service
|
||||
-webviewupdate_service
|
||||
-wifi_service
|
||||
-wifip2p_service
|
||||
}:service_manager find;
|
||||
|
||||
# Allow verifier to access staged apks.
|
||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
|
||||
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
|
||||
|
|
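Review bot: Removing the `auditallow untrusted_app { tmp_system_server_service ... }:service_manager find;` block takes away the only visibility into which system-level services untrusted_app actually reaches, while the section's second hunk shows the domain still holds `allow untrusted_app system_api_service:service_manager find;` under a TODO tied to priv-apps running as untrusted_app. Services on the old exclusion list such as trust_service and webviewupdate_service land in system_api_service in this commit, so after this change they are reachable from untrusted_app solely through that TODO'd grant with no record of use. Suggest keeping a narrower `auditallow untrusted_app system_api_service:service_manager find;` until the priv-app split lands, so the eventual removal of that grant is made on evidence rather than guesswork. The second hunk's surrounding rules continue outside what is shown.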