From 23f336156daf61ba07c024af2fe96994605f46eb Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 3 Mar 2015 11:20:15 -0800
Subject: [PATCH] Record observed system_server servicemanager service
 requests.

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
---
 drmserver.te     |  6 ++++++
 dumpstate.te     | 16 ++--------------
 mediaserver.te   |  7 +------
 nfc.te           | 19 +++++++++++++++++++
 platform_app.te  |  1 +
 radio.te         |  6 ++++++
 shared_relro.te  |  6 ++++++
 shell.te         |  1 +
 system_app.te    | 21 +++++++++++++++++++++
 system_server.te |  5 +++++
 untrusted_app.te | 14 ++++++++++++++
 11 files changed, 82 insertions(+), 20 deletions(-)

diff --git a/drmserver.te b/drmserver.te
index 482c2185f..e52d679ff 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -53,4 +53,10 @@ allow drmserver drmserver_service:service_manager { add find };
 allow drmserver system_server_service:service_manager find;
 allow drmserver tmp_system_server_service:service_manager find;
 
+service_manager_local_audit_domain(drmserver)
+auditallow drmserver {
+    tmp_system_server_service
+    -permission_service
+}:service_manager find;
+
 selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index 320b19fa3..cb38e0ba0 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -104,20 +104,8 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
-allow dumpstate {
-    drmserver_service
-    healthd_service
-    inputflinger_service
-    keystore_service
-    mediaserver_service
-    nfc_service
-    radio_service
-    surfaceflinger_service
-    system_app_service
-    system_server_service
-    tmp_system_server_service
-}:service_manager find;
-
+allow dumpstate service_manager_type:service_manager find;
 allow dumpstate servicemanager:service_manager list;
+service_manager_local_audit_domain(dumpstate)
 
 allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/mediaserver.te b/mediaserver.te
index ec69aed09..a8bc55fea 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -84,15 +84,10 @@ allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;
 
-# address tmp_system_server_service accesses
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
     tmp_system_server_service
+    -appops_service
     -batterystats_service
     -permission_service
     -power_service
diff --git a/nfc.te b/nfc.te
index e825b1b71..00826bb39 100644
--- a/nfc.te
+++ b/nfc.te
@@ -25,3 +25,22 @@ allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc system_server_service:service_manager find;
 allow nfc tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+    tmp_system_server_service
+    -accessibility_service
+    -activity_service
+    -appops_service
+    -batterystats_service
+    -bluetooth_manager_service
+    -connectivity_service
+    -content_service
+    -display_service
+    -dropbox_service
+    -network_management_service
+    -power_service
+    -trust_service
+    -user_service
+    -vibrator_service
+}:service_manager find;
\ No newline at end of file
diff --git a/platform_app.te b/platform_app.te
index 61cc75729..378d45526 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,6 +39,7 @@ service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
     -accessibility_service
+    -account_service
     -activity_service
     -appops_service
     -appwidget_service
diff --git a/radio.te b/radio.te
index a6aec28e1..b5ff4a7e4 100644
--- a/radio.te
+++ b/radio.te
@@ -42,11 +42,17 @@ auditallow radio {
     tmp_system_server_service
     -activity_service
     -appops_service
+    -bluetooth_manager_service
     -connectivity_service
     -content_service
     -display_service
     -dropbox_service
+    -netstats_service
     -network_management_service
+    -notification_service
     -power_service
     -registry_service
+    -trust_service
+    -user_service
+    -wifi_service
 }:service_manager find;
diff --git a/shared_relro.te b/shared_relro.te
index c4443824c..1a7e2d030 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -12,3 +12,9 @@ allow shared_relro shared_relro_file:file create_file_perms;
 # Needs to contact the "webviewupdate" and "activity" services
 allow shared_relro system_server_service:service_manager find;
 allow shared_relro tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(shared_relro)
+auditallow shared_relro {
+    tmp_system_server_service
+    -webviewupdate_service
+}:service_manager find;
diff --git a/shell.te b/shell.te
index d31a496e1..8cfe9ac43 100644
--- a/shell.te
+++ b/shell.te
@@ -60,6 +60,7 @@ allow shell kernel:system syslog_read;
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 allow shell service_manager_type:service_manager find;
+service_manager_local_audit_domain(shell)
 
 # allow shell to look through /proc/ for ps, top
 allow shell domain:dir { search open read getattr };
diff --git a/system_app.te b/system_app.te
index ea936aa1d..d3c7bdd17 100644
--- a/system_app.te
+++ b/system_app.te
@@ -62,11 +62,32 @@ auditallow system_app {
     -accessibility_service
     -activity_service
     -appops_service
+    -appwidget_service
+    -assetatlas_service
+    -audio_service
+    -backup_service
+    -bluetooth_manager_service
     -connectivity_service
+    -content_service
+    -device_policy_service
     -display_service
+    -dreams_service
     -dropbox_service
+    -input_method_service
+    -input_service
+    -lock_settings_service
+    -mount_service
     -network_management_service
+    -notification_service
+    -power_service
+    -print_service
+    -registry_service
+    -sensorservice_service
+    -usagestats_service
+    -usb_service
     -user_service
+    -vibrator_service
+    -wifi_service
 }:service_manager find;
 
 allow system_app keystore:keystore_key {
diff --git a/system_server.te b/system_server.te
index ae9ada2c3..191c446e6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,9 +364,11 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
+allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
@@ -376,9 +378,11 @@ allow system_server tmp_system_server_service:service_manager { add find };
 allow system_server service_manager_type:service_manager find;
 auditallow system_server {
     service_manager_type
+    -drmserver_service
     -healthd_service
     -keystore_service
     -mediaserver_service
+    -nfc_service
     -radio_service
     -system_server_service
     -surfaceflinger_service
@@ -418,6 +422,7 @@ auditallow system_server {
     -network_score_service
     -notification_service
     -package_service
+    -permission_service
     -power_service
     -registry_service
     -sensorservice_service
diff --git a/untrusted_app.te b/untrusted_app.te
index bb93526a5..91cb46ac6 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -82,18 +82,27 @@ auditallow untrusted_app {
     -assetatlas_service
     -audio_service
     -backup_service
+    -battery_service
     -batterystats_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
+    -country_detector_service
+    -default_android_service
     -device_policy_service
     -display_service
     -dropbox_service
     -input_method_service
     -input_service
     -jobscheduler_service
+    -launcherapps_service
     -location_service
+    -lock_settings_service
+    -media_router_service
+    -media_session_service
+    -meminfo_service
     -mount_service
+    -netpolicy_service
     -netstats_service
     -network_management_service
     -network_score_service
@@ -101,13 +110,18 @@ auditallow untrusted_app {
     -persistent_data_block_service
     -power_service
     -registry_service
+    -search_service
+    -sensorservice_service
     -textservices_service
     -trust_service
     -uimode_service
     -user_service
     -vibrator_service
+    -voiceinteraction_service
+    -wallpaper_service
     -webviewupdate_service
     -wifi_service
+    -wifip2p_service
 }:service_manager find;
 
 ###
-- 
GitLab