Further refined service_manager auditallow statements.

Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain. Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0

Further refined service_manager auditallow statements.
603bc205 · Riley Spahn · 26d6371c · 603bc205 · 603bc205 · 603bc205
Commit 603bc205 authored 10 years ago by Riley Spahn
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -54,6 +54,7 @@ service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
    service_manager_type
    -bluetooth_service
+    -radio_service
    -system_server_service
 }:service_manager find;

--- a/drmserver.te
+++ b/drmserver.te
@@ -49,4 +49,8 @@ allow drmserver drmserver_service:service_manager add;
 # Audited locally.
 service_manager_local_audit_domain(drmserver)
-auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
+auditallow drmserver {
+    service_manager_type
+    -drmserver_service
+    -system_server_service
+}:service_manager find;
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -96,3 +96,18 @@ control_logd(dumpstate)
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
+service_manager_local_audit_domain(dumpstate)
+auditallow dumpstate {
+    service_manager_type
+    -drmserver_service
+    -healthd_service
+    -inputflinger_service
+    -keystore_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -system_app_service
+    -system_server_service
+}:service_manager find;
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,4 +21,9 @@ allow isolated_app app_data_file:file execute;
 # Audited locally.
 service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app service_manager_type:service_manager find;
+auditallow isolated_app {
+    service_manager_type
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
--- a/nfc.te
+++ b/nfc.te
@@ -21,5 +21,6 @@ service_manager_local_audit_domain(nfc)
 auditallow nfc {
    service_manager_type
    -mediaserver_service
+    -surfaceflinger_service
    -system_server_service
 }:service_manager find;
--- a/radio.te
+++ b/radio.te
@@ -35,5 +35,6 @@ auditallow radio {
    service_manager_type
    -mediaserver_service
    -radio_service
+    -surfaceflinger_service
    -system_server_service
 }:service_manager find;
--- a/system_app.te
+++ b/system_app.te
@@ -69,7 +69,9 @@ control_logd(system_app)
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
    service_manager_type
+    -keystore_service
    -nfc_service
+    -radio_service
    -surfaceflinger_service
    -system_server_service
 }:service_manager find;
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -69,6 +69,7 @@ service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
    service_manager_type
    -drmserver_service
+    -keystore_service
    -mediaserver_service
    -nfc_service
    -radio_service