Assign app_api_service attribute to services.

Move accessibility, account, appops and activity services into enforcing with app_api_service level of access, with additional grants to mediaserver and isolated app. Bug: 18106000 Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
2015-04-03 14:24:02 -07:00 · 2015-04-03 14:24:02 -07:00 · b075338d0e
commit b075338d0e
parent a0756d60d8
9 changed files with 6 additions and 31 deletions
--- a/bluetooth.te
+++ b/bluetooth.te
@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
    tmp_system_server_service
-    -activity_service
-    -appops_service
    -audio_service
    -bluetooth_manager_service
    -connectivity_service
--- a/mediaserver.te
+++ b/mediaserver.te
@ -78,6 +78,8 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;

+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver surfaceflinger_service:service_manager find;
@ -86,8 +88,6 @@ allow mediaserver tmp_system_server_service:service_manager find;
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
    tmp_system_server_service
-    -activity_service
-    -appops_service
    -batterystats_service
    -permission_service
    -power_service
--- a/nfc.te
+++ b/nfc.te
@ -30,9 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
    tmp_system_server_service
-    -accessibility_service
-    -activity_service
-    -appops_service
    -batterystats_service
    -bluetooth_manager_service
    -connectivity_service
--- a/platform_app.te
+++ b/platform_app.te
@ -39,10 +39,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
    tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
    -appwidget_service
    -assetatlas_service
    -audio_service
--- a/radio.te
+++ b/radio.te
@ -41,10 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
    tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
    -assetatlas_service
    -bluetooth_manager_service
    -connectivity_service
--- a/service.te
+++ b/service.te
@ -11,11 +11,11 @@ type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;

 # system_server_services broken down
-type accessibility_service, tmp_system_server_service, service_manager_type;
-type account_service, tmp_system_server_service, service_manager_type;
-type activity_service, tmp_system_server_service, service_manager_type;
+type accessibility_service, app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, system_server_service, service_manager_type;
 type alarm_service, tmp_system_server_service, service_manager_type;
-type appops_service, tmp_system_server_service, service_manager_type;
+type appops_service, app_api_service, system_server_service, service_manager_type;
 type appwidget_service, tmp_system_server_service, service_manager_type;
 type assetatlas_service, tmp_system_server_service, service_manager_type;
 type audio_service, tmp_system_server_service, service_manager_type;
--- a/system_app.te
+++ b/system_app.te
@ -60,10 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
    tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
    -appwidget_service
    -assetatlas_service
    -audio_service
--- a/system_server.te
+++ b/system_server.te
@ -370,11 +370,7 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
    tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
    -alarm_service
-    -appops_service
    -assetatlas_service
    -audio_service
    -backup_service
--- a/untrusted_app.te
+++ b/untrusted_app.te
@ -90,10 +90,6 @@ allow untrusted_app system_api_service:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
    tmp_system_server_service
-    -accessibility_service
-    -account_service
-    -activity_service
-    -appops_service
    -appwidget_service
    -assetatlas_service
    -audio_service