Enforce more specific service access.

Move the remaining services from tmp_system_server_service to appropriate
attributes, and remove the tmp_system_server_service attribute and its associated auditallow logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
This commit is contained in:
dcashman 2015-04-08 15:12:24 -07:00
parent 03a6f64f95
commit bd7f5803f9
13 changed files with 29 additions and 157 deletions


@ -42,8 +42,7 @@ attribute port_type;
# All types used for property service # All types used for property service
attribute property_type; attribute property_type;
# All service_manager types formerly given system_server_service type # All service_manager types created by system_server
attribute tmp_system_server_service;
attribute system_server_service; attribute system_server_service;
# services which should be available to all but isolated apps # services which should be available to all but isolated apps


@ -53,17 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find; allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find; allow bluetooth radio_service:service_manager find;
allow bluetooth surfaceflinger_service:service_manager find; allow bluetooth surfaceflinger_service:service_manager find;
allow bluetooth tmp_system_server_service:service_manager find;
allow bluetooth app_api_service:service_manager find; allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find; allow bluetooth system_api_service:service_manager find;
service_manager_local_audit_domain(bluetooth)
auditallow bluetooth {
tmp_system_server_service
-registry_service
-user_service
}:service_manager find;
# already open bugreport file descriptors may be shared with # already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in # the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*. # /data/data/com.android.shell/files/bugreports/bugreport-*.


@ -166,9 +166,6 @@ allow domain security_file:lnk_file r_file_perms;
allow domain asec_public_file:file r_file_perms; allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms; allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
# log all access to specified system_server services
auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
### ###
### neverallow rules ### neverallow rules
### ###


@ -86,14 +86,8 @@ allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver permission_service:service_manager find; allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find; allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find; allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find; allow mediaserver surfaceflinger_service:service_manager find;
allow mediaserver tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
tmp_system_server_service
-scheduling_policy_service
}:service_manager find;
# /oem access # /oem access
allow mediaserver oemfs:dir search; allow mediaserver oemfs:dir search;

10
nfc.te

@ -23,19 +23,9 @@ allow nfc mediaserver_service:service_manager find;
allow nfc nfc_service:service_manager { add find }; allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find; allow nfc radio_service:service_manager find;
allow nfc surfaceflinger_service:service_manager find; allow nfc surfaceflinger_service:service_manager find;
allow nfc tmp_system_server_service:service_manager find;
allow nfc app_api_service:service_manager find; allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find; allow nfc system_api_service:service_manager find;
service_manager_local_audit_domain(nfc)
auditallow nfc {
tmp_system_server_service
-registry_service
-trust_service
-user_service
-vibrator_service
}:service_manager find;
# already open bugreport file descriptors may be shared with # already open bugreport file descriptors may be shared with
# the nfc process, from a file in # the nfc process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*. # /data/data/com.android.shell/files/bugreports/bugreport-*.


@ -33,23 +33,5 @@ allow platform_app mediaserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find; allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find; allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find; allow platform_app surfaceflinger_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
allow platform_app app_api_service:service_manager find; allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find; allow platform_app system_api_service:service_manager find;
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
-registry_service
-search_service
-sensorservice_service
-statusbar_service
-trust_service
-uimode_service
-usb_service
-user_service
-vibrator_service
-wallpaper_service
-webviewupdate_service
-wifi_service
}:service_manager find;


@ -34,16 +34,5 @@ allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find; allow radio mediaserver_service:service_manager find;
allow radio radio_service:service_manager { add find }; allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find; allow radio surfaceflinger_service:service_manager find;
allow radio tmp_system_server_service:service_manager find;
allow radio app_api_service:service_manager find; allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find; allow radio system_api_service:service_manager find;
service_manager_local_audit_domain(radio)
auditallow radio {
tmp_system_server_service
-registry_service
-trust_service
-user_service
-vibrator_service
-wifi_service
}:service_manager find;


@ -72,31 +72,31 @@ type power_service, app_api_service, system_server_service, service_manager_type
type print_service, app_api_service, system_server_service, service_manager_type; type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type; type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type; type procstats_service, app_api_service, system_server_service, service_manager_type;
type restrictions_service, tmp_system_server_service, service_manager_type; type registry_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, tmp_system_server_service, service_manager_type; type restrictions_service, app_api_service, system_server_service, service_manager_type;
type rttmanager_service, app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type; type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, tmp_system_server_service, service_manager_type; type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, tmp_system_server_service, service_manager_type; type search_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, tmp_system_server_service, service_manager_type; type sensorservice_service, app_api_service, system_server_service, service_manager_type;
type serial_service, tmp_system_server_service, service_manager_type; type serial_service, system_api_service, system_server_service, service_manager_type;
type servicediscovery_service, tmp_system_server_service, service_manager_type; type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, tmp_system_server_service, service_manager_type; type statusbar_service, app_api_service, system_server_service, service_manager_type;
type task_service, tmp_system_server_service, service_manager_type; type task_service, system_server_service, service_manager_type;
type registry_service, tmp_system_server_service, service_manager_type; type textservices_service, app_api_service, system_server_service, service_manager_type;
type textservices_service, tmp_system_server_service, service_manager_type; type telecom_service, app_api_service, system_server_service, service_manager_type;
type telecom_service, tmp_system_server_service, service_manager_type; type trust_service, system_api_service, system_server_service, service_manager_type;
type trust_service, tmp_system_server_service, service_manager_type;
type tv_input_service, app_api_service, system_server_service, service_manager_type; type tv_input_service, app_api_service, system_server_service, service_manager_type;
type uimode_service, tmp_system_server_service, service_manager_type; type uimode_service, app_api_service, system_server_service, service_manager_type;
type updatelock_service, tmp_system_server_service, service_manager_type; type updatelock_service, system_api_service, system_server_service, service_manager_type;
type usagestats_service, tmp_system_server_service, service_manager_type; type usagestats_service, app_api_service, system_server_service, service_manager_type;
type usb_service, tmp_system_server_service, service_manager_type; type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, tmp_system_server_service, service_manager_type; type user_service, app_api_service, system_server_service, service_manager_type;
type vibrator_service, tmp_system_server_service, service_manager_type; type vibrator_service, app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, tmp_system_server_service, service_manager_type; type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
type wallpaper_service, tmp_system_server_service, service_manager_type; type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, tmp_system_server_service, service_manager_type; type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
type wifip2p_service, tmp_system_server_service, service_manager_type; type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type; type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
type wifi_service, tmp_system_server_service, service_manager_type; type wifi_service, app_api_service, system_server_service, service_manager_type;
type window_service, tmp_system_server_service, service_manager_type; type window_service, system_api_service, system_server_service, service_manager_type;
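Review bot: trust_service and webviewupdate_service are classified as system_api_service in this hunk, yet the auditallow exclusion lists being deleted from untrusted_app.te name both as services untrusted_app was observed finding. Those lookups keep working only through the `allow untrusted_app system_api_service:service_manager find;` rule, which carries a TODO to remove it once priv-apps stop running in untrusted_app, so resolving that TODO will start denying them. If that is the intended end state, a comment on those two type lines recording it (for example `# system_api_service: only reachable by untrusted_app via the temporary system_api_service grant`) would keep the next policy cleanup from tripping over it; if not, the legitimate callers need their own allow rule or the types belong in app_api_service. Separately, scheduling_policy_service and task_service now carry only system_server_service, so they are reachable solely by domains with an explicit per-domain allow (mediaserver gets one for scheduling_policy in this change) — presumably deliberate, but worth a one-line comment since it is the only such pair in the list.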


@ -10,10 +10,4 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms; allow shared_relro shared_relro_file:file create_file_perms;
# Needs to contact the "webviewupdate" and "activity" services # Needs to contact the "webviewupdate" and "activity" services
allow shared_relro tmp_system_server_service:service_manager find; allow shared_relro webviewupdate_service:service_manager find;
service_manager_local_audit_domain(shared_relro)
auditallow shared_relro {
tmp_system_server_service
-webviewupdate_service
}:service_manager find;
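Review bot: The comment retained above the new rule still says shared_relro needs the "webviewupdate" and "activity" services, but the hunk now grants `find` on webviewupdate_service only, and no rule for an activity service type is visible for this domain. If shared_relro really looks up the activity service, the narrowed rule will surface as a service_manager denial at runtime and a matching allow on that service's type is needed; if it does not, the comment is stale and should read `# Needs to contact the "webviewupdate" service`. Either way the comment and the rule should agree, since the comment is now the only record of why this domain needs a system_server service at all.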


@ -63,13 +63,7 @@ allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find; allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find; allow surfaceflinger power_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find }; allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger tmp_system_server_service:service_manager find; allow surfaceflinger window_service:service_manager find;
service_manager_local_audit_domain(surfaceflinger)
auditallow surfaceflinger {
tmp_system_server_service
-window_service
}:service_manager find;
### ###
### Neverallow rules ### Neverallow rules


@ -53,25 +53,9 @@ allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find; allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find; allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add; allow system_app system_app_service:service_manager add;
allow system_app tmp_system_server_service:service_manager find;
allow system_app app_api_service:service_manager find; allow system_app app_api_service:service_manager find;
allow system_app system_api_service:service_manager find; allow system_app system_api_service:service_manager find;
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
-registry_service
-restrictions_service
-sensorservice_service
-textservices_service
-uimode_service
-usagestats_service
-usb_service
-user_service
-vibrator_service
-wifi_service
}:service_manager find;
allow system_app keystore:keystore_key { allow system_app keystore:keystore_key {
test test
get get


@ -371,27 +371,6 @@ allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find; allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find }; allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find; allow system_server surfaceflinger_service:service_manager find;
allow system_server tmp_system_server_service:service_manager { add find };
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
-registry_service
-sensorservice_service
-statusbar_service
-textservices_service
-trust_service
-uimode_service
-updatelock_service
-usagestats_service
-user_service
-vibrator_service
-wallpaper_service
-webviewupdate_service
-wifi_service
-wifip2p_service
-window_service
}:service_manager find;
allow system_server keystore:keystore_key { allow system_server keystore:keystore_key {
test test


@ -81,7 +81,6 @@ allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find; allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find; allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find; allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app tmp_system_server_service:service_manager find;
allow untrusted_app app_api_service:service_manager find; allow untrusted_app app_api_service:service_manager find;
# TODO: remove this once priv-apps are no longer running in untrusted_app # TODO: remove this once priv-apps are no longer running in untrusted_app
@ -90,27 +89,6 @@ allow untrusted_app system_api_service:service_manager find;
# TODO: remove and replace with specific package that accesses this # TODO: remove and replace with specific package that accesses this
allow untrusted_app persistent_data_block_service:service_manager find; allow untrusted_app persistent_data_block_service:service_manager find;
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
-registry_service
-rttmanager_service
-search_service
-sensorservice_service
-statusbar_service
-textservices_service
-trust_service
-uimode_service
-usagestats_service
-user_service
-vibrator_service
-voiceinteraction_service
-wallpaper_service
-webviewupdate_service
-wifi_service
-wifip2p_service
}:service_manager find;
# Allow verifier to access staged apks. # Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;