From bd7f5803f924b0ca318c1d426b683c3f658754f9 Mon Sep 17 00:00:00 2001
From: dcashman
Date: Wed, 8 Apr 2015 15:12:24 -0700
Subject: [PATCH] Enforce more specific service access.
Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging: registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window
Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
---
attributes | 3 +--
bluetooth.te | 8 --------
domain.te | 3 ---
mediaserver.te | 8 +-------
nfc.te | 10 ----------
platform_app.te | 18 -----------------
radio.te | 11 -----------
service.te | 50 +++++++++++++++++++++++------------------
shared_relro.te | 8 +-------
surfaceflinger.te | 8 +-------
system_app.te | 16 ---------------
system_server.te | 21 --------------------
untrusted_app.te | 22 ---------------------
13 files changed, 29 insertions(+), 157 deletions(-)
diff --git a/attributes b/attributes
index f35c83fec..a9b211fd0 100644
--- a/attributes
+++ b/attributes
@@ -42,8 +42,7 @@ attribute port_type;
# All types used for property service
attribute property_type;
-# All service_manager types formerly given system_server_service type
-attribute tmp_system_server_service;
+# All service_manager types created by system_server
attribute system_server_service;
# services which should be available to all but isolated apps
diff --git a/bluetooth.te b/bluetooth.te
index bc2acef7f..890c1d98b 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -53,17 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth tmp_system_server_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
- tmp_system_server_service
- -registry_service
- -user_service
-}:service_manager find;
-
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/domain.te b/domain.te
index 5a3d3c93c..87ec2ee66 100644
--- a/domain.te
+++ b/domain.te
@@ -166,9 +166,6 @@ allow domain security_file:lnk_file r_file_perms;
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-# log all access to specified system_server services
-auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
-
###
### neverallow rules
###
diff --git a/mediaserver.te b/mediaserver.te
index 64971015d..d26909730 100644
--- a/mediaserver.te
+++ b/mediaserver.te
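Review bot: Removing this auditallow leaves no visible user of the `service_manager_local_audit` attribute, and the `service_manager_local_audit_domain()` macro that every other hunk stops invoking is not touched either; both are presumably declared outside these hunks (attributes / te_macros) and now look dead. A retained no-op audit hook invites a later domain to be wired into it expecting logging that no rule produces. Suggest deleting the attribute declaration and the macro in this change, or, if they are intentionally kept for out-of-tree policy, marking them at their definitions with `# unused since tmp_system_server_service was removed; kept for device policy`.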
@@ -86,14 +86,8 @@ allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
-allow mediaserver tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
- tmp_system_server_service
- -scheduling_policy_service
-}:service_manager find;
# /oem access
allow mediaserver oemfs:dir search;
diff --git a/nfc.te b/nfc.te
index e4a4ccb56..8528b4f71 100644
--- a/nfc.te
+++ b/nfc.te
@@ -23,19 +23,9 @@ allow nfc mediaserver_service:service_manager find;
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
allow nfc surfaceflinger_service:service_manager find;
-allow nfc tmp_system_server_service:service_manager find;
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
- tmp_system_server_service
- -registry_service
- -trust_service
- -user_service
- -vibrator_service
-}:service_manager find;
-
# already open bugreport file descriptors may be shared with
# the nfc process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/platform_app.te b/platform_app.te
index 2943e6ce6..c152f47a6 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -33,23 +33,5 @@ allow platform_app mediaserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app tmp_system_server_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
-
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
- tmp_system_server_service
- -registry_service
- -search_service
- -sensorservice_service
- -statusbar_service
- -trust_service
- -uimode_service
- -usb_service
- -user_service
- -vibrator_service
- -wallpaper_service
- -webviewupdate_service
- -wifi_service
-}:service_manager find;
diff --git a/radio.te b/radio.te
index 469f1d959..92f18d22b 100644
--- a/radio.te
+++ b/radio.te
@@ -34,16 +34,5 @@ allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find;
-allow radio tmp_system_server_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
-
-service_manager_local_audit_domain(radio)
-auditallow radio {
- tmp_system_server_service
- -registry_service
- -trust_service
- -user_service
- -vibrator_service
- -wifi_service
-}:service_manager find;
diff --git a/service.te b/service.te
index fa4d56e72..be22933f9 100644
--- a/service.te
+++ b/service.te
@@ -72,31 +72,31 @@ type power_service, app_api_service, system_server_service, service_manager_type
type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type;
-type restrictions_service, tmp_system_server_service, service_manager_type;
-type rttmanager_service, tmp_system_server_service, service_manager_type;
+type registry_service, app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, tmp_system_server_service, service_manager_type;
-type search_service, tmp_system_server_service, service_manager_type;
-type sensorservice_service, tmp_system_server_service, service_manager_type;
-type serial_service, tmp_system_server_service, service_manager_type;
-type servicediscovery_service, tmp_system_server_service, service_manager_type;
-type statusbar_service, tmp_system_server_service, service_manager_type;
-type task_service, tmp_system_server_service, service_manager_type;
-type registry_service, tmp_system_server_service, service_manager_type;
-type textservices_service, tmp_system_server_service, service_manager_type;
-type telecom_service, tmp_system_server_service, service_manager_type;
-type trust_service, tmp_system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type 
servicediscovery_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, system_server_service, service_manager_type;
+type trust_service, system_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, tmp_system_server_service, service_manager_type;
-type updatelock_service, tmp_system_server_service, service_manager_type;
-type usagestats_service, tmp_system_server_service, service_manager_type;
-type usb_service, tmp_system_server_service, service_manager_type;
-type user_service, tmp_system_server_service, service_manager_type;
-type vibrator_service, tmp_system_server_service, service_manager_type;
-type voiceinteraction_service, tmp_system_server_service, service_manager_type;
-type wallpaper_service, tmp_system_server_service, service_manager_type;
-type webviewupdate_service, tmp_system_server_service, service_manager_type;
-type wifip2p_service, tmp_system_server_service, service_manager_type;
+type uimode_service, app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, 
service_manager_type;
+type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, tmp_system_server_service, service_manager_type;
-type window_service, tmp_system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/shared_relro.te b/shared_relro.te
index c97ab5ca1..6a1dfd424 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -10,10 +10,4 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms;
# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(shared_relro)
-auditallow shared_relro {
- tmp_system_server_service
- -webviewupdate_service
-}:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c83caf2a6..c85df828c 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -63,13 +63,7 @@ allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
- tmp_system_server_service
- -window_service
-}:service_manager find;
+allow surfaceflinger window_service:service_manager find;
###
### Neverallow rules
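Review bot: The app_api_service / system_api_service / no-attribute placement given to each type in this service.te hunk is the actual access decision of the patch, yet nothing in the file records the basis for it, and a few placements deserve a second look: `scheduling_policy_service` and `task_service` receive no API attribute, so after this change only system_server and, via the explicit allow in the mediaserver.te hunk, mediaserver can find them, while `trust_service`, `serial_service`, `updatelock_service`, `webviewupdate_service` and `window_service` are gated behind system_api_service. A short header comment above the type block stating what each attribute grants, along the lines of `# app_api_service: findable by all but isolated apps (see attributes); system_api_service: system-level clients only; neither: reachable only by domains with an explicit allow`, would let later additions follow the same rule instead of guessing. Note that the paste has broken this hunk mid-line at `+type ` / `servicediscovery_service, …` and at `…system_server_service, ` / `service_manager_type;`; both are single lines in the patch.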
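Review bot: In the shared_relro.te hunk the retained comment `# Needs to contact the "webviewupdate" and "activity" services` now sits directly above a single rule for `webviewupdate_service`, so it no longer describes the rule beneath it. `activity_service` is not among the types moved off tmp_system_server_service in service.te, so its allow presumably already lives above this hunk; if it does, the comment should move next to that rule or be trimmed to `# Needs to contact the "webviewupdate" service`, and if it does not, the comment is documenting access shared_relro never had.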
diff --git a/system_app.te b/system_app.te
index 9b4e29a48..895ff7125 100644
--- a/system_app.te
+++ b/system_app.te
@@ -53,25 +53,9 @@ allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
-allow system_app tmp_system_server_service:service_manager find;
allow system_app app_api_service:service_manager find;
allow system_app system_api_service:service_manager find;
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
- tmp_system_server_service
- -registry_service
- -restrictions_service
- -sensorservice_service
- -textservices_service
- -uimode_service
- -usagestats_service
- -usb_service
- -user_service
- -vibrator_service
- -wifi_service
-}:service_manager find;
-
allow system_app keystore:keystore_key {
test
get
diff --git a/system_server.te b/system_server.te
index cb5d5cb9f..ac7a7c753 100644
--- a/system_server.te
+++ b/system_server.te
@@ -371,27 +371,6 @@ allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
-allow system_server tmp_system_server_service:service_manager { add find };
-
-service_manager_local_audit_domain(system_server)
-auditallow system_server {
- tmp_system_server_service
- -registry_service
- -sensorservice_service
- -statusbar_service
- -textservices_service
- -trust_service
- -uimode_service
- -updatelock_service
- -usagestats_service
- -user_service
- -vibrator_service
- -wallpaper_service
- -webviewupdate_service
- -wifi_service
- -wifip2p_service
- -window_service
-}:service_manager find;
allow system_server keystore:keystore_key {
test
diff --git a/untrusted_app.te b/untrusted_app.te
index c94092a11..5ad8c79bd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,7 +81,6 @@ allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app tmp_system_server_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
# TODO: remove this once priv-apps are no longer running in untrusted_app
@@ -90,27 +89,6 @@ allow untrusted_app system_api_service:service_manager find;
# TODO: remove and replace with specific package that accesses this
allow untrusted_app persistent_data_block_service:service_manager find;
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
- tmp_system_server_service
- -registry_service
- -rttmanager_service
- -search_service
- -sensorservice_service
- -statusbar_service
- -textservices_service
- -trust_service
- -uimode_service
- -usagestats_service
- -user_service
- -vibrator_service
- -voiceinteraction_service
- -wallpaper_service
- -webviewupdate_service
- -wifi_service
- -wifip2p_service
-}:service_manager find;
-
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
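Review bot: Two of the audit exclusions removed in the second hunk, `trust_service` and `webviewupdate_service`, are classified as system_api_service in the service.te hunk, so untrusted_app now reaches them only through `allow untrusted_app system_api_service:service_manager find;`, the rule that the first hunk's `# TODO: remove this once priv-apps are no longer running in untrusted_app` comment marks for removal. If those exclusions were added because ordinary, non-privileged apps were observed finding the two services, which is what an exclusion list suggests though the patch does not say, dropping that TODO rule later will start denying them. Worth confirming which packages needed them and either moving the two types to app_api_service now or recording the dependency beside the TODO, e.g. `# also the only path to trust_service and webviewupdate_service for untrusted_app`. Separately, `task_service` was findable by untrusted_app through tmp_system_server_service and carries no API attribute after this change; it was never excluded from the audit so is presumably unused, but that silent tightening deserves a line in the commit message.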