am 31a8511a: am 23f33615: Record observed system_server servicemanager service requests.

* commit '31a8511a': Record observed system_server servicemanager service requests.

am 31a8511a: am 23f33615: Record observed system_server servicemanager service requests.
40af9962 · dcashman · Android Git Automerger · 2a5b5174 · 31a8511a · 40af9962
Commit 40af9962 authored 10 years ago by dcashman Committed by Android Git Automerger 10 years ago
--- a/drmserver.te
+++ b/drmserver.te
@@ -53,4 +53,10 @@ allow drmserver drmserver_service:service_manager { add find };
 allow drmserver system_server_service:service_manager find;
 allow drmserver tmp_system_server_service:service_manager find;

+service_manager_local_audit_domain(drmserver)
+auditallow drmserver {
+    tmp_system_server_service
+    -permission_service
+}:service_manager find;
+
 selinux_check_access(drmserver)
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -104,20 +104,8 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;

-allow dumpstate {
-    drmserver_service
-    healthd_service
-    inputflinger_service
-    keystore_service
-    mediaserver_service
-    nfc_service
-    radio_service
-    surfaceflinger_service
-    system_app_service
-    system_server_service
-    tmp_system_server_service
-}:service_manager find;
-
+allow dumpstate service_manager_type:service_manager find;
 allow dumpstate servicemanager:service_manager list;
+service_manager_local_audit_domain(dumpstate)

 allow dumpstate devpts:chr_file rw_file_perms;
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -84,15 +84,10 @@ allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;

-# address tmp_system_server_service accesses
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
    tmp_system_server_service
+    -appops_service
    -batterystats_service
    -permission_service
    -power_service

--- a/nfc.te
+++ b/nfc.te
@@ -25,3 +25,22 @@ allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc system_server_service:service_manager find;
 allow nfc tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+    tmp_system_server_service
+    -accessibility_service
+    -activity_service
+    -appops_service
+    -batterystats_service
+    -bluetooth_manager_service
+    -connectivity_service
+    -content_service
+    -display_service
+    -dropbox_service
+    -network_management_service
+    -power_service
+    -trust_service
+    -user_service
+    -vibrator_service
+}:service_manager find;
\ No newline at end of file
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,6 +39,7 @@ service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
    tmp_system_server_service
    -accessibility_service
+    -account_service
    -activity_service
    -appops_service
    -appwidget_service

--- a/radio.te
+++ b/radio.te
@@ -42,11 +42,17 @@ auditallow radio {
    tmp_system_server_service
    -activity_service
    -appops_service
+    -bluetooth_manager_service
    -connectivity_service
    -content_service
    -display_service
    -dropbox_service
+    -netstats_service
    -network_management_service
+    -notification_service
    -power_service
    -registry_service
+    -trust_service
+    -user_service
+    -wifi_service
 }:service_manager find;
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -12,3 +12,9 @@ allow shared_relro shared_relro_file:file create_file_perms;
 # Needs to contact the "webviewupdate" and "activity" services
 allow shared_relro system_server_service:service_manager find;
 allow shared_relro tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(shared_relro)
+auditallow shared_relro {
+    tmp_system_server_service
+    -webviewupdate_service
+}:service_manager find;
--- a/shell.te
+++ b/shell.te
@@ -60,6 +60,7 @@ allow shell kernel:system syslog_read;
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 allow shell service_manager_type:service_manager find;
+service_manager_local_audit_domain(shell)

 # allow shell to look through /proc/ for ps, top
 allow shell domain:dir { search open read getattr };

--- a/system_app.te
+++ b/system_app.te
@@ -62,11 +62,32 @@ auditallow system_app {
    -accessibility_service
    -activity_service
    -appops_service
+    -appwidget_service
+    -assetatlas_service
+    -audio_service
+    -backup_service
+    -bluetooth_manager_service
    -connectivity_service
+    -content_service
+    -device_policy_service
    -display_service
+    -dreams_service
    -dropbox_service
+    -input_method_service
+    -input_service
+    -lock_settings_service
+    -mount_service
    -network_management_service
+    -notification_service
+    -power_service
+    -print_service
+    -registry_service
+    -sensorservice_service
+    -usagestats_service
+    -usb_service
    -user_service
+    -vibrator_service
+    -wifi_service
 }:service_manager find;

 allow system_app keystore:keystore_key {

--- a/system_server.te
+++ b/system_server.te
@@ -368,9 +368,11 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;

+allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
@@ -380,9 +382,11 @@ allow system_server tmp_system_server_service:service_manager { add find };
 allow system_server service_manager_type:service_manager find;
 auditallow system_server {
    service_manager_type
+    -drmserver_service
    -healthd_service
    -keystore_service
    -mediaserver_service
+    -nfc_service
    -radio_service
    -system_server_service
    -surfaceflinger_service
@@ -422,6 +426,7 @@ auditallow system_server {
    -network_score_service
    -notification_service
    -package_service
+    -permission_service
    -power_service
    -registry_service
    -sensorservice_service

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,18 +90,27 @@ auditallow untrusted_app {
    -assetatlas_service
    -audio_service
    -backup_service
+    -battery_service
    -batterystats_service
    -bluetooth_manager_service
    -connectivity_service
    -content_service
+    -country_detector_service
+    -default_android_service
    -device_policy_service
    -display_service
    -dropbox_service
    -input_method_service
    -input_service
    -jobscheduler_service
+    -launcherapps_service
    -location_service
+    -lock_settings_service
+    -media_router_service
+    -media_session_service
+    -meminfo_service
    -mount_service
+    -netpolicy_service
    -netstats_service
    -network_management_service
    -network_score_service
@@ -109,13 +118,18 @@ auditallow untrusted_app {
    -persistent_data_block_service
    -power_service
    -registry_service
+    -search_service
+    -sensorservice_service
    -textservices_service
    -trust_service
    -uimode_service
    -user_service
    -vibrator_service
+    -voiceinteraction_service
+    -wallpaper_service
    -webviewupdate_service
    -wifi_service
+    -wifip2p_service
 }:service_manager find;

 ###