Merge "Remove known system_server service accesses from auditing."

0d16b5ac · dcashman · Gerrit Code Review · 7818711a · c631ede7 · 0d16b5ac
Commit 0d16b5ac authored 10 years ago by dcashman Committed by Gerrit Code Review 10 years ago
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,12 +36,24 @@ allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;

 # address tmp_system_server_service accesses
-allow platform_app input_service:service_manager find;
-allow platform_app lock_settings_service:service_manager find;
+allow platform_app {
+    activity_service
+    connectivity_service
+    display_service
+    dropbox_service
+    input_service
+    lock_settings_service
+    mount_service
+}:service_manager find;

 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
    tmp_system_server_service
+    -activity_service
+    -connectivity_service
+    -display_service
+    -dropbox_service
    -input_service
    -lock_settings_service
+    -mount_service
 }:service_manager find;
\ No newline at end of file
--- a/system_app.te
+++ b/system_app.te
@@ -57,6 +57,23 @@ allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;

+# address tmp_system_server_service accesses
+allow system_app {
+    activity_service
+    connectivity_service
+    display_service
+    dropbox_service
+}:service_manager find;
+
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+    tmp_system_server_service
+    -activity_service
+    -connectivity_service
+    -display_service
+    -dropbox_service
+}:service_manager find;
+
 allow system_app keystore:keystore_key {
 	test
 	get

--- a/system_server.te
+++ b/system_server.te
@@ -383,17 +383,30 @@ auditallow system_server {
    -radio_service
    -system_server_service
    -surfaceflinger_service
+    -tmp_system_server_service
 }:service_manager find;

 # address tmp_system_server_service accesses
-allow system_server dreams_service:service_manager find;
-allow system_server mount_service:service_manager find;
+allow system_server {
+    account_service
+    backup_service
+    dreams_service
+    mount_service
+    package_service
+    wallpaper_service
+    wifi_service
+}:service_manager find;

 service_manager_local_audit_domain(system_server)
 auditallow system_server {
    tmp_system_server_service
+    -account_service
+    -backup_service
    -dreams_service
    -mount_service
+    -package_service
+    -wallpaper_service
+    -wifi_service
 }:service_manager find;

 allow system_server keystore:keystore_key {

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -74,31 +74,40 @@ allow untrusted_app tmp_system_server_service:service_manager find;

 # address tmp_system_server_service accesses
 service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app accessibility_service:service_manager find;
-allow untrusted_app account_service:service_manager find;
-allow untrusted_app activity_service:service_manager find;
-allow untrusted_app appops_service:service_manager find;
-allow untrusted_app appwidget_service:service_manager find;
-allow untrusted_app assetatlas_service:service_manager find;
-allow untrusted_app audio_service:service_manager find;
-allow untrusted_app bluetooth_manager_service:service_manager find;
-allow untrusted_app connectivity_service:service_manager find;
-allow untrusted_app content_service:service_manager find;
-allow untrusted_app device_policy_service:service_manager find;
-allow untrusted_app display_service:service_manager find;
-allow untrusted_app dropbox_service:service_manager find;
-allow untrusted_app input_method_service:service_manager find;
-allow untrusted_app input_service:service_manager find;
-allow untrusted_app jobscheduler_service:service_manager find;
-allow untrusted_app notification_service:service_manager find;
-allow untrusted_app persistent_data_block_service:service_manager find;
-allow untrusted_app power_service:service_manager find;
-allow untrusted_app registry_service:service_manager find;
-allow untrusted_app textservices_service:service_manager find;
-allow untrusted_app trust_service:service_manager find;
-allow untrusted_app user_service:service_manager find;
-allow untrusted_app webviewupdate_service:service_manager find;
-allow untrusted_app wifi_service:service_manager find;
+allow untrusted_app {
+    accessibility_service
+    account_service
+    activity_service
+    appops_service
+    appwidget_service
+    assetatlas_service
+    audio_service
+    backup_service
+    batterystats_service
+    bluetooth_manager_service
+    connectivity_service
+    content_service
+    device_policy_service
+    display_service
+    dropbox_service
+    input_method_service
+    input_service
+    jobscheduler_service
+    location_service
+    mount_service
+    netstats_service
+    network_score_service
+    notification_service
+    persistent_data_block_service
+    power_service
+    registry_service
+    textservices_service
+    trust_service
+    uimode_service
+    user_service
+    webviewupdate_service
+    wifi_service
+}:service_manager find;

 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
@@ -110,6 +119,8 @@ auditallow untrusted_app {
    -appwidget_service
    -assetatlas_service
    -audio_service
+    -backup_service
+    -batterystats_service
    -bluetooth_manager_service
    -connectivity_service
    -content_service
@@ -119,12 +130,17 @@ auditallow untrusted_app {
    -input_method_service
    -input_service
    -jobscheduler_service
+    -location_service
+    -mount_service
+    -netstats_service
+    -network_score_service
    -notification_service
    -persistent_data_block_service
    -power_service
    -registry_service
    -textservices_service
    -trust_service
+    -uimode_service
    -user_service
    -webviewupdate_service
    -wifi_service