Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate attributes: diskstats display dreams dropbox ethernet fingerprint graphicstats hardware hdmi_control input_method input_service Bug: 18106000 Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095

Enforce more specific service access.
3cc6fc5f · dcashman · 3af8c9d0 · 3cc6fc5f · 3cc6fc5f · 3cc6fc5f
Commit 3cc6fc5f authored 10 years ago by dcashman
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
    tmp_system_server_service
-    -display_service
-    -dropbox_service
    -media_session_service
    -network_management_service
    -power_service

--- a/nfc.te
+++ b/nfc.te
@@ -30,8 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
    tmp_system_server_service
-    -display_service
-    -dropbox_service
    -network_management_service
    -power_service
    -registry_service

--- a/platform_app.te
+++ b/platform_app.te
@@ -39,13 +39,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
    tmp_system_server_service
-    -display_service
-    -dreams_service
-    -dropbox_service
-    -fingerprint_service
-    -graphicsstats_service
-    -input_method_service
-    -input_service
    -lock_settings_service
    -media_projection_service
    -media_router_service

--- a/radio.te
+++ b/radio.te
@@ -41,10 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
    tmp_system_server_service
-    -display_service
-    -dropbox_service
-    -imms_service
-    -input_method_service
    -netstats_service
    -network_management_service
    -notification_service

--- a/service.te
+++ b/service.te
@@ -36,19 +36,19 @@ type dbinfo_service, system_api_service, system_server_service, service_manager_
 type device_policy_service, app_api_service, system_server_service, service_manager_type;
 type deviceidle_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, tmp_system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, tmp_system_server_service, service_manager_type;
+type display_service, app_api_service, system_server_service, service_manager_type;
 type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, tmp_system_server_service, service_manager_type;
+type dreams_service, system_api_service, system_server_service, service_manager_type;
-type dropbox_service, tmp_system_server_service, service_manager_type;
+type dropbox_service, app_api_service, system_server_service, service_manager_type;
-type ethernet_service, tmp_system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, tmp_system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, tmp_system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
-type hardware_service, tmp_system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
-type hdmi_control_service, tmp_system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
-type input_method_service, tmp_system_server_service, service_manager_type;
+type input_method_service, app_api_service, system_server_service, service_manager_type;
-type input_service, tmp_system_server_service, service_manager_type;
+type input_service, app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, tmp_system_server_service, service_manager_type;
 type launcherapps_service, tmp_system_server_service, service_manager_type;

--- a/system_app.te
+++ b/system_app.te
@@ -60,13 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
    tmp_system_server_service
-    -display_service
-    -dreams_service
-    -dropbox_service
-    -fingerprint_service
-    -graphicsstats_service
-    -input_method_service
-    -input_service
    -lock_settings_service
    -media_session_service
    -mount_service

--- a/system_server.te
+++ b/system_server.te
@@ -372,14 +372,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
    tmp_system_server_service
-    -display_service
-    -dreams_service
-    -dropbox_service
-    -ethernet_service
-    -graphicsstats_service
-    -hdmi_control_service
-    -input_method_service
-    -input_service
    -jobscheduler_service
    -location_service
    -lock_settings_service

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,14 +90,7 @@ allow untrusted_app system_api_service:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
    tmp_system_server_service
-    -diskstats_service
-    -display_service
-    -dropbox_service
-    -graphicsstats_service
    -healthd_service
-    -imms_service
-    -input_method_service
-    -input_service
    -jobscheduler_service
    -launcherapps_service
    -location_service