From 03a6f64f9568e2c58eb043463a5b4ff1cf10bef6 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Wed, 8 Apr 2015 13:04:59 -0700
Subject: [PATCH] Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
---
 bluetooth.te      |  2 --
 drmserver.te      |  8 +-------
 mediaserver.te    |  6 +++---
 nfc.te            |  2 --
 platform_app.te   |  4 +---
 radio.te          |  3 ---
 service.te        | 20 ++++++++++----------
 surfaceflinger.te |  4 ++--
 system_app.te     |  5 -----
 system_server.te  |  6 ------
 untrusted_app.te  |  9 +++------
 11 files changed, 20 insertions(+), 49 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index 4f1ef6e55..bc2acef7f 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
     tmp_system_server_service
-    -network_management_service
-    -power_service
     -registry_service
     -user_service
 }:service_manager find;
diff --git a/drmserver.te b/drmserver.te
index 418ce397a..d76d3bebb 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -50,12 +50,6 @@ allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
 allow drmserver drmserver_service:service_manager { add find };
-allow drmserver tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
-    tmp_system_server_service
-    -permission_service
-}:service_manager find;
+allow drmserver permission_service:service_manager find;
 
 selinux_check_access(drmserver)
diff --git a/mediaserver.te b/mediaserver.te
index 835802e7a..64971015d 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -83,15 +83,15 @@ allow mediaserver appops_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
     tmp_system_server_service
-    -permission_service
-    -power_service
-    -processinfo_service
     -scheduling_policy_service
 }:service_manager find;
 
diff --git a/nfc.te b/nfc.te
index 6532c6853..e4a4ccb56 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,8 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
     tmp_system_server_service
-    -network_management_service
-    -power_service
     -registry_service
     -trust_service
     -user_service
diff --git a/platform_app.te b/platform_app.te
index 89b3a6625..2943e6ce6 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -30,6 +30,7 @@ allow platform_app cache_file:file create_file_perms;
 
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
@@ -39,9 +40,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
-    -network_management_service
-    -notification_service
-    -power_service
     -registry_service
     -search_service
     -sensorservice_service
diff --git a/radio.te b/radio.te
index c14e964d6..469f1d959 100644
--- a/radio.te
+++ b/radio.te
@@ -41,9 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
     tmp_system_server_service
-    -network_management_service
-    -notification_service
-    -power_service
     -registry_service
     -trust_service
     -user_service
diff --git a/service.te b/service.te
index bbca5e7bf..fa4d56e72 100644
--- a/service.te
+++ b/service.te
@@ -62,16 +62,16 @@ type midi_service, app_api_service, system_server_service, service_manager_type;
 type mount_service, app_api_service, system_server_service, service_manager_type;
 type netpolicy_service, app_api_service, system_server_service, service_manager_type;
 type netstats_service, system_api_service, system_server_service, service_manager_type;
-type network_management_service, tmp_system_server_service, service_manager_type;
-type network_score_service, tmp_system_server_service, service_manager_type;
-type notification_service, tmp_system_server_service, service_manager_type;
-type package_service, tmp_system_server_service, service_manager_type;
-type permission_service, tmp_system_server_service, service_manager_type;
-type persistent_data_block_service, tmp_system_server_service, service_manager_type;
-type power_service, tmp_system_server_service, service_manager_type;
-type print_service, tmp_system_server_service, service_manager_type;
-type processinfo_service, tmp_system_server_service, service_manager_type;
-type procstats_service, tmp_system_server_service, service_manager_type;
+type network_management_service, system_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_server_service, service_manager_type;
+type power_service, app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, system_server_service, service_manager_type;
 type restrictions_service, tmp_system_server_service, service_manager_type;
 type rttmanager_service, tmp_system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
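Review bot: `persistent_data_block_service` and `processinfo_service` are the only two types in this hunk moved off `tmp_system_server_service` without gaining `app_api_service` or `system_api_service`, so every domain that is not given an explicit `find` rule elsewhere in this patch loses access to them. That looks intentional (mediaserver, platform_app and untrusted_app get per-domain rules in the other hunks), but nothing in the file records the decision, so the next person adding a service cannot tell whether the omission is deliberate or an oversight. A one-line comment above each, e.g. `# no api attribute on purpose: access is granted per-domain`, would make the restriction self-documenting. The type list continues outside the hunk on both sides.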
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 007be9624..c83caf2a6 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -60,14 +60,14 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 # media.player service
 allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(surfaceflinger)
 auditallow surfaceflinger {
     tmp_system_server_service
-    -permission_service
-    -power_service
     -window_service
 }:service_manager find;
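Review bot: The two added `find` rules for `permission_service` and `power_service` land directly under the `# media.player service` comment, which describes only the `mediaserver_service` line, so a reader now takes them as part of the media.player dependency. Either move the new lines below the `surfaceflinger_service` rule or give them their own heading, e.g. `# permission and power services`, leaving the existing comment attached to the line it explains. This is layout only; the policy is unchanged either way.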
 
diff --git a/system_app.te b/system_app.te
index d518e1194..9b4e29a48 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,11 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
-    -network_management_service
-    -network_score_service
-    -notification_service
-    -power_service
-    -print_service
     -registry_service
     -restrictions_service
     -sensorservice_service
diff --git a/system_server.te b/system_server.te
index a2cfeba2f..cb5d5cb9f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -376,12 +376,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
-    -network_management_service
-    -network_score_service
-    -notification_service
-    -package_service
-    -permission_service
-    -power_service
     -registry_service
     -sensorservice_service
     -statusbar_service
diff --git a/untrusted_app.te b/untrusted_app.te
index c1135e86b..c94092a11 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -87,15 +87,12 @@ allow untrusted_app app_api_service:service_manager find;
 # TODO: remove this once priv-apps are no longer running in untrusted_app
 allow untrusted_app system_api_service:service_manager find;
 
+# TODO: remove and replace with specific package that accesses this
+allow untrusted_app persistent_data_block_service:service_manager find;
+
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     tmp_system_server_service
-    -network_management_service
-    -network_score_service
-    -notification_service
-    -persistent_data_block_service
-    -power_service
-    -procstats_service
     -registry_service
     -rttmanager_service
     -search_service
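Review bot: The new `allow untrusted_app persistent_data_block_service:service_manager find;` grants the whole untrusted_app domain lookup of the persistent-data-block service, and because `-persistent_data_block_service` is dropped from the `auditallow` exclusions below at the same time, the access stops being audited exactly when the broad grant is introduced. Keeping an `auditallow untrusted_app persistent_data_block_service:service_manager find;` next to the new rule would preserve the log signal needed to identify which package actually uses it, which is what the TODO asks for. The TODO would also be easier to act on with a tracking reference, e.g. `# TODO(b/<tracking-bug>): remove and replace with specific package that accesses this`. The `auditallow untrusted_app { ... }` block continues outside the hunk.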
-- 
GitLab