Record service accesses.

Reduce logspam and record further observed service connections. Bug: 18106000 Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8

Record service accesses.
566e8fe2 · dcashman · 7d1deec4 · 566e8fe2 · 566e8fe2 · 566e8fe2
Commit 566e8fe2 authored 10 years ago by dcashman
--- a/platform_app.te
+++ b/platform_app.te
@@ -35,25 +35,42 @@ allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-allow platform_app {
-    activity_service
-    connectivity_service
-    display_service
-    dropbox_service
-    input_service
-    lock_settings_service
-    mount_service
-}:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
    tmp_system_server_service
+    -accessibility_service
    -activity_service
+    -appops_service
+    -appwidget_service
+    -assetatlas_service
+    -audio_service
+    -batterystats_service
+    -bluetooth_manager_service
    -connectivity_service
+    -content_service
+    -device_policy_service
    -display_service
+    -dreams_service
    -dropbox_service
+    -fingerprint_service
+    -input_method_service
    -input_service
    -lock_settings_service
+    -media_projection_service
+    -media_router_service
+    -media_session_service
    -mount_service
+    -netpolicy_service
+    -netstats_service
+    -network_management_service
+    -notification_service
+    -power_service
+    -registry_service
+    -search_service
+    -statusbar_service
+    -trust_service
+    -user_service
+    -vibrator_service
+    -wallpaper_service
+    -wifi_service
 }:service_manager find;
\ No newline at end of file
--- a/radio.te
+++ b/radio.te
@@ -36,3 +36,17 @@ allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio system_server_service:service_manager find;
 allow radio tmp_system_server_service:service_manager find;
+service_manager_local_audit_domain(radio)
+auditallow radio {
+    tmp_system_server_service
+    -activity_service
+    -appops_service
+    -connectivity_service
+    -content_service
+    -display_service
+    -dropbox_service
+    -network_management_service
+    -power_service
+    -registry_service
+}:service_manager find;
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -64,15 +64,12 @@ allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger system_server_service:service_manager find;
 allow surfaceflinger tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-allow surfaceflinger {
-    power_service
-}:service_manager find;
 service_manager_local_audit_domain(surfaceflinger)
 auditallow surfaceflinger {
    tmp_system_server_service
+    -permission_service
    -power_service
+    -window_service
 }:service_manager find;
 ###

--- a/system_app.te
+++ b/system_app.te
@@ -57,21 +57,17 @@ allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-allow system_app {
-    activity_service
-    connectivity_service
-    display_service
-    dropbox_service
-}:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
    tmp_system_server_service
+    -accessibility_service
    -activity_service
+    -appops_service
    -connectivity_service
    -display_service
    -dropbox_service
+    -network_management_service
+    -user_service
 }:service_manager find;
 allow system_app keystore:keystore_key {

--- a/system_server.te
+++ b/system_server.te
@@ -386,27 +386,55 @@ auditallow system_server {
    -tmp_system_server_service
 }:service_manager find;
-# address tmp_system_server_service accesses
-allow system_server {
-    account_service
-    backup_service
-    dreams_service
-    mount_service
-    package_service
-    wallpaper_service
-    wifi_service
-}:service_manager find;
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
    tmp_system_server_service
+    -accessibility_service
    -account_service
+    -activity_service
+    -alarm_service
+    -appops_service
+    -assetatlas_service
+    -audio_service
    -backup_service
+    -batterystats_service
+    -bluetooth_manager_service
+    -connectivity_service
+    -content_service
+    -device_policy_service
+    -display_service
    -dreams_service
+    -dropbox_service
+    -ethernet_service
+    -hdmi_control_service
+    -input_method_service
+    -input_service
+    -jobscheduler_service
+    -location_service
+    -lock_settings_service
+    -media_router_service
+    -media_session_service
    -mount_service
+    -network_management_service
+    -network_score_service
+    -notification_service
    -package_service
+    -power_service
+    -registry_service
+    -sensorservice_service
+    -statusbar_service
+    -textservices_service
+    -trust_service
+    -uimode_service
+    -updatelock_service
+    -usagestats_service
+    -user_service
+    -vibrator_service
    -wallpaper_service
+    -webviewupdate_service
    -wifi_service
+    -wifip2p_service
+    -window_service
 }:service_manager find;
 allow system_server keystore:keystore_key {

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,43 +72,6 @@ allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app system_server_service:service_manager find;
 allow untrusted_app tmp_system_server_service:service_manager find;
-# address tmp_system_server_service accesses
-service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app {
-    accessibility_service
-    account_service
-    activity_service
-    appops_service
-    appwidget_service
-    assetatlas_service
-    audio_service
-    backup_service
-    batterystats_service
-    bluetooth_manager_service
-    connectivity_service
-    content_service
-    device_policy_service
-    display_service
-    dropbox_service
-    input_method_service
-    input_service
-    jobscheduler_service
-    location_service
-    mount_service
-    netstats_service
-    network_score_service
-    notification_service
-    persistent_data_block_service
-    power_service
-    registry_service
-    textservices_service
-    trust_service
-    uimode_service
-    user_service
-    webviewupdate_service
-    wifi_service
-}:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
    tmp_system_server_service
@@ -133,6 +96,7 @@ auditallow untrusted_app {
    -location_service
    -mount_service
    -netstats_service
+    -network_management_service
    -network_score_service
    -notification_service
    -persistent_data_block_service
@@ -142,6 +106,7 @@ auditallow untrusted_app {
    -trust_service
    -uimode_service
    -user_service
+    -vibrator_service
    -webviewupdate_service
    -wifi_service
 }:service_manager find;