diff --git a/platform_app.te b/platform_app.te
index 3f01769eb72aedc4520ba2cafafd04a3930a6cd4..d98442e5d1c276a10a07ea6fbf4e789d8678270e 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,12 +36,24 @@ allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
 # address tmp_system_server_service accesses
-allow platform_app input_service:service_manager find;
-allow platform_app lock_settings_service:service_manager find;
+allow platform_app {
+ activity_service
+ connectivity_service
+ display_service
+ dropbox_service
+ input_service
+ lock_settings_service
+ mount_service
+}:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
 tmp_system_server_service
+ -activity_service
+ -connectivity_service
+ -display_service
+ -dropbox_service
 -input_service
 -lock_settings_service
+ -mount_service
 }:service_manager find;
\ No newline at end of file
diff --git a/system_app.te b/system_app.te
index a445e574d19f21f35024a9f8573c31be9fc9e785..12a51952e311c4485f99027d531c28d9858ea0c0 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,6 +57,23 @@ allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
+# address tmp_system_server_service accesses
+allow system_app {
+ activity_service
+ connectivity_service
+ display_service
+ dropbox_service
+}:service_manager find;
+
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+ tmp_system_server_service
+ -activity_service
+ -connectivity_service
+ -display_service
+ -dropbox_service
+}:service_manager find;
+
 allow system_app keystore:keystore_key {
 test
 get
diff --git a/system_server.te b/system_server.te
index 45c4936000d1e94be1448b39cf5333ce2397e4ff..73ff33ced38d51e1094ddfb6f0a98ba660331fb2 100644
--- a/system_server.te
+++ b/system_server.te
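Review bot: In platform_app.te the seven services in the new `allow platform_app { … }` set are repeated by hand as `-service` exclusions in the `auditallow` block below it, and nothing ties the two lists together. If a later edit adds a name to the exclusions only, the lookup presumably stays permitted through the blanket `tmp_system_server_service` rule but is no longer logged, so the audit that drives this migration would miss it. A comment above the allow set, such as `# Keep in sync with the auditallow exclusions below.`, would make the coupling explicit. The same pairing appears in the system_app.te, system_server.te and untrusted_app.te hunks.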
@@ -383,17 +383,30 @@ auditallow system_server {
 -radio_service
 -system_server_service
 -surfaceflinger_service
+ -tmp_system_server_service
 }:service_manager find;
 # address tmp_system_server_service accesses
-allow system_server dreams_service:service_manager find;
-allow system_server mount_service:service_manager find;
+allow system_server {
+ account_service
+ backup_service
+ dreams_service
+ mount_service
+ package_service
+ wallpaper_service
+ wifi_service
+}:service_manager find;
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
 tmp_system_server_service
+ -account_service
+ -backup_service
 -dreams_service
 -mount_service
+ -package_service
+ -wallpaper_service
+ -wifi_service
 }:service_manager find;
 allow system_server keystore:keystore_key {
diff --git a/untrusted_app.te b/untrusted_app.te
index 40dc8cb780af4fa7f3e43bb9f3ec76fb6c9e188b..18d71cdfacacb7b39f0458a715cc73057b820123 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
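Review bot: The `-tmp_system_server_service` exclusion added to the first `auditallow system_server { … }` set in system_server.te carries no comment, and that block opens outside the hunk, so its full set cannot be checked from here. The intent appears to be that finds on `tmp_system_server_service` are logged only by the local `auditallow` further down, which subtracts the explicitly allowed services. Without a note, a later reader may take the exclusion for an accidental loss of audit coverage. A comment line above it, such as `# tmp_system_server_service finds are audited by the local auditallow below.`, would record that.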
@@ -74,31 +74,40 @@ allow untrusted_app tmp_system_server_service:service_manager find;
 # address tmp_system_server_service accesses
 service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app accessibility_service:service_manager find;
-allow untrusted_app account_service:service_manager find;
-allow untrusted_app activity_service:service_manager find;
-allow untrusted_app appops_service:service_manager find;
-allow untrusted_app appwidget_service:service_manager find;
-allow untrusted_app assetatlas_service:service_manager find;
-allow untrusted_app audio_service:service_manager find;
-allow untrusted_app bluetooth_manager_service:service_manager find;
-allow untrusted_app connectivity_service:service_manager find;
-allow untrusted_app content_service:service_manager find;
-allow untrusted_app device_policy_service:service_manager find;
-allow untrusted_app display_service:service_manager find;
-allow untrusted_app dropbox_service:service_manager find;
-allow untrusted_app input_method_service:service_manager find;
-allow untrusted_app input_service:service_manager find;
-allow untrusted_app jobscheduler_service:service_manager find;
-allow untrusted_app notification_service:service_manager find;
-allow untrusted_app persistent_data_block_service:service_manager find;
-allow untrusted_app power_service:service_manager find;
-allow untrusted_app registry_service:service_manager find;
-allow untrusted_app textservices_service:service_manager find;
-allow untrusted_app trust_service:service_manager find;
-allow untrusted_app user_service:service_manager find;
-allow untrusted_app webviewupdate_service:service_manager find;
-allow untrusted_app wifi_service:service_manager find;
+allow untrusted_app {
+ accessibility_service
+ account_service
+ activity_service
+ appops_service
+ appwidget_service
+ assetatlas_service
+ audio_service
+ backup_service
+ batterystats_service
+ bluetooth_manager_service
+ connectivity_service
+ content_service
+ device_policy_service
+ display_service
+ dropbox_service
+ input_method_service
+ input_service
+ jobscheduler_service
+ location_service
+ mount_service
+ netstats_service
+ network_score_service
+ notification_service
+ persistent_data_block_service
+ power_service
+ registry_service
+ textservices_service
+ trust_service
+ uimode_service
+ user_service
+ webviewupdate_service
+ wifi_service
+}:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
@@ -110,6 +119,8 @@ auditallow untrusted_app {
 -appwidget_service
 -assetatlas_service
 -audio_service
+ -backup_service
+ -batterystats_service
 -bluetooth_manager_service
 -connectivity_service
 -content_service
@@ -119,12 +130,17 @@ auditallow untrusted_app {
 -input_method_service
 -input_service
 -jobscheduler_service
+ -location_service
+ -mount_service
+ -netstats_service
+ -network_score_service
 -notification_service
 -persistent_data_block_service
 -power_service
 -registry_service
 -textservices_service
 -trust_service
+ -uimode_service
 -user_service
 -webviewupdate_service
 -wifi_service
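Review bot: The first untrusted_app.te hunk adds seven services that were not in the old per-line rules (`backup_service`, `batterystats_service`, `location_service`, `mount_service`, `netstats_service`, `network_score_service`, `uimode_service`) without saying why third-party apps need to look them up. The two later hunks subtract the same seven from the `auditallow`, so those lookups are no longer logged. `service_manager find` looks like the only per-service SELinux gate here, which leaves each of these services relying on its own permission checks on the calls that follow; a comment per new entry of the form `# mount_service: <why untrusted apps need it>` would let a reviewer confirm that before the blanket `tmp_system_server_service` rule is retired. Separately, `service_manager_local_audit_domain(untrusted_app)` appears in the context both before and after the allow set, and one call is presumably enough.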