From c631ede7dc7cb131b1bdd03ce296eeac53dc9add Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Thu, 15 Jan 2015 15:12:18 -0800
Subject: [PATCH] Remove known system_server service accesses from auditing.
Address observed audit logs of the form: granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager in order to record existing relationships with services.
Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
---
 platform_app.te | 16 ++++++++++--
 system_app.te | 17 +++++++++++++
 system_server.te | 17 +++++++++++--
 untrusted_app.te | 66 ++++++++++++++++++++++++++++++------------------
 4 files changed, 87 insertions(+), 29 deletions(-)
diff --git a/platform_app.te b/platform_app.te
index 3f01769eb..d98442e5d 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,12 +36,24 @@ allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
 # address tmp_system_server_service accesses
-allow platform_app input_service:service_manager find;
-allow platform_app lock_settings_service:service_manager find;
+allow platform_app {
+ activity_service
+ connectivity_service
+ display_service
+ dropbox_service
+ input_service
+ lock_settings_service
+ mount_service
+}:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
 tmp_system_server_service
+ -activity_service
+ -connectivity_service
+ -display_service
+ -dropbox_service
 -input_service
 -lock_settings_service
+ -mount_service
 }:service_manager find;
\ No newline at end of file
diff --git a/system_app.te b/system_app.te
index a445e574d..12a51952e 100644
--- a/system_app.te
+++ b/system_app.te
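Review bot: In platform_app.te the new `allow platform_app { … }` list and the `-…` exclusions in the `auditallow` after it are two hand-maintained copies of the same seven services, and the only comment, `# address tmp_system_server_service accesses`, does not say they must stay identical. A service that is excluded from the audit but missing from the allow would, while it still carries the temporary attribute, keep resolving through `tmp_system_server_service` without producing a `granted` record, so the dependency would go unnoticed until that attribute is dropped. I would add a comment above the allow such as `# Services seen in auditallow logs for this domain; keep this list identical to the "-" exclusions in the auditallow below.` The same pairing is repeated in the system_app.te, system_server.te and untrusted_app.te hunks.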
@@ -57,6 +57,23 @@ allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
+# address tmp_system_server_service accesses
+allow system_app {
+ activity_service
+ connectivity_service
+ display_service
+ dropbox_service
+}:service_manager find;
+
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+ tmp_system_server_service
+ -activity_service
+ -connectivity_service
+ -display_service
+ -dropbox_service
+}:service_manager find;
+
 allow system_app keystore:keystore_key {
 test
 get
diff --git a/system_server.te b/system_server.te
index 45c493600..73ff33ced 100644
--- a/system_server.te
+++ b/system_server.te
@@ -383,17 +383,30 @@ auditallow system_server {
 -radio_service
 -system_server_service
 -surfaceflinger_service
+ -tmp_system_server_service
 }:service_manager find;
 # address tmp_system_server_service accesses
-allow system_server dreams_service:service_manager find;
-allow system_server mount_service:service_manager find;
+allow system_server {
+ account_service
+ backup_service
+ dreams_service
+ mount_service
+ package_service
+ wallpaper_service
+ wifi_service
+}:service_manager find;
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
 tmp_system_server_service
+ -account_service
+ -backup_service
 -dreams_service
 -mount_service
+ -package_service
+ -wallpaper_service
+ -wifi_service
 }:service_manager find;
 allow system_server keystore:keystore_key {
diff --git a/untrusted_app.te b/untrusted_app.te
index 40dc8cb78..18d71cdfa 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
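Review bot: In the system_server.te hunk, `-tmp_system_server_service` is added to an `auditallow` whose opening lines are outside the hunk, so as far as the hunk shows, the only rule still logging system_server lookups of temporary-attribute services is the second `auditallow` further down. Nothing in the file says the two blocks depend on each other. If the lower block is later removed as cleanup while this exclusion stays, those lookups stop being logged and no policy error points it out. A comment on the new exclusion would record the link, for example `# tmp_system_server_service finds are audited by the dedicated auditallow below`.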
@@ -74,31 +74,40 @@ allow untrusted_app tmp_system_server_service:service_manager find;
 # address tmp_system_server_service accesses
 service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app accessibility_service:service_manager find;
-allow untrusted_app account_service:service_manager find;
-allow untrusted_app activity_service:service_manager find;
-allow untrusted_app appops_service:service_manager find;
-allow untrusted_app appwidget_service:service_manager find;
-allow untrusted_app assetatlas_service:service_manager find;
-allow untrusted_app audio_service:service_manager find;
-allow untrusted_app bluetooth_manager_service:service_manager find;
-allow untrusted_app connectivity_service:service_manager find;
-allow untrusted_app content_service:service_manager find;
-allow untrusted_app device_policy_service:service_manager find;
-allow untrusted_app display_service:service_manager find;
-allow untrusted_app dropbox_service:service_manager find;
-allow untrusted_app input_method_service:service_manager find;
-allow untrusted_app input_service:service_manager find;
-allow untrusted_app jobscheduler_service:service_manager find;
-allow untrusted_app notification_service:service_manager find;
-allow untrusted_app persistent_data_block_service:service_manager find;
-allow untrusted_app power_service:service_manager find;
-allow untrusted_app registry_service:service_manager find;
-allow untrusted_app textservices_service:service_manager find;
-allow untrusted_app trust_service:service_manager find;
-allow untrusted_app user_service:service_manager find;
-allow untrusted_app webviewupdate_service:service_manager find;
-allow untrusted_app wifi_service:service_manager find;
+allow untrusted_app {
+ accessibility_service
+ account_service
+ activity_service
+ appops_service
+ appwidget_service
+ assetatlas_service
+ audio_service
+ backup_service
+ batterystats_service
+ bluetooth_manager_service
+ connectivity_service
+ content_service
+ device_policy_service
+ display_service
+ dropbox_service
+ input_method_service
+ input_service
+ jobscheduler_service
+ location_service
+ mount_service
+ netstats_service
+ network_score_service
+ notification_service
+ persistent_data_block_service
+ power_service
+ registry_service
+ textservices_service
+ trust_service
+ uimode_service
+ user_service
+ webviewupdate_service
+ wifi_service
+}:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
@@ -110,6 +119,8 @@ auditallow untrusted_app {
 -appwidget_service
 -assetatlas_service
 -audio_service
+ -backup_service
+ -batterystats_service
 -bluetooth_manager_service
 -connectivity_service
 -content_service
@@ -119,12 +130,17 @@ auditallow untrusted_app {
 -input_method_service
 -input_service
 -jobscheduler_service
+ -location_service
+ -mount_service
+ -netstats_service
+ -network_score_service
 -notification_service
 -persistent_data_block_service
 -power_service
 -registry_service
 -textservices_service
 -trust_service
+ -uimode_service
 -user_service
 -webviewupdate_service
 -wifi_service
-- GitLab
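Review bot: Nothing in untrusted_app.te records why `backup_service`, `batterystats_service`, `location_service`, `mount_service`, `netstats_service`, `network_score_service` and `uimode_service` were accepted for the domain third-party apps run in; the rewritten `allow untrusted_app { … }` block adds them and the two later hunks drop the same seven from the `auditallow`. Because the first hunk's heading line already grants `find` on `tmp_system_server_service`, access is presumably not widened today, but these lookups stop being logged and the now-explicit grant would outlive the temporary attribute. `find` only covers obtaining the service reference from the service manager, which leaves each service's own caller checks as the remaining gate. I would state that above the list, e.g. `# Lookups observed from third-party apps (Bug: 18106000). find only hands out the reference; every service listed here must enforce its own permission checks.` Separately, `service_manager_local_audit_domain(untrusted_app)` now sits both above the allow block and again before the `auditallow`, which looks redundant.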