diff --git a/bluetooth.te b/bluetooth.te index 4f1ef6e55a9590e1afcb72f8e4976b471b28a273..bc2acef7f48896c76e3551c144714973efa43f8f 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find; service_manager_local_audit_domain(bluetooth) auditallow bluetooth { tmp_system_server_service - -network_management_service - -power_service -registry_service -user_service }:service_manager find; diff --git a/drmserver.te b/drmserver.te index 418ce397a85b857ac517a5368d8ac42a26d3d16e..d76d3bebbf53427ae77898f449035a45f2d616c4 100644 --- a/drmserver.te +++ b/drmserver.te @@ -50,12 +50,6 @@ allow drmserver oemfs:dir search; allow drmserver oemfs:file r_file_perms; allow drmserver drmserver_service:service_manager { add find }; -allow drmserver tmp_system_server_service:service_manager find; - -service_manager_local_audit_domain(drmserver) -auditallow drmserver { - tmp_system_server_service - -permission_service -}:service_manager find; +allow drmserver permission_service:service_manager find; selinux_check_access(drmserver) diff --git a/mediaserver.te b/mediaserver.te index 835802e7ada5be16101886ef2694293d54c52759..64971015d33c2d11ee585325d467e60f7d82d773 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -83,15 +83,15 @@ allow mediaserver appops_service:service_manager find; allow mediaserver batterystats_service:service_manager find; allow mediaserver drmserver_service:service_manager find; allow mediaserver mediaserver_service:service_manager { add find }; +allow mediaserver permission_service:service_manager find; +allow mediaserver power_service:service_manager find; +allow mediaserver processinfo_service:service_manager find; allow mediaserver surfaceflinger_service:service_manager find; allow mediaserver tmp_system_server_service:service_manager find; service_manager_local_audit_domain(mediaserver) auditallow mediaserver { tmp_system_server_service - -permission_service - -power_service - -processinfo_service -scheduling_policy_service }:service_manager find; diff --git a/nfc.te b/nfc.te index 6532c6853207a353c74c1edaf488df2c61a2f76b..e4a4ccb564024737c738cb9d6e5c3ca50e2e65c1 100644 --- a/nfc.te +++ b/nfc.te @@ -30,8 +30,6 @@ allow nfc system_api_service:service_manager find; service_manager_local_audit_domain(nfc) auditallow nfc { tmp_system_server_service - -network_management_service - -power_service -registry_service -trust_service -user_service diff --git a/platform_app.te b/platform_app.te index 89b3a6625049475c27d97ee00c59f05f23d7d7f9..2943e6ce6600a0c1189597497e8df178a0fa97eb 100644 --- a/platform_app.te +++ b/platform_app.te @@ -30,6 +30,7 @@ allow platform_app cache_file:file create_file_perms; allow platform_app drmserver_service:service_manager find; allow platform_app mediaserver_service:service_manager find; +allow platform_app persistent_data_block_service:service_manager find; allow platform_app radio_service:service_manager find; allow platform_app surfaceflinger_service:service_manager find; allow platform_app tmp_system_server_service:service_manager find; @@ -39,9 +40,6 @@ allow platform_app system_api_service:service_manager find; service_manager_local_audit_domain(platform_app) auditallow platform_app { tmp_system_server_service - -network_management_service - -notification_service - -power_service -registry_service -search_service -sensorservice_service diff --git a/radio.te b/radio.te index c14e964d6a11f229b07e900b7a1a74fbb6de976b..469f1d959872d21d95c0c3c813a0d003d9d79304 100644 --- a/radio.te +++ b/radio.te @@ -41,9 +41,6 @@ allow radio system_api_service:service_manager find; service_manager_local_audit_domain(radio) auditallow radio { tmp_system_server_service - -network_management_service - -notification_service - -power_service -registry_service -trust_service -user_service diff --git a/service.te b/service.te index bbca5e7bf712db69fdf64302a8848cdd77a66ea1..fa4d56e720bf826f460d16302574e084e3e51ff3 100644 --- a/service.te +++ b/service.te @@ -62,16 +62,16 @@ type midi_service, app_api_service, system_server_service, service_manager_type; type mount_service, app_api_service, system_server_service, service_manager_type; type netpolicy_service, app_api_service, system_server_service, service_manager_type; type netstats_service, system_api_service, system_server_service, service_manager_type; -type network_management_service, tmp_system_server_service, service_manager_type; -type network_score_service, tmp_system_server_service, service_manager_type; -type notification_service, tmp_system_server_service, service_manager_type; -type package_service, tmp_system_server_service, service_manager_type; -type permission_service, tmp_system_server_service, service_manager_type; -type persistent_data_block_service, tmp_system_server_service, service_manager_type; -type power_service, tmp_system_server_service, service_manager_type; -type print_service, tmp_system_server_service, service_manager_type; -type processinfo_service, tmp_system_server_service, service_manager_type; -type procstats_service, tmp_system_server_service, service_manager_type; +type network_management_service, system_api_service, system_server_service, service_manager_type; +type network_score_service, system_api_service, system_server_service, service_manager_type; +type notification_service, app_api_service, system_server_service, service_manager_type; +type package_service, app_api_service, system_server_service, service_manager_type; +type permission_service, app_api_service, system_server_service, service_manager_type; +type persistent_data_block_service, system_server_service, service_manager_type; +type power_service, app_api_service, system_server_service, service_manager_type; +type print_service, app_api_service, system_server_service, service_manager_type; +type processinfo_service, system_server_service, service_manager_type; +type procstats_service, app_api_service, system_server_service, service_manager_type; type restrictions_service, tmp_system_server_service, service_manager_type; type rttmanager_service, tmp_system_server_service, service_manager_type; type samplingprofiler_service, system_server_service, service_manager_type; diff --git a/surfaceflinger.te b/surfaceflinger.te index 007be9624c95ae6b6ee1554c86ffd790bc79d3d2..c83caf2a6451a73f63918edbb57a980c79328821 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -60,14 +60,14 @@ allow surfaceflinger tee_device:chr_file rw_file_perms; # media.player service allow surfaceflinger mediaserver_service:service_manager find; +allow surfaceflinger permission_service:service_manager find; +allow surfaceflinger power_service:service_manager find; allow surfaceflinger surfaceflinger_service:service_manager { add find }; allow surfaceflinger tmp_system_server_service:service_manager find; service_manager_local_audit_domain(surfaceflinger) auditallow surfaceflinger { tmp_system_server_service - -permission_service - -power_service -window_service }:service_manager find; diff --git a/system_app.te b/system_app.te index d518e119488133eff61072a5de30454dbb94d68c..9b4e29a481624e3f2b0834482a92fe571b0a57e6 100644 --- a/system_app.te +++ b/system_app.te @@ -60,11 +60,6 @@ allow system_app system_api_service:service_manager find; service_manager_local_audit_domain(system_app) auditallow system_app { tmp_system_server_service - -network_management_service - -network_score_service - -notification_service - -power_service - -print_service -registry_service -restrictions_service -sensorservice_service diff --git a/system_server.te b/system_server.te index a2cfeba2fc804055b98231cf1a37152289713e27..cb5d5cb9f4b7a3425d2c2d30ed7d587679b1b28a 100644 --- a/system_server.te +++ b/system_server.te @@ -376,12 +376,6 @@ allow system_server tmp_system_server_service:service_manager { add find }; service_manager_local_audit_domain(system_server) auditallow system_server { tmp_system_server_service - -network_management_service - -network_score_service - -notification_service - -package_service - -permission_service - -power_service -registry_service -sensorservice_service -statusbar_service diff --git a/untrusted_app.te b/untrusted_app.te index c1135e86be610076d8fc8790cd1bfac20d55e558..c94092a11a43d4ca6a663e32759bf93499f39daf 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -87,15 +87,12 @@ allow untrusted_app app_api_service:service_manager find; # TODO: remove this once priv-apps are no longer running in untrusted_app allow untrusted_app system_api_service:service_manager find; +# TODO: remove and replace with specific package that accesses this +allow untrusted_app persistent_data_block_service:service_manager find; + service_manager_local_audit_domain(untrusted_app) auditallow untrusted_app { tmp_system_server_service - -network_management_service - -network_score_service - -notification_service - -persistent_data_block_service - -power_service - -procstats_service -registry_service -rttmanager_service -search_service