From 91b7c67d1647b2a88b1547cc57b69fc685bbac18 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 7 Apr 2015 15:48:58 -0700
Subject: [PATCH] Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:
jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats
Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
---
bluetooth.te | 1 -
platform_app.te | 7 -------
radio.te | 1 -
service.te | 20 ++++++++++----------
system_app.te | 4 ----
system_server.te | 7 -------
untrusted_app.te | 11 -----------
7 files changed, 10 insertions(+), 41 deletions(-)
diff --git a/bluetooth.te b/bluetooth.te
index 863cbd877..4f1ef6e55 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,7 +60,6 @@ allow bluetooth system_api_service:service_manager find;
service_manager_local_audit_domain(bluetooth)
auditallow bluetooth {
tmp_system_server_service
- -media_session_service
-network_management_service
-power_service
-registry_service
diff --git a/platform_app.te b/platform_app.te
index 3676c5d3f..89b3a6625 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,13 +39,6 @@ allow platform_app system_api_service:service_manager find;
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
- -lock_settings_service
- -media_projection_service
- -media_router_service
- -media_session_service
- -mount_service
- -netpolicy_service
- -netstats_service
-network_management_service
-notification_service
-power_service
diff --git a/radio.te b/radio.te
index f71d02fde..c14e964d6 100644
--- a/radio.te
+++ b/radio.te
@@ -41,7 +41,6 @@ allow radio system_api_service:service_manager find;
service_manager_local_audit_domain(radio)
auditallow radio {
tmp_system_server_service
- -netstats_service
-network_management_service
-notification_service
-power_service
diff --git a/service.te b/service.te
index 451c9d080..bbca5e7bf 100644
--- a/service.te
+++ b/service.te
@@ -50,18 +50,18 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
type input_method_service, app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, tmp_system_server_service, service_manager_type;
-type launcherapps_service, tmp_system_server_service, service_manager_type;
-type location_service, tmp_system_server_service, service_manager_type;
-type lock_settings_service, tmp_system_server_service, service_manager_type;
-type media_projection_service, tmp_system_server_service, service_manager_type;
-type media_router_service, tmp_system_server_service, service_manager_type;
-type media_session_service, tmp_system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, system_server_service, service_manager_type;
-type mount_service, tmp_system_server_service, service_manager_type;
-type netpolicy_service, tmp_system_server_service, service_manager_type;
-type netstats_service, tmp_system_server_service, service_manager_type;
+type mount_service, app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, system_server_service, service_manager_type;
+type netstats_service, system_api_service, system_server_service, service_manager_type;
type network_management_service, tmp_system_server_service, service_manager_type;
type network_score_service, tmp_system_server_service, service_manager_type;
type notification_service, tmp_system_server_service, service_manager_type;
diff --git a/system_app.te b/system_app.te
index 7d934d12a..d518e1194 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,10 +60,6 @@ allow system_app system_api_service:service_manager find;
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
- -lock_settings_service
- -media_session_service
- -mount_service
- -netstats_service
-network_management_service
-network_score_service
-notification_service
diff --git a/system_server.te b/system_server.te
index 80e06e834..895bd4464 100644
--- a/system_server.te
+++ b/system_server.te
@@ -372,13 +372,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
- -jobscheduler_service
- -location_service
- -lock_settings_service
- -media_router_service
- -media_session_service
- -mount_service
- -netpolicy_service
-network_management_service
-network_score_service
-notification_service
diff --git a/untrusted_app.te b/untrusted_app.te
index a51c6eaaf..c1135e86b 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,17 +90,6 @@ allow untrusted_app system_api_service:service_manager find;
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
- -healthd_service
- -jobscheduler_service
- -launcherapps_service
- -location_service
- -lock_settings_service
- -media_router_service
- -media_session_service
- -meminfo_service
- -mount_service
- -netpolicy_service
- -netstats_service
-network_management_service
-network_score_service
-notification_service
--
GitLab