From 48c1f613e0e22a4336e9dd2ece58709e9985ac4d Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Thu, 28 May 2015 15:09:21 -0700
Subject: [PATCH] Allow system_app to find all system services.

SystemPropPoker in settings app lists and communicates with every service on the
system on property change, which is not currently allowed for all services.

This occurs, for instance, when toggling
Developer options -> Monitoring -> Profile GPU Rendering -> On screen as bars.

Addresses the following denials:
SELinux : avc:  denied  { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager

(cherry-pick of commit: bf0c34d59bd47f9f286c9b5cd97196c1b075b7b1)

Bug: 20762975
Bug: 21446739
Change-Id: I655d39c6d6ff0b8bd333a99d17abc08af8001be8
---
 system_app.te | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/system_app.te b/system_app.te
index 3720c3d6c..c0ac65be3 100644
--- a/system_app.te
+++ b/system_app.te
@@ -48,13 +48,7 @@ allow system_app anr_data_file:file create_file_perms;
 allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
-allow system_app mediaserver_service:service_manager find;
-allow system_app nfc_service:service_manager find;
-allow system_app radio_service:service_manager find;
-allow system_app surfaceflinger_service:service_manager find;
-allow system_app system_app_service:service_manager add;
-allow system_app app_api_service:service_manager find;
-allow system_app system_api_service:service_manager find;
+allow system_app service_manager_type:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state
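Review bot: The removed lines include `allow system_app system_app_service:service_manager add;`, but the replacement `allow system_app service_manager_type:service_manager find;` grants only `find`, so the `add` permission is dropped without the commit message mentioning it. Unless that rule is granted elsewhere in policy not visible in this hunk, a system_app that registers a service labelled system_app_service would now be denied; keeping the `add` line next to the new rule avoids that. Separately, the attribute covers every service label rather than only the ten named in the listed denials, which widens what a compromised system_app can look up. I would put a comment above the new rule, for example `# SystemPropPoker in Settings looks up every registered service on property change; find on all services is intentional.`, so a later least-privilege audit knows the broad grant is deliberate.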
-- 
GitLab