From b075338d0e335eb2dbd786ae4f8e033e78eeca37 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 3 Apr 2015 14:24:02 -0700
Subject: [PATCH] Assign app_api_service attribute to services.
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.
Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
---
bluetooth.te | 2 --
mediaserver.te | 4 ++--
nfc.te | 3 ---
platform_app.te | 4 ----
radio.te | 4 ----
service.te | 8 ++++----
system_app.te | 4 ----
system_server.te | 4 ----
untrusted_app.te | 4 ----
9 files changed, 6 insertions(+), 31 deletions(-)
diff --git a/bluetooth.te b/bluetooth.te
index c670b176e..ad44ff1d6 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
service_manager_local_audit_domain(bluetooth)
auditallow bluetooth {
tmp_system_server_service
- -activity_service
- -appops_service
-audio_service
-bluetooth_manager_service
-connectivity_service
diff --git a/mediaserver.te b/mediaserver.te
index 77b54a392..6beae0621 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,6 +78,8 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
# Connect to tee service.
allow mediaserver tee:unix_stream_socket connectto;
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver surfaceflinger_service:service_manager find;
@@ -86,8 +88,6 @@ allow mediaserver tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
tmp_system_server_service
- -activity_service
- -appops_service
-batterystats_service
-permission_service
-power_service
diff --git a/nfc.te b/nfc.te
index 34e822894..556fd2021 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,9 +30,6 @@ allow nfc system_api_service:service_manager find;
service_manager_local_audit_domain(nfc)
auditallow nfc {
tmp_system_server_service
- -accessibility_service
- -activity_service
- -appops_service
-batterystats_service
-bluetooth_manager_service
-connectivity_service
diff --git a/platform_app.te b/platform_app.te
index d16ea1bae..7dedc5543 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,10 +39,6 @@ allow platform_app system_api_service:service_manager find;
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
- -accessibility_service
- -account_service
- -activity_service
- -appops_service
-appwidget_service
-assetatlas_service
-audio_service
diff --git a/radio.te b/radio.te
index 19a9aec01..5b158de7e 100644
--- a/radio.te
+++ b/radio.te
@@ -41,10 +41,6 @@ allow radio system_api_service:service_manager find;
service_manager_local_audit_domain(radio)
auditallow radio {
tmp_system_server_service
- -accessibility_service
- -account_service
- -activity_service
- -appops_service
-assetatlas_service
-bluetooth_manager_service
-connectivity_service
diff --git a/service.te b/service.te
index eafe163ca..e0bcc2f5f 100644
--- a/service.te
+++ b/service.te
@@ -11,11 +11,11 @@ type surfaceflinger_service, service_manager_type;
type system_app_service, service_manager_type;
# system_server_services broken down
-type accessibility_service, tmp_system_server_service, service_manager_type;
-type account_service, tmp_system_server_service, service_manager_type;
-type activity_service, tmp_system_server_service, service_manager_type;
+type accessibility_service, app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, system_server_service, service_manager_type;
type alarm_service, tmp_system_server_service, service_manager_type;
-type appops_service, tmp_system_server_service, service_manager_type;
+type appops_service, app_api_service, system_server_service, service_manager_type;
type appwidget_service, tmp_system_server_service, service_manager_type;
type assetatlas_service, tmp_system_server_service, service_manager_type;
type audio_service, tmp_system_server_service, service_manager_type;
diff --git a/system_app.te b/system_app.te
index 6e91dd0ea..eebc644a0 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,10 +60,6 @@ allow system_app system_api_service:service_manager find;
service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
- -accessibility_service
- -account_service
- -activity_service
- -appops_service
-appwidget_service
-assetatlas_service
-audio_service
diff --git a/system_server.te b/system_server.te
index c80e1859c..644ff05f5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -370,11 +370,7 @@ allow system_server tmp_system_server_service:service_manager { add find };
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
- -accessibility_service
- -account_service
- -activity_service
-alarm_service
- -appops_service
-assetatlas_service
-audio_service
-backup_service
diff --git a/untrusted_app.te b/untrusted_app.te
index b090fe468..f0961cbcd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,10 +90,6 @@ allow untrusted_app system_api_service:service_manager find;
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
tmp_system_server_service
- -accessibility_service
- -account_service
- -activity_service
- -appops_service
-appwidget_service
-assetatlas_service
-audio_service
--
GitLab