Enforce more specific service access.

Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging: registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window Bug: 18106000 Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-08 15:12:24 -07:00 · 2015-04-08 15:12:24 -07:00 · bd7f5803f9
commit bd7f5803f9
parent 03a6f64f95
13 changed files with 29 additions and 157 deletions
--- a/3
+++ b/3
@ -42,8 +42,7 @@ attribute port_type;
 # All types used for property service
 attribute property_type;
-# All service_manager types formerly given system_server_service type
+# All service_manager types created by system_server
 attribute tmp_system_server_service;
 attribute system_server_service;
 # services which should be available to all but isolated apps
--- a/bluetooth.te
+++ b/bluetooth.te
@ -53,17 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
 allow bluetooth tmp_system_server_service:service_manager find;
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
    tmp_system_server_service
    -registry_service
    -user_service
 }:service_manager find;
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
--- a/domain.te
+++ b/domain.te
@ -166,9 +166,6 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 # log all access to specified system_server services
 auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
 ###
 ### neverallow rules
 ###
--- a/mediaserver.te
+++ b/mediaserver.te
@ -86,14 +86,8 @@ allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;
 allow mediaserver processinfo_service:service_manager find;
 allow mediaserver scheduling_policy_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
    tmp_system_server_service
    -scheduling_policy_service
 }:service_manager find;
 # /oem access
 allow mediaserver oemfs:dir search;
--- a/nfc.te
+++ b/nfc.te
@ -23,19 +23,9 @@ allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc tmp_system_server_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
    tmp_system_server_service
    -registry_service
    -trust_service
    -user_service
    -vibrator_service
 }:service_manager find;
 # already open bugreport file descriptors may be shared with
 # the nfc process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
--- a/platform_app.te
+++ b/platform_app.te
@ -33,23 +33,5 @@ allow platform_app mediaserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
    tmp_system_server_service
    -registry_service
    -search_service
    -sensorservice_service
    -statusbar_service
    -trust_service
    -uimode_service
    -usb_service
    -user_service
    -vibrator_service
    -wallpaper_service
    -webviewupdate_service
    -wifi_service
 }:service_manager find;
--- a/radio.te
+++ b/radio.te
@ -34,16 +34,5 @@ allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio tmp_system_server_service:service_manager find;
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
    tmp_system_server_service
    -registry_service
    -trust_service
    -user_service
    -vibrator_service
    -wifi_service
 }:service_manager find;
--- a/service.te
+++ b/service.te
@ -72,31 +72,31 @@ type power_service, app_api_service, system_server_service, service_manager_type
 type print_service, app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
 type procstats_service, app_api_service, system_server_service, service_manager_type;
-type restrictions_service, tmp_system_server_service, service_manager_type;
+type registry_service, app_api_service, system_server_service, service_manager_type;
-type rttmanager_service, tmp_system_server_service, service_manager_type;
+type restrictions_service, app_api_service, system_server_service, service_manager_type;
 type rttmanager_service, app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, tmp_system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, tmp_system_server_service, service_manager_type;
+type search_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, tmp_system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, system_server_service, service_manager_type;
-type serial_service, tmp_system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, tmp_system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, tmp_system_server_service, service_manager_type;
+type statusbar_service, app_api_service, system_server_service, service_manager_type;
-type task_service, tmp_system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
-type registry_service, tmp_system_server_service, service_manager_type;
+type textservices_service, app_api_service, system_server_service, service_manager_type;
-type textservices_service, tmp_system_server_service, service_manager_type;
+type telecom_service, app_api_service, system_server_service, service_manager_type;
-type telecom_service, tmp_system_server_service, service_manager_type;
+type trust_service, system_api_service, system_server_service, service_manager_type;
 type trust_service, tmp_system_server_service, service_manager_type;
 type tv_input_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, tmp_system_server_service, service_manager_type;
+type uimode_service, app_api_service, system_server_service, service_manager_type;
-type updatelock_service, tmp_system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type usagestats_service, tmp_system_server_service, service_manager_type;
+type usagestats_service, app_api_service, system_server_service, service_manager_type;
-type usb_service, tmp_system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, tmp_system_server_service, service_manager_type;
+type user_service, app_api_service, system_server_service, service_manager_type;
-type vibrator_service, tmp_system_server_service, service_manager_type;
+type vibrator_service, app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, tmp_system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
-type wallpaper_service, tmp_system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, tmp_system_server_service, service_manager_type;
+type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
-type wifip2p_service, tmp_system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, tmp_system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
-type window_service, tmp_system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
--- a/shared_relro.te
+++ b/shared_relro.te
@ -10,10 +10,4 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;
 # Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro tmp_system_server_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
 service_manager_local_audit_domain(shared_relro)
 auditallow shared_relro {
    tmp_system_server_service
    -webviewupdate_service
 }:service_manager find;
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@ -63,13 +63,7 @@ allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger tmp_system_server_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
 service_manager_local_audit_domain(surfaceflinger)
 auditallow surfaceflinger {
    tmp_system_server_service
    -window_service
 }:service_manager find;
 ###
 ### Neverallow rules
--- a/system_app.te
+++ b/system_app.te
@ -53,25 +53,9 @@ allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
 allow system_app tmp_system_server_service:service_manager find;
 allow system_app app_api_service:service_manager find;
 allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
    tmp_system_server_service
    -registry_service
    -restrictions_service
    -sensorservice_service
    -textservices_service
    -uimode_service
    -usagestats_service
    -usb_service
    -user_service
    -vibrator_service
    -wifi_service
 }:service_manager find;
 allow system_app keystore:keystore_key {
 	test
 	get
--- a/system_server.te
+++ b/system_server.te
@ -371,27 +371,6 @@ allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
    tmp_system_server_service
    -registry_service
    -sensorservice_service
    -statusbar_service
    -textservices_service
    -trust_service
    -uimode_service
    -updatelock_service
    -usagestats_service
    -user_service
    -vibrator_service
    -wallpaper_service
    -webviewupdate_service
    -wifi_service
    -wifip2p_service
    -window_service
 }:service_manager find;
 allow system_server keystore:keystore_key {
 	test
--- a/untrusted_app.te
+++ b/untrusted_app.te
@ -81,7 +81,6 @@ allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app tmp_system_server_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
 # TODO: remove this once priv-apps are no longer running in untrusted_app
@ -90,27 +89,6 @@ allow untrusted_app system_api_service:service_manager find;
 # TODO: remove and replace with specific package that accesses this
 allow untrusted_app persistent_data_block_service:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
    tmp_system_server_service
    -registry_service
    -rttmanager_service
    -search_service
    -sensorservice_service
    -statusbar_service
    -textservices_service
    -trust_service
    -uimode_service
    -usagestats_service
    -user_service
    -vibrator_service
    -voiceinteraction_service
    -wallpaper_service
    -webviewupdate_service
    -wifi_service
    -wifip2p_service
 }:service_manager find;
 # Allow verifier to access staged apks.
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;