From 566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 16 Jan 2015 17:27:25 -0800
Subject: [PATCH] Record service accesses.
Reduce logspam and record further observed service connections.
Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
---
platform_app.te | 39 +++++++++++++++++++++++++-----------
radio.te | 14 +++++++++++++
surfaceflinger.te | 7 ++-----
system_app.te | 12 ++++--------
system_server.te | 50 ++++++++++++++++++++++++++++++++++++-----------
untrusted_app.te | 39 ++----------------------------------
6 files changed, 89 insertions(+), 72 deletions(-)
diff --git a/platform_app.te b/platform_app.te
index d98442e5d..61cc75729 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -35,25 +35,42 @@ allow platform_app surfaceflinger_service:service_manager find;
allow platform_app system_server_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-allow platform_app {
- activity_service
- connectivity_service
- display_service
- dropbox_service
- input_service
- lock_settings_service
- mount_service
-}:service_manager find;
-
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
+ -accessibility_service
-activity_service
+ -appops_service
+ -appwidget_service
+ -assetatlas_service
+ -audio_service
+ -batterystats_service
+ -bluetooth_manager_service
-connectivity_service
+ -content_service
+ -device_policy_service
-display_service
+ -dreams_service
-dropbox_service
+ -fingerprint_service
+ -input_method_service
-input_service
-lock_settings_service
+ -media_projection_service
+ -media_router_service
+ -media_session_service
-mount_service
+ -netpolicy_service
+ -netstats_service
+ -network_management_service
+ -notification_service
+ -power_service
+ -registry_service
+ -search_service
+ -statusbar_service
+ -trust_service
+ -user_service
+ -vibrator_service
+ -wallpaper_service
+ -wifi_service
}:service_manager find;
\ No newline at end of file
diff --git a/radio.te b/radio.te
index 2b63cd959..f18f46219 100644
--- a/radio.te
+++ b/radio.te
@@ -36,3 +36,17 @@ allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find;
allow radio system_server_service:service_manager find;
allow radio tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(radio)
+auditallow radio {
+ tmp_system_server_service
+ -activity_service
+ -appops_service
+ -connectivity_service
+ -content_service
+ -display_service
+ -dropbox_service
+ -network_management_service
+ -power_service
+ -registry_service
+}:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 00948cff2..a6ba5d966 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -64,15 +64,12 @@ allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger system_server_service:service_manager find;
allow surfaceflinger tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-allow surfaceflinger {
- power_service
-}:service_manager find;
-
service_manager_local_audit_domain(surfaceflinger)
auditallow surfaceflinger {
tmp_system_server_service
+ -permission_service
-power_service
+ -window_service
}:service_manager find;
###
diff --git a/system_app.te b/system_app.te
index 12a51952e..1c50dff9e 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,21 +57,17 @@ allow system_app system_app_service:service_manager add;
allow system_app system_server_service:service_manager find;
allow system_app tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-allow system_app {
- activity_service
- connectivity_service
- display_service
- dropbox_service
-}:service_manager find;
-
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
+ -accessibility_service
-activity_service
+ -appops_service
-connectivity_service
-display_service
-dropbox_service
+ -network_management_service
+ -user_service
}:service_manager find;
allow system_app keystore:keystore_key {
diff --git a/system_server.te b/system_server.te
index 73ff33ced..aaa0657a3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -386,27 +386,55 @@ auditallow system_server {
-tmp_system_server_service
}:service_manager find;
-# address tmp_system_server_service accesses
-allow system_server {
- account_service
- backup_service
- dreams_service
- mount_service
- package_service
- wallpaper_service
- wifi_service
-}:service_manager find;
-
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
+ -accessibility_service
-account_service
+ -activity_service
+ -alarm_service
+ -appops_service
+ -assetatlas_service
+ -audio_service
-backup_service
+ -batterystats_service
+ -bluetooth_manager_service
+ -connectivity_service
+ -content_service
+ -device_policy_service
+ -display_service
-dreams_service
+ -dropbox_service
+ -ethernet_service
+ -hdmi_control_service
+ -input_method_service
+ -input_service
+ -jobscheduler_service
+ -location_service
+ -lock_settings_service
+ -media_router_service
+ -media_session_service
-mount_service
+ -network_management_service
+ -network_score_service
+ -notification_service
-package_service
+ -power_service
+ -registry_service
+ -sensorservice_service
+ -statusbar_service
+ -textservices_service
+ -trust_service
+ -uimode_service
+ -updatelock_service
+ -usagestats_service
+ -user_service
+ -vibrator_service
-wallpaper_service
+ -webviewupdate_service
-wifi_service
+ -wifip2p_service
+ -window_service
}:service_manager find;
allow system_server keystore:keystore_key {
diff --git a/untrusted_app.te b/untrusted_app.te
index 18d71cdfa..ceb70f28c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,43 +72,6 @@ allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app system_server_service:service_manager find;
allow untrusted_app tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app {
- accessibility_service
- account_service
- activity_service
- appops_service
- appwidget_service
- assetatlas_service
- audio_service
- backup_service
- batterystats_service
- bluetooth_manager_service
- connectivity_service
- content_service
- device_policy_service
- display_service
- dropbox_service
- input_method_service
- input_service
- jobscheduler_service
- location_service
- mount_service
- netstats_service
- network_score_service
- notification_service
- persistent_data_block_service
- power_service
- registry_service
- textservices_service
- trust_service
- uimode_service
- user_service
- webviewupdate_service
- wifi_service
-}:service_manager find;
-
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
@@ -133,6 +96,7 @@ auditallow untrusted_app {
-location_service
-mount_service
-netstats_service
+ -network_management_service
-network_score_service
-notification_service
-persistent_data_block_service
@@ -142,6 +106,7 @@ auditallow untrusted_app {
-trust_service
-uimode_service
-user_service
+ -vibrator_service
-webviewupdate_service
-wifi_service
}:service_manager find;
--
GitLab