diff --git a/attributes b/attributes
index d40217aed9e08c404e188958aa69b9dffe71ceb4..3f632ded6411905ffa8523d6e5a096b521aa534b 100644
--- a/attributes
+++ b/attributes
@@ -42,6 +42,9 @@ attribute port_type;
 # All types used for property service
 attribute property_type;
 
+# All service_manager types formerly given system_server_service type
+attribute tmp_system_server_service;
+
 # All types used for services managed by service_manager.
 attribute service_manager_type;
 
diff --git a/bluetooth.te b/bluetooth.te
index 60ce11858fa36049dc8a9853bdd19ca39ca2da05..7c273be913f49ab53dd9223dc782ccf68e3fd27b 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -52,6 +52,7 @@ allow bluetooth ctl_dhcp_pan_prop:property_service set;
 allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth system_server_service:service_manager find;
+allow bluetooth tmp_system_server_service:service_manager find;
 
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in
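Review bot: The added `allow bluetooth tmp_system_server_service:service_manager find;` carries no marker that it is transitional, so nothing in this file tells a later reader that the grant is meant to be narrowed to the services bluetooth actually looks up. A comment above it such as `# TODO: replace with per-service find rules once audit logs show what is used` would make that explicit. The same unannotated rule is added in drmserver.te, dumpstate.te, nfc.te, radio.te, shell.te, surfaceflinger.te and system_app.te. As far as this diff shows the rule does not widen access, since the attribute is described as covering types formerly labelled system_server_service.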
diff --git a/domain.te b/domain.te
index 52920a72d9d52ed5243cede416cb1f5bff58f6ec..a184e063b8e363cacefd2563af28b0f71bd5175e 100644
--- a/domain.te
+++ b/domain.te
@@ -165,6 +165,9 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
+# log all access to specified system_server services
+auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
+
 ###
 ### neverallow rules
 ###
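Review bot: The `list` permission in the added `auditallow` probably never fires, because the dumpstate.te context line `allow dumpstate servicemanager:service_manager list;` suggests `list` is checked against the servicemanager domain rather than against service types. If so, `{list find }` can be reduced to `find`. The comment also overstates the rule: domains carrying `service_manager_local_audit` are excluded, so something like `# Log find of the split-out system_server services by every domain that has no local audit rules of its own` would be more accurate.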
diff --git a/drmserver.te b/drmserver.te
index 37edbfe9af453a1c52c81769c7599479c47c2c6c..482c2185f1553019be7f5e64a64c8e9a07fa69d5 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -51,5 +51,6 @@ allow drmserver oemfs:file r_file_perms;
 
 allow drmserver drmserver_service:service_manager { add find };
 allow drmserver system_server_service:service_manager find;
+allow drmserver tmp_system_server_service:service_manager find;
 
 selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index b1e746af0ad3437949657b8f2e3dfdecbcc6958c..5f65eb0538a4df99880a81b0052c5138d2e4e85f 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -117,6 +117,7 @@ allow dumpstate {
     surfaceflinger_service
     system_app_service
     system_server_service
+    tmp_system_server_service
 }:service_manager find;
 
 allow dumpstate servicemanager:service_manager list;
diff --git a/isolated_app.te b/isolated_app.te
index 8c45492935c93fd25a92be8a627961dd9f977e6c..627d0a0e140188139e368b438d7573a5a86ee639 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -24,3 +24,19 @@ neverallow isolated_app gpu_device:file { rw_file_perms execute };
 allow isolated_app radio_service:service_manager find;
 allow isolated_app surfaceflinger_service:service_manager find;
 allow isolated_app system_server_service:service_manager find;
+allow isolated_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow isolated_app activity_service:service_manager find;
+allow isolated_app connectivity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app dropbox_service:service_manager find;
+
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app {
+    tmp_system_server_service
+    -activity_service
+    -connectivity_service
+    -display_service
+    -dropbox_service
+}:service_manager find;
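Review bot: The four services subtracted from the `auditallow` set stop being logged for isolated_app from this commit on, yet the only justification is the generic comment `# address tmp_system_server_service accesses`. isolated_app looks like a deliberately narrow domain (the hunk header shows a neverallow on gpu_device), so each explicit `find` deserves a one-line reason above it, e.g. `# <why isolated_app needs this service>`, before the list becomes the permanent allowlist. While `allow isolated_app tmp_system_server_service:service_manager find;` remains, the four per-service rules grant nothing extra and only silence auditing. The same pattern appears in mediaserver.te, platform_app.te, system_server.te and untrusted_app.te.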
diff --git a/mediaserver.te b/mediaserver.te
index 54112af2abe232e80d8fe8059cdfa766a0de8fae..ec69aed091cfedf8ddcfcf0aeac660194ec64f5e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -82,6 +82,22 @@ allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
+allow mediaserver tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+    tmp_system_server_service
+    -batterystats_service
+    -permission_service
+    -power_service
+    -scheduling_policy_service
+}:service_manager find;
 
 # /oem access
 allow mediaserver oemfs:dir search;
diff --git a/nfc.te b/nfc.te
index 0d1f613b05ff436e6dcccf5bd107173805d6ae65..709e5b949371a4098c8fc256e4b5ca85ae7dae13 100644
--- a/nfc.te
+++ b/nfc.te
@@ -23,3 +23,4 @@ allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager add;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc system_server_service:service_manager find;
+allow nfc tmp_system_server_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 9b9b0db4804a836a69e93b279820db72dade1319..3f01769eb72aedc4520ba2cafafd04a3930a6cd4 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -33,3 +33,15 @@ allow platform_app mediaserver_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app system_server_service:service_manager find;
+allow platform_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow platform_app input_service:service_manager find;
+allow platform_app lock_settings_service:service_manager find;
+
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+    tmp_system_server_service
+    -input_service
+    -lock_settings_service
+}:service_manager find;
\ No newline at end of file
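Review bot: The new end of platform_app.te has no trailing newline; the `\ No newline at end of file` marker follows the added `}:service_manager find;`. If the policy sources are concatenated before compilation, which is the usual arrangement but is not visible here, the first line of the next file would be joined onto this one. Ending the file with a newline avoids depending on how that happens to parse.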
diff --git a/radio.te b/radio.te
index 9282055f2cc5229aceca8c9b0d9ee3cc820f204e..d369949db4c4ccdb2f71072e641c688c7a332cb0 100644
--- a/radio.te
+++ b/radio.te
@@ -34,3 +34,4 @@ allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio system_server_service:service_manager find;
+allow radio tmp_system_server_service:service_manager find;
diff --git a/service.te b/service.te
index ca461f170010d747ef2a0d40c2705ad5bb5f33b0..1a13927d05b5da4ef93cd18edf0fefff1403fb31 100644
--- a/service.te
+++ b/service.te
@@ -9,4 +9,92 @@ type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
+
 type system_server_service,     service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, tmp_system_server_service, service_manager_type;
+type account_service, tmp_system_server_service, service_manager_type;
+type activity_service, tmp_system_server_service, service_manager_type;
+type alarm_service, tmp_system_server_service, service_manager_type;
+type appops_service, tmp_system_server_service, service_manager_type;
+type appwidget_service, tmp_system_server_service, service_manager_type;
+type assetatlas_service, tmp_system_server_service, service_manager_type;
+type audio_service, tmp_system_server_service, service_manager_type;
+type backup_service, tmp_system_server_service, service_manager_type;
+type batterystats_service, tmp_system_server_service, service_manager_type;
+type battery_service, tmp_system_server_service, service_manager_type;
+type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
+type clipboard_service, tmp_system_server_service, service_manager_type;
+type IMms_service, tmp_system_server_service, service_manager_type;
+type IProxyService_service, tmp_system_server_service, service_manager_type;
+type commontime_management_service, tmp_system_server_service, service_manager_type;
+type connectivity_service, tmp_system_server_service, service_manager_type;
+type consumer_ir_service, tmp_system_server_service, service_manager_type;
+type content_service, tmp_system_server_service, service_manager_type;
+type country_detector_service, tmp_system_server_service, service_manager_type;
+type cpuinfo_service, tmp_system_server_service, service_manager_type;
+type dbinfo_service, tmp_system_server_service, service_manager_type;
+type device_policy_service, tmp_system_server_service, service_manager_type;
+type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
+type diskstats_service, tmp_system_server_service, service_manager_type;
+type display_service, tmp_system_server_service, service_manager_type;
+type DockObserver_service, tmp_system_server_service, service_manager_type;
+type dreams_service, tmp_system_server_service, service_manager_type;
+type dropbox_service, tmp_system_server_service, service_manager_type;
+type ethernet_service, tmp_system_server_service, service_manager_type;
+type fingerprint_service, tmp_system_server_service, service_manager_type;
+type gfxinfo_service, tmp_system_server_service, service_manager_type;
+type hardware_service, tmp_system_server_service, service_manager_type;
+type hdmi_control_service, tmp_system_server_service, service_manager_type;
+type input_method_service, tmp_system_server_service, service_manager_type;
+type input_service, tmp_system_server_service, service_manager_type;
+type imms_service, tmp_system_server_service, service_manager_type;
+type jobscheduler_service, tmp_system_server_service, service_manager_type;
+type launcherapps_service, tmp_system_server_service, service_manager_type;
+type location_service, tmp_system_server_service, service_manager_type;
+type lock_settings_service, tmp_system_server_service, service_manager_type;
+type media_projection_service, tmp_system_server_service, service_manager_type;
+type media_router_service, tmp_system_server_service, service_manager_type;
+type media_session_service, tmp_system_server_service, service_manager_type;
+type meminfo_service, tmp_system_server_service, service_manager_type;
+type midi_service, tmp_system_server_service, service_manager_type;
+type mount_service, tmp_system_server_service, service_manager_type;
+type netpolicy_service, tmp_system_server_service, service_manager_type;
+type netstats_service, tmp_system_server_service, service_manager_type;
+type network_management_service, tmp_system_server_service, service_manager_type;
+type network_score_service, tmp_system_server_service, service_manager_type;
+type notification_service, tmp_system_server_service, service_manager_type;
+type package_service, tmp_system_server_service, service_manager_type;
+type permission_service, tmp_system_server_service, service_manager_type;
+type persistent_data_block_service, tmp_system_server_service, service_manager_type;
+type power_service, tmp_system_server_service, service_manager_type;
+type print_service, tmp_system_server_service, service_manager_type;
+type procstats_service, tmp_system_server_service, service_manager_type;
+type restrictions_service, tmp_system_server_service, service_manager_type;
+type rttmanager_service, tmp_system_server_service, service_manager_type;
+type samplingprofiler_service, tmp_system_server_service, service_manager_type;
+type scheduling_policy_service, tmp_system_server_service, service_manager_type;
+type search_service, tmp_system_server_service, service_manager_type;
+type sensorservice_service, tmp_system_server_service, service_manager_type;
+type serial_service, tmp_system_server_service, service_manager_type;
+type servicediscovery_service, tmp_system_server_service, service_manager_type;
+type statusbar_service, tmp_system_server_service, service_manager_type;
+type task_service, tmp_system_server_service, service_manager_type;
+type registry_service, tmp_system_server_service, service_manager_type;
+type textservices_service, tmp_system_server_service, service_manager_type;
+type trust_service, tmp_system_server_service, service_manager_type;
+type tv_input_service, tmp_system_server_service, service_manager_type;
+type uimode_service, tmp_system_server_service, service_manager_type;
+type updatelock_service, tmp_system_server_service, service_manager_type;
+type usagestats_service, tmp_system_server_service, service_manager_type;
+type usb_service, tmp_system_server_service, service_manager_type;
+type user_service, tmp_system_server_service, service_manager_type;
+type vibrator_service, tmp_system_server_service, service_manager_type;
+type voiceinteraction_service, tmp_system_server_service, service_manager_type;
+type wallpaper_service, tmp_system_server_service, service_manager_type;
+type webviewupdate_service, tmp_system_server_service, service_manager_type;
+type wifip2p_service, tmp_system_server_service, service_manager_type;
+type wifiscanner_service, tmp_system_server_service, service_manager_type;
+type wifi_service, tmp_system_server_service, service_manager_type;
+type window_service, tmp_system_server_service, service_manager_type;
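Review bot: Three of the new type names break the lowercase_with_underscores pattern the rest of the list follows: `IMms_service`, `IProxyService_service` and `DockObserver_service`. `IMms_service` also sits beside an unrelated `imms_service`, which is easy to confuse when writing an allow rule. `registry_service`, which service_contexts assigns to `telephony.registry`, drops the part of the name that says what the service is; a name along the lines of `telephony_registry_service` would be clearer. The header comment could also state that the attribute is transitional, e.g. `# Per-service types split out of system_server_service; tmp_system_server_service groups them until callers are narrowed`.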
diff --git a/service_contexts b/service_contexts
index 08bf3fea2a1737c73fbb2535d172968d6ae4063c..5dfa199a49939c06be811624b638694c3cba1371 100644
--- a/service_contexts
+++ b/service_contexts
@@ -1,123 +1,123 @@
-accessibility                             u:object_r:system_server_service:s0
-account                                   u:object_r:system_server_service:s0
-activity                                  u:object_r:system_server_service:s0
-alarm                                     u:object_r:system_server_service:s0
+accessibility                             u:object_r:accessibility_service:s0
+account                                   u:object_r:account_service:s0
+activity                                  u:object_r:activity_service:s0
+alarm                                     u:object_r:alarm_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
-appops                                    u:object_r:system_server_service:s0
-appwidget                                 u:object_r:system_server_service:s0
-assetatlas                                u:object_r:system_server_service:s0
-audio                                     u:object_r:system_server_service:s0
-backup                                    u:object_r:system_server_service:s0
+appops                                    u:object_r:appops_service:s0
+appwidget                                 u:object_r:appwidget_service:s0
+assetatlas                                u:object_r:assetatlas_service:s0
+audio                                     u:object_r:audio_service:s0
+backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:healthd_service:s0
 batterypropreg                            u:object_r:healthd_service:s0
-batterystats                              u:object_r:system_server_service:s0
-battery                                   u:object_r:system_server_service:s0
-bluetooth_manager                         u:object_r:system_server_service:s0
+batterystats                              u:object_r:batterystats_service:s0
+battery                                   u:object_r:battery_service:s0
+bluetooth_manager                         u:object_r:bluetooth_manager_service:s0
 bluetooth                                 u:object_r:bluetooth_service:s0
-clipboard                                 u:object_r:system_server_service:s0
-com.android.internal.telephony.mms.IMms   u:object_r:system_server_service:s0
-com.android.net.IProxyService             u:object_r:system_server_service:s0
-commontime_management                     u:object_r:system_server_service:s0
+clipboard                                 u:object_r:clipboard_service:s0
+com.android.internal.telephony.mms.IMms   u:object_r:IMms_service:s0
+com.android.net.IProxyService             u:object_r:IProxyService_service:s0
+commontime_management                     u:object_r:commontime_management_service:s0
 common_time.clock                        u:object_r:mediaserver_service:s0
 common_time.config                       u:object_r:mediaserver_service:s0
-connectivity                              u:object_r:system_server_service:s0
-consumer_ir                               u:object_r:system_server_service:s0
-content                                   u:object_r:system_server_service:s0
-country_detector                          u:object_r:system_server_service:s0
-cpuinfo                                   u:object_r:system_server_service:s0
-dbinfo                                    u:object_r:system_server_service:s0
-device_policy                             u:object_r:system_server_service:s0
-devicestoragemonitor                      u:object_r:system_server_service:s0
-diskstats                                 u:object_r:system_server_service:s0
+connectivity                              u:object_r:connectivity_service:s0
+consumer_ir                               u:object_r:consumer_ir_service:s0
+content                                   u:object_r:content_service:s0
+country_detector                          u:object_r:country_detector_service:s0
+cpuinfo                                   u:object_r:cpuinfo_service:s0
+dbinfo                                    u:object_r:dbinfo_service:s0
+device_policy                             u:object_r:device_policy_service:s0
+devicestoragemonitor                      u:object_r:devicestoragemonitor_service:s0
+diskstats                                 u:object_r:diskstats_service:s0
 display.qservice                          u:object_r:surfaceflinger_service:s0
-display                                   u:object_r:system_server_service:s0
-DockObserver                              u:object_r:system_server_service:s0
-dreams                                    u:object_r:system_server_service:s0
+display                                   u:object_r:display_service:s0
+DockObserver                              u:object_r:DockObserver_service:s0
+dreams                                    u:object_r:dreams_service:s0
 drm.drmManager                            u:object_r:drmserver_service:s0
-dropbox                                   u:object_r:system_server_service:s0
-ethernet                                  u:object_r:system_server_service:s0
-fingerprint                               u:object_r:system_server_service:s0
-gfxinfo                                   u:object_r:system_server_service:s0
-hardware                                  u:object_r:system_server_service:s0
-hdmi_control                              u:object_r:system_server_service:s0
+dropbox                                   u:object_r:dropbox_service:s0
+ethernet                                  u:object_r:ethernet_service:s0
+fingerprint                               u:object_r:fingerprint_service:s0
+gfxinfo                                   u:object_r:gfxinfo_service:s0
+hardware                                  u:object_r:hardware_service:s0
+hdmi_control                              u:object_r:hdmi_control_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
-input_method                              u:object_r:system_server_service:s0
-input                                     u:object_r:system_server_service:s0
+input_method                              u:object_r:input_method_service:s0
+input                                     u:object_r:input_service:s0
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
-imms                                      u:object_r:system_server_service:s0
+imms                                      u:object_r:imms_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
 isub                                      u:object_r:radio_service:s0
-jobscheduler                              u:object_r:system_server_service:s0
-launcherapps                              u:object_r:system_server_service:s0
-location                                  u:object_r:system_server_service:s0
-lock_settings                             u:object_r:system_server_service:s0
+jobscheduler                              u:object_r:jobscheduler_service:s0
+launcherapps                              u:object_r:launcherapps_service:s0
+location                                  u:object_r:location_service:s0
+lock_settings                             u:object_r:lock_settings_service:s0
 media.audio_flinger                       u:object_r:mediaserver_service:s0
 media.audio_policy                        u:object_r:mediaserver_service:s0
 media.camera                              u:object_r:mediaserver_service:s0
 media.log                                 u:object_r:mediaserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:mediaserver_service:s0
-media_projection                          u:object_r:system_server_service:s0
-media_router                              u:object_r:system_server_service:s0
-media_session                             u:object_r:system_server_service:s0
-meminfo                                   u:object_r:system_server_service:s0
-mount                                     u:object_r:system_server_service:s0
-netpolicy                                 u:object_r:system_server_service:s0
-netstats                                  u:object_r:system_server_service:s0
-network_management                        u:object_r:system_server_service:s0
-network_score                             u:object_r:system_server_service:s0
+media_projection                          u:object_r:media_projection_service:s0
+media_router                              u:object_r:media_router_service:s0
+media_session                             u:object_r:media_session_service:s0
+meminfo                                   u:object_r:meminfo_service:s0
+midi                                      u:object_r:midi_service:s0
+mount                                     u:object_r:mount_service:s0
+netpolicy                                 u:object_r:netpolicy_service:s0
+netstats                                  u:object_r:netstats_service:s0
+network_management                        u:object_r:network_management_service:s0
+network_score                             u:object_r:network_score_service:s0
 nfc                                       u:object_r:nfc_service:s0
-notification                              u:object_r:system_server_service:s0
-package                                   u:object_r:system_server_service:s0
-permission                                u:object_r:system_server_service:s0
-persistent_data_block                     u:object_r:system_server_service:s0
+notification                              u:object_r:notification_service:s0
+package                                   u:object_r:package_service:s0
+permission                                u:object_r:permission_service:s0
+persistent_data_block                     u:object_r:persistent_data_block_service:s0
 phone_msim                                u:object_r:radio_service:s0
 phone1                                    u:object_r:radio_service:s0
 phone2                                    u:object_r:radio_service:s0
 phone                                     u:object_r:radio_service:s0
-power                                     u:object_r:system_server_service:s0
-print                                     u:object_r:system_server_service:s0
-procstats                                 u:object_r:system_server_service:s0
+power                                     u:object_r:power_service:s0
+print                                     u:object_r:print_service:s0
+procstats                                 u:object_r:procstats_service:s0
 radio.phonesubinfo                        u:object_r:radio_service:s0
 radio.phone                               u:object_r:radio_service:s0
 radio.sms                                 u:object_r:radio_service:s0
-restrictions                              u:object_r:system_server_service:s0
-rttmanager                                u:object_r:system_server_service:s0
-samplingprofiler                          u:object_r:system_server_service:s0
-scheduling_policy                         u:object_r:system_server_service:s0
-search                                    u:object_r:system_server_service:s0
-sensorservice                             u:object_r:system_server_service:s0
-serial                                    u:object_r:system_server_service:s0
-servicediscovery                          u:object_r:system_server_service:s0
+restrictions                              u:object_r:restrictions_service:s0
+rttmanager                                u:object_r:rttmanager_service:s0
+samplingprofiler                          u:object_r:samplingprofiler_service:s0
+scheduling_policy                         u:object_r:scheduling_policy_service:s0
+search                                    u:object_r:search_service:s0
+sensorservice                             u:object_r:sensorservice_service:s0
+serial                                    u:object_r:serial_service:s0
+servicediscovery                          u:object_r:servicediscovery_service:s0
 simphonebook_msim                         u:object_r:radio_service:s0
 simphonebook2                             u:object_r:radio_service:s0
 simphonebook                              u:object_r:radio_service:s0
 sip                                       u:object_r:radio_service:s0
-statusbar                                 u:object_r:system_server_service:s0
+statusbar                                 u:object_r:statusbar_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
-task                                      u:object_r:system_server_service:s0
+task                                      u:object_r:task_service:s0
 telecom                                   u:object_r:radio_service:s0
-telephony.registry                        u:object_r:system_server_service:s0
-textservices                              u:object_r:system_server_service:s0
-trust                                     u:object_r:system_server_service:s0
-tv_input                                  u:object_r:system_server_service:s0
-uimode                                    u:object_r:system_server_service:s0
-updatelock                                u:object_r:system_server_service:s0
-usagestats                                u:object_r:system_server_service:s0
-usb                                       u:object_r:system_server_service:s0
-user                                      u:object_r:system_server_service:s0
-vibrator                                  u:object_r:system_server_service:s0
-voiceinteraction                          u:object_r:system_server_service:s0
-wallpaper                                 u:object_r:system_server_service:s0
-webviewupdate                             u:object_r:system_server_service:s0
-wifip2p                                   u:object_r:system_server_service:s0
-wifiscanner                               u:object_r:system_server_service:s0
-wifi                                      u:object_r:system_server_service:s0
-window                                    u:object_r:system_server_service:s0
-
+telephony.registry                        u:object_r:registry_service:s0
+textservices                              u:object_r:textservices_service:s0
+trust                                     u:object_r:trust_service:s0
+tv_input                                  u:object_r:tv_input_service:s0
+uimode                                    u:object_r:uimode_service:s0
+updatelock                                u:object_r:updatelock_service:s0
+usagestats                                u:object_r:usagestats_service:s0
+usb                                       u:object_r:usb_service:s0
+user                                      u:object_r:user_service:s0
+vibrator                                  u:object_r:vibrator_service:s0
+voiceinteraction                          u:object_r:voiceinteraction_service:s0
+wallpaper                                 u:object_r:wallpaper_service:s0
+webviewupdate                             u:object_r:webviewupdate_service:s0
+wifip2p                                   u:object_r:wifip2p_service:s0
+wifiscanner                               u:object_r:wifiscanner_service:s0
+wifi                                      u:object_r:wifi_service:s0
+window                                    u:object_r:window_service:s0
 *                                         u:object_r:default_android_service:s0
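Review bot: `midi` is a new entry rather than a relabel: no `midi` line is removed, so before this hunk the name fell through to the `*` default and was labelled `default_android_service`. That changes which domains may add and find it, which is separate from the mechanical split and deserves a mention in the commit message. Also, after this hunk no name in this file maps to `system_server_service`, so the `system_server_service` rules kept in the .te files only matter if some other contexts file, not visible here, still uses that type.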
diff --git a/shared_relro.te b/shared_relro.te
index 8ad53d344907a41000d44abf2e5742abb43dadc5..c4443824cd6541f3374f8831e2c6b066446981a1 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -11,3 +11,4 @@ allow shared_relro shared_relro_file:file create_file_perms;
 
 # Needs to contact the "webviewupdate" and "activity" services
 allow shared_relro system_server_service:service_manager find;
+allow shared_relro tmp_system_server_service:service_manager find;
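Review bot: The comment directly above says shared_relro only needs the "webviewupdate" and "activity" services, but the added rule grants `find` on every type carrying `tmp_system_server_service`. Both services get their own types in this commit, so the rule could be narrowed straight away to `allow shared_relro { activity_service webviewupdate_service }:service_manager find;`. If the broad rule is kept for now to preserve behaviour, a `# TODO: narrow to activity_service and webviewupdate_service` above it would record the intent.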
diff --git a/shell.te b/shell.te
index a69d47561362d2360234bf530c26c4109fd9579d..af4ce0c29561a1499336135ee1b0b4e8cf1e622c 100644
--- a/shell.te
+++ b/shell.te
@@ -48,6 +48,7 @@ allow shell debug_prop:property_service set;
 allow shell powerctl_prop:property_service set;
 
 allow shell system_server_service:service_manager find;
+allow shell tmp_system_server_service:service_manager find;
 
 # systrace support - allow atrace to run
 # debugfs doesn't support labeling individual files, so we have
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 02cb43310defbe0072733ac3b19d22fb4a1833d4..f0eeec3c8b22e22930a6d09d94880c13454d6bc8 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -62,6 +62,7 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger system_server_service:service_manager find;
+allow surfaceflinger tmp_system_server_service:service_manager find;
 
 ###
 ### Neverallow rules
diff --git a/system_app.te b/system_app.te
index 8f70185bb282f37dcc926315b68334327e4ccdd1..a445e574d19f21f35024a9f8573c31be9fc9e785 100644
--- a/system_app.te
+++ b/system_app.te
@@ -55,6 +55,7 @@ allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
+allow system_app tmp_system_server_service:service_manager find;
 
 allow system_app keystore:keystore_key {
 	test
diff --git a/system_server.te b/system_server.te
index 9dc1e90c8cb200211ab452043cd2afbe6b514615..6199eb73188e4bc09c70664be0de7ca545c0ea8f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -370,6 +370,7 @@ allow system_server mediaserver_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server tmp_system_server_service:service_manager { add find };
 
 # TODO: Remove. Make up for previously lacking auditing.
 allow system_server service_manager_type:service_manager find;
@@ -383,6 +384,17 @@ auditallow system_server {
     -surfaceflinger_service
 }:service_manager find;
 
+# address tmp_system_server_service accesses
+allow system_server dreams_service:service_manager find;
+allow system_server mount_service:service_manager find;
+
+service_manager_local_audit_domain(system_server)
+auditallow system_server {
+    tmp_system_server_service
+    -dreams_service
+    -mount_service
+}:service_manager find;
+
 allow system_server keystore:keystore_key {
 	test
 	get
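Review bot: The new `auditallow` that subtracts `dreams_service` and `mount_service` may not silence those lookups. The older `auditallow system_server { … -surfaceflinger_service }:service_manager find;`, whose tail is visible at the top of this hunk, begins outside it; if its set is built from `service_manager_type`, it still matches both new types and they would keep being logged. It is worth confirming this and, if so, adding `-tmp_system_server_service` to the older set so the two rules do not overlap. The two explicit `allow` rules are also redundant with the `{ add find }` grant on the attribute and with `allow system_server service_manager_type:service_manager find;` visible in the previous hunk.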
diff --git a/te_macros b/te_macros
index b665f3ff00dacbef2ac6d8281df4c3bc711abd08..1efe15f4118ec238fd68ffc350778dea2100c99b 100644
--- a/te_macros
+++ b/te_macros
@@ -109,7 +109,6 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
-service_manager_local_audit_domain($1)
 ')
 
 #####################################
diff --git a/untrusted_app.te b/untrusted_app.te
index e558076018411b0995c6c8fcf4c325508c124da2..40dc8cb780af4fa7f3e43bb9f3ec76fb6c9e188b 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -70,6 +70,65 @@ allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app system_server_service:service_manager find;
+allow untrusted_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+service_manager_local_audit_domain(untrusted_app)
+allow untrusted_app accessibility_service:service_manager find;
+allow untrusted_app account_service:service_manager find;
+allow untrusted_app activity_service:service_manager find;
+allow untrusted_app appops_service:service_manager find;
+allow untrusted_app appwidget_service:service_manager find;
+allow untrusted_app assetatlas_service:service_manager find;
+allow untrusted_app audio_service:service_manager find;
+allow untrusted_app bluetooth_manager_service:service_manager find;
+allow untrusted_app connectivity_service:service_manager find;
+allow untrusted_app content_service:service_manager find;
+allow untrusted_app device_policy_service:service_manager find;
+allow untrusted_app display_service:service_manager find;
+allow untrusted_app dropbox_service:service_manager find;
+allow untrusted_app input_method_service:service_manager find;
+allow untrusted_app input_service:service_manager find;
+allow untrusted_app jobscheduler_service:service_manager find;
+allow untrusted_app notification_service:service_manager find;
+allow untrusted_app persistent_data_block_service:service_manager find;
+allow untrusted_app power_service:service_manager find;
+allow untrusted_app registry_service:service_manager find;
+allow untrusted_app textservices_service:service_manager find;
+allow untrusted_app trust_service:service_manager find;
+allow untrusted_app user_service:service_manager find;
+allow untrusted_app webviewupdate_service:service_manager find;
+allow untrusted_app wifi_service:service_manager find;
+
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+    tmp_system_server_service
+    -accessibility_service
+    -account_service
+    -activity_service
+    -appops_service
+    -appwidget_service
+    -assetatlas_service
+    -audio_service
+    -bluetooth_manager_service
+    -connectivity_service
+    -content_service
+    -device_policy_service
+    -display_service
+    -dropbox_service
+    -input_method_service
+    -input_service
+    -jobscheduler_service
+    -notification_service
+    -persistent_data_block_service
+    -power_service
+    -registry_service
+    -textservices_service
+    -trust_service
+    -user_service
+    -webviewupdate_service
+    -wifi_service
+}:service_manager find;
 
 ###
 ### neverallow rules
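Review bot: `service_manager_local_audit_domain(untrusted_app)` is invoked twice in the added lines, once directly under the `# address tmp_system_server_service accesses` comment and again just before the `auditallow`. One call is enough, and dropping the first matches the layout used in isolated_app.te, mediaserver.te and platform_app.te. Separately, the 25 services exempted from auditing include `persistent_data_block_service`, `device_policy_service` and `trust_service`. It is worth confirming from the audit data that untrusted apps need to look these up, because once subtracted from the `auditallow` set their use is no longer logged.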