From 603bc2050959dd353154bf33fa0c2b0612da9c6e Mon Sep 17 00:00:00 2001
From: Riley Spahn <rileyspahn@google.com>
Date: Fri, 18 Jul 2014 09:24:13 -0700
Subject: [PATCH] Further refined service_manager auditallow statements.

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
---
 bluetooth.te     |  1 +
 drmserver.te     |  6 +++++-
 dumpstate.te     | 15 +++++++++++++++
 isolated_app.te  |  7 ++++++-
 nfc.te           |  1 +
 radio.te         |  1 +
 system_app.te    |  2 ++
 untrusted_app.te |  1 +
 8 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index 8ba56b0e2..56fe17058 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -54,6 +54,7 @@ service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
     service_manager_type
     -bluetooth_service
+    -radio_service
     -system_server_service
 }:service_manager find;
 
diff --git a/drmserver.te b/drmserver.te
index 12e3ac7c8..14b2f4936 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -49,4 +49,8 @@ allow drmserver drmserver_service:service_manager add;
 
 # Audited locally.
 service_manager_local_audit_domain(drmserver)
-auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
+auditallow drmserver {
+    service_manager_type
+    -drmserver_service
+    -system_server_service
+}:service_manager find;
diff --git a/dumpstate.te b/dumpstate.te
index 279fd98fb..242cb9326 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -96,3 +96,18 @@ control_logd(dumpstate)
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
+
+service_manager_local_audit_domain(dumpstate)
+auditallow dumpstate {
+    service_manager_type
+    -drmserver_service
+    -healthd_service
+    -inputflinger_service
+    -keystore_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -system_app_service
+    -system_server_service
+}:service_manager find;
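Review bot: The new dumpstate block has no `# Audited locally.` comment above `service_manager_local_audit_domain(dumpstate)`, unlike the drmserver.te and isolated_app.te sections of this same patch, and nothing explains the ten subtracted service types. Every type subtracted from the set stops producing an audit record when dumpstate finds it, so a reader needs to tell deliberate exclusions from leftovers. A header such as `# Audited locally; excluded types are services dumpstate is expected to look up.` would cover that, with the wording confirmed by the author. The list includes keystore_service, so each entry is worth checking against the audit logs that presumably motivated it, rather than carrying it over from another domain.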
diff --git a/isolated_app.te b/isolated_app.te
index 27b0e40c0..5929b2593 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,4 +21,9 @@ allow isolated_app app_data_file:file execute;
 
 # Audited locally.
 service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app service_manager_type:service_manager find;
+auditallow isolated_app {
+    service_manager_type
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
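Review bot: isolated_app audited every service_manager find before this hunk, and the new set stops logging finds of radio_service, surfaceflinger_service and system_server_service without saying why a sandboxed process is expected to look those up. auditallow only records granted access, so the subtraction changes no permission. It does remove the log evidence that would later be used to narrow the allow rule, which sits outside this hunk. If these lookups were seen in logs from legitimate use, record that in a comment above the statement, e.g. `# radio, surfaceflinger and system_server finds observed in normal operation; audit the rest.` system_server_service looks like a coarse type, so keeping it audited for this domain until it is split into finer types may be the safer choice.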
diff --git a/nfc.te b/nfc.te
index c32e9d597..2b851a276 100644
--- a/nfc.te
+++ b/nfc.te
@@ -21,5 +21,6 @@ service_manager_local_audit_domain(nfc)
 auditallow nfc {
     service_manager_type
     -mediaserver_service
+    -surfaceflinger_service
     -system_server_service
 }:service_manager find;
diff --git a/radio.te b/radio.te
index 11691cb52..5f45df33c 100644
--- a/radio.te
+++ b/radio.te
@@ -35,5 +35,6 @@ auditallow radio {
     service_manager_type
     -mediaserver_service
     -radio_service
+    -surfaceflinger_service
     -system_server_service
 }:service_manager find;
diff --git a/system_app.te b/system_app.te
index 24b135e5d..5a5888f2f 100644
--- a/system_app.te
+++ b/system_app.te
@@ -69,7 +69,9 @@ control_logd(system_app)
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     service_manager_type
+    -keystore_service
     -nfc_service
+    -radio_service
     -surfaceflinger_service
     -system_server_service
 }:service_manager find;
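Review bot: `-keystore_service` is subtracted here and again in the untrusted_app.te hunk, so finds of the keystore service by both app domains stop being logged, and neither the policy nor the commit message records the reason. If app lookups of keystore are routine and were only adding noise to the audit log, a one-line comment above each statement such as `# keystore finds are expected from apps; not audited.` (wording to be confirmed by the author) keeps that decision reviewable. The auditallow statement in untrusted_app.te continues past the end of its hunk, so its full exclusion list is not visible in this patch.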
diff --git a/untrusted_app.te b/untrusted_app.te
index ef7f1b5f9..c97b4513b 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -69,6 +69,7 @@ service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     service_manager_type
     -drmserver_service
+    -keystore_service
     -mediaserver_service
     -nfc_service
     -radio_service
-- 
GitLab