From 3cc6fc5ffbd6e3d647f8c425e5298912d3733e45 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 7 Apr 2015 12:37:32 -0700
Subject: [PATCH] Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicsstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
---
 bluetooth.te     |  2 --
 nfc.te           |  2 --
 platform_app.te  |  7 -------
 radio.te         |  4 ----
 service.te       | 22 +++++++++++-----------
 system_app.te    |  7 -------
 system_server.te |  8 --------
 untrusted_app.te |  7 -------
 8 files changed, 11 insertions(+), 48 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index b90e48feb..863cbd877 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
     tmp_system_server_service
-    -display_service
-    -dropbox_service
     -media_session_service
     -network_management_service
     -power_service
diff --git a/nfc.te b/nfc.te
index 156aeb703..6532c6853 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,8 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
     tmp_system_server_service
-    -display_service
-    -dropbox_service
     -network_management_service
     -power_service
     -registry_service
diff --git a/platform_app.te b/platform_app.te
index 0016f2070..3676c5d3f 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,13 +39,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
-    -display_service
-    -dreams_service
-    -dropbox_service
-    -fingerprint_service
-    -graphicsstats_service
-    -input_method_service
-    -input_service
     -lock_settings_service
     -media_projection_service
     -media_router_service
diff --git a/radio.te b/radio.te
index 060c3a612..f71d02fde 100644
--- a/radio.te
+++ b/radio.te
@@ -41,10 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
     tmp_system_server_service
-    -display_service
-    -dropbox_service
-    -imms_service
-    -input_method_service
     -netstats_service
     -network_management_service
     -notification_service
diff --git a/service.te b/service.te
index b4925acdf..451c9d080 100644
--- a/service.te
+++ b/service.te
@@ -36,19 +36,19 @@ type dbinfo_service, system_api_service, system_server_service, service_manager_
 type device_policy_service, app_api_service, system_server_service, service_manager_type;
 type deviceidle_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, tmp_system_server_service, service_manager_type;
-type display_service, tmp_system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, system_server_service, service_manager_type;
 type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, tmp_system_server_service, service_manager_type;
-type dropbox_service, tmp_system_server_service, service_manager_type;
-type ethernet_service, tmp_system_server_service, service_manager_type;
-type fingerprint_service, tmp_system_server_service, service_manager_type;
+type dreams_service, system_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, tmp_system_server_service, service_manager_type;
-type hardware_service, tmp_system_server_service, service_manager_type;
-type hdmi_control_service, tmp_system_server_service, service_manager_type;
-type input_method_service, tmp_system_server_service, service_manager_type;
-type input_service, tmp_system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, tmp_system_server_service, service_manager_type;
 type launcherapps_service, tmp_system_server_service, service_manager_type;
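Review bot: `ethernet_service` and `fingerprint_service` are classified as `app_api_service` here, yet the audit exclusions this patch removes list `-ethernet_service` only in system_server.te and `-fingerprint_service` only in platform_app.te and system_app.te, never in untrusted_app.te. If `app_api_service` is findable by untrusted_app (that allow rule is not visible in these hunks), the grant is wider than the callers seen in the old exclusion lists; the narrower form would be `type ethernet_service, system_api_service, system_server_service, service_manager_type;`, and likewise for `fingerprint_service`. If third-party app access is intended, a one-line comment above each type, for example `# app_api_service: reachable from third-party apps by design`, would record that decision for later audits. `hardware_service` gets no API attribute at all, so any client other than system_server that relied on `tmp_system_server_service` loses `find`. That looks intended, since no domain excluded it from auditing, but it is worth confirming against the collected audit logs before merging.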
diff --git a/system_app.te b/system_app.te
index e55525e41..7d934d12a 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,13 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
-    -display_service
-    -dreams_service
-    -dropbox_service
-    -fingerprint_service
-    -graphicsstats_service
-    -input_method_service
-    -input_service
     -lock_settings_service
     -media_session_service
     -mount_service
diff --git a/system_server.te b/system_server.te
index 4480684a2..80e06e834 100644
--- a/system_server.te
+++ b/system_server.te
@@ -372,14 +372,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
-    -display_service
-    -dreams_service
-    -dropbox_service
-    -ethernet_service
-    -graphicsstats_service
-    -hdmi_control_service
-    -input_method_service
-    -input_service
     -jobscheduler_service
     -location_service
     -lock_settings_service
diff --git a/untrusted_app.te b/untrusted_app.te
index a139799dd..a51c6eaaf 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,14 +90,7 @@ allow untrusted_app system_api_service:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     tmp_system_server_service
-    -diskstats_service
-    -display_service
-    -dropbox_service
-    -graphicsstats_service
     -healthd_service
-    -imms_service
-    -input_method_service
-    -input_service
     -jobscheduler_service
     -launcherapps_service
     -location_service
-- 
GitLab