Merge "Add system_api_service and app_api_service attributes."

attributes

@@ -44,6 +44,13 @@ attribute property_type;
 
 # All service_manager types formerly given system_server_service type
 attribute tmp_system_server_service;
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
 
 # All types used for services managed by service_manager.
 attribute service_manager_type;

bluetooth.te

@@ -53,8 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth system_server_service:service_manager find;
 allow bluetooth tmp_system_server_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
 
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {

drmserver.te

@@ -50,7 +50,6 @@ allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
 allow drmserver drmserver_service:service_manager { add find };
-allow drmserver system_server_service:service_manager find;
 allow drmserver tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(drmserver)

mediaserver.te

@@ -80,7 +80,6 @@ allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
-allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;
 

nfc.te

@@ -23,8 +23,9 @@ allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
-allow nfc system_server_service:service_manager find;
 allow nfc tmp_system_server_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
 
 service_manager_local_audit_domain(nfc)
 auditallow nfc {

platform_app.te

@@ -32,8 +32,9 @@ allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {

radio.te

@@ -34,8 +34,9 @@ allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
-allow radio system_server_service:service_manager find;
 allow radio tmp_system_server_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
 
 service_manager_local_audit_domain(radio)
 auditallow radio {

service.te

@@ -10,8 +10,6 @@ type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
 
-type system_server_service,     service_manager_type;
-
 # system_server_services broken down
 type accessibility_service, tmp_system_server_service, service_manager_type;
 type account_service, tmp_system_server_service, service_manager_type;
@@ -27,31 +25,31 @@ type battery_service, tmp_system_server_service, service_manager_type;
 type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
 type clipboard_service, tmp_system_server_service, service_manager_type;
 type IMms_service, tmp_system_server_service, service_manager_type;
-type IProxyService_service, tmp_system_server_service, service_manager_type;
+type IProxyService_service, system_api_service, system_server_service, service_manager_type;
 type commontime_management_service, tmp_system_server_service, service_manager_type;
 type connectivity_service, tmp_system_server_service, service_manager_type;
-type consumer_ir_service, tmp_system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
 type content_service, tmp_system_server_service, service_manager_type;
 type country_detector_service, tmp_system_server_service, service_manager_type;
-type cpuinfo_service, tmp_system_server_service, service_manager_type;
-type dbinfo_service, tmp_system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, tmp_system_server_service, service_manager_type;
 type deviceidle_service, tmp_system_server_service, service_manager_type;
-type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, tmp_system_server_service, service_manager_type;
 type display_service, tmp_system_server_service, service_manager_type;
-type DockObserver_service, tmp_system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, tmp_system_server_service, service_manager_type;
 type dropbox_service, tmp_system_server_service, service_manager_type;
 type ethernet_service, tmp_system_server_service, service_manager_type;
 type fingerprint_service, tmp_system_server_service, service_manager_type;
-type gfxinfo_service, tmp_system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, tmp_system_server_service, service_manager_type;
 type hardware_service, tmp_system_server_service, service_manager_type;
 type hdmi_control_service, tmp_system_server_service, service_manager_type;
 type input_method_service, tmp_system_server_service, service_manager_type;
 type input_service, tmp_system_server_service, service_manager_type;
-type imms_service, tmp_system_server_service, service_manager_type;
+type imms_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, tmp_system_server_service, service_manager_type;
 type launcherapps_service, tmp_system_server_service, service_manager_type;
 type location_service, tmp_system_server_service, service_manager_type;
@@ -59,8 +57,8 @@ type lock_settings_service, tmp_system_server_service, service_manager_type;
 type media_projection_service, tmp_system_server_service, service_manager_type;
 type media_router_service, tmp_system_server_service, service_manager_type;
 type media_session_service, tmp_system_server_service, service_manager_type;
-type meminfo_service, tmp_system_server_service, service_manager_type;
-type midi_service, tmp_system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, system_server_service, service_manager_type;
 type mount_service, tmp_system_server_service, service_manager_type;
 type netpolicy_service, tmp_system_server_service, service_manager_type;
 type netstats_service, tmp_system_server_service, service_manager_type;
@@ -76,7 +74,7 @@ type processinfo_service, tmp_system_server_service, service_manager_type;
 type procstats_service, tmp_system_server_service, service_manager_type;
 type restrictions_service, tmp_system_server_service, service_manager_type;
 type rttmanager_service, tmp_system_server_service, service_manager_type;
-type samplingprofiler_service, tmp_system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, tmp_system_server_service, service_manager_type;
 type search_service, tmp_system_server_service, service_manager_type;
 type sensorservice_service, tmp_system_server_service, service_manager_type;
@@ -86,8 +84,9 @@ type statusbar_service, tmp_system_server_service, service_manager_type;
 type task_service, tmp_system_server_service, service_manager_type;
 type registry_service, tmp_system_server_service, service_manager_type;
 type textservices_service, tmp_system_server_service, service_manager_type;
+type telecom_service, tmp_system_server_service, service_manager_type;
 type trust_service, tmp_system_server_service, service_manager_type;
-type tv_input_service, tmp_system_server_service, service_manager_type;
+type tv_input_service, app_api_service, system_server_service, service_manager_type;
 type uimode_service, tmp_system_server_service, service_manager_type;
 type updatelock_service, tmp_system_server_service, service_manager_type;
 type usagestats_service, tmp_system_server_service, service_manager_type;
@@ -98,6 +97,6 @@ type voiceinteraction_service, tmp_system_server_service, service_manager_type;
 type wallpaper_service, tmp_system_server_service, service_manager_type;
 type webviewupdate_service, tmp_system_server_service, service_manager_type;
 type wifip2p_service, tmp_system_server_service, service_manager_type;
-type wifiscanner_service, tmp_system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, tmp_system_server_service, service_manager_type;
 type window_service, tmp_system_server_service, service_manager_type;

service_contexts

@@ -106,7 +106,7 @@ sip                                       u:object_r:radio_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:task_service:s0
-telecom                                   u:object_r:system_server_service:s0
+telecom                                   u:object_r:telecom_service:s0
 telephony.registry                        u:object_r:registry_service:s0
 textservices                              u:object_r:textservices_service:s0
 trust                                     u:object_r:trust_service:s0

shared_relro.te

@@ -10,7 +10,6 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;
 
 # Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro system_server_service:service_manager find;
 allow shared_relro tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(shared_relro)

surfaceflinger.te

@@ -61,7 +61,6 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 # media.player service
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger system_server_service:service_manager find;
 allow surfaceflinger tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(surfaceflinger)

system_app.te

@@ -53,8 +53,9 @@ allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
-allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
+allow system_app app_api_service:service_manager find;
+allow system_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(system_app)
 auditallow system_app {

untrusted_app.te

@@ -81,8 +81,11 @@ allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app system_server_service:service_manager find;
 allow untrusted_app tmp_system_server_service:service_manager find;
+allow untrusted_app app_api_service:service_manager find;
+
+# TODO: remove this once priv-apps are no longer running in untrusted_app
+allow untrusted_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {