diff --git a/adbd.te b/adbd.te
index c21e70331a4716ad3ce7ef9210f6e005230efbcc..f5cebd26958bae06a3bcde0a30260414f84972a5 100644
--- a/adbd.te
+++ b/adbd.te
@@ -79,8 +79,4 @@ allow adbd system_file:file r_file_perms;
allow adbd kernel:security read_policy;
-service_manager_local_audit_domain(adbd)
-auditallow adbd {
- service_manager_type
- -surfaceflinger_service
-}:service_manager find;
+allow adbd surfaceflinger_service:service_manager find;
diff --git a/bluetooth.te b/bluetooth.te
index 56fe17058c4cc95a6c417016eda2a68bc669cc60..d6adc3b492752cc7189e54cd9a2a932527a97536 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,14 +49,9 @@ allow bluetooth bluetooth_prop:property_service set;
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;
-# Audited locally.
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
- service_manager_type
- -bluetooth_service
- -radio_service
- -system_server_service
-}:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth system_server_service:service_manager find;
###
### Neverallow rules
diff --git a/bootanim.te b/bootanim.te
index e0e25b9672b31ff903b20add3e26f5726ea99f81..dd1e57a4daf5043f79d60c39aaaed76a881c5aa1 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -16,6 +16,4 @@ allow bootanim oemfs:file r_file_perms;
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(bootanim)
-auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
diff --git a/domain.te b/domain.te
index 243c992f32f2100c63ce50d1c48bcfba75930e07..52920a72d9d52ed5243cede416cb1f5bff58f6ec 100644
--- a/domain.te
+++ b/domain.te
@@ -165,11 +165,6 @@ allow domain security_file:lnk_file r_file_perms;
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-allow domain servicemanager:service_manager list;
-auditallow { domain -dumpstate } servicemanager:service_manager list;
-allow domain service_manager_type:service_manager find;
-auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
-
###
### neverallow rules
###
diff --git a/drmserver.te b/drmserver.te
index ba7e62fc28f572a1cb96841a7fca07d9c9377400..37edbfe9af453a1c52c81769c7599479c47c2c6c 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -45,18 +45,11 @@ allow drmserver asec_apk_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr };
-allow drmserver drmserver_service:service_manager add;
-
# /oem access
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
- service_manager_type
- -drmserver_service
- -system_server_service
-}:service_manager find;
+allow drmserver drmserver_service:service_manager { add find };
+allow drmserver system_server_service:service_manager find;
selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index e5ccb562da57be1ee8538b1333be98b9f0ef1601..df1506702c5ee0ae713664ae8ece59bb95d2fad4 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -106,17 +106,15 @@ allow dumpstate tombstone_data_file:file r_file_perms;
# Access /system/bin executables to determine type of executable.
allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
-service_manager_local_audit_domain(dumpstate)
-auditallow dumpstate {
- service_manager_type
- -drmserver_service
- -healthd_service
- -inputflinger_service
- -keystore_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -system_app_service
- -system_server_service
+allow dumpstate {
+ drmserver_service
+ healthd_service
+ inputflinger_service
+ keystore_service
+ mediaserver_service
+ nfc_service
+ radio_service
+ surfaceflinger_service
+ system_app_service
+ system_server_service
}:service_manager find;
diff --git a/healthd.te b/healthd.te
index 3cb69bf8eda643d1eadab3989e9fe653c313b86b..2ea825c8f36fc15b996d39e354dd7631cfb4a35e 100644
--- a/healthd.te
+++ b/healthd.te
@@ -38,11 +38,7 @@ allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;
-allow healthd healthd_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(healthd)
-auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+allow healthd healthd_service:service_manager { add find };
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
diff --git a/inputflinger.te b/inputflinger.te
index 4377a104f833fff9bddcae4ffdbf26f5b0496bde..0a8dd9023a90dc71886069ce68ed121aea5e0450 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -8,8 +8,4 @@ binder_service(inputflinger)
binder_call(inputflinger, system_server)
-allow inputflinger inputflinger_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(inputflinger)
-auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
+allow inputflinger inputflinger_service:service_manager { add find };
diff --git a/isolated_app.te b/isolated_app.te
index 6fc7a99abb81cf61524138184fcd38e0eb1c99db..8c45492935c93fd25a92be8a627961dd9f977e6c 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,11 +21,6 @@ neverallow isolated_app app_data_file:file open;
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:file { rw_file_perms execute };
-# Audited locally.
-service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app {
- service_manager_type
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow isolated_app radio_service:service_manager find;
+allow isolated_app surfaceflinger_service:service_manager find;
+allow isolated_app system_server_service:service_manager find;
diff --git a/keystore.te b/keystore.te
index 700b99ba0fff02ace0167146acbad1574919f96c..6a89df33a34f0a5e4e5c63c4369534e5b4822b21 100644
--- a/keystore.te
+++ b/keystore.te
@@ -26,11 +26,7 @@ neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace;
-allow keystore keystore_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(keystore)
-auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+allow keystore keystore_service:service_manager { add find };
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index 711f4df7e5f2c4dc4a626cf940a25df0bc0be089..54112af2abe232e80d8fe8059cdfa766a0de8fae 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,22 +78,15 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
# Connect to tee service.
allow mediaserver tee:unix_stream_socket connectto;
-allow mediaserver mediaserver_service:service_manager add;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver system_server_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
- service_manager_type
- -drmserver_service
- -mediaserver_service
- -system_server_service
- -surfaceflinger_service
-}:service_manager find;
-
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
diff --git a/nfc.te b/nfc.te
index 4113d3172a2855921b97ae7adfe187a446c02d2a..ad88bd98fb59ca9363a59e5ea4a1922e5cbff233 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,13 +18,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
+allow nfc mediaserver_service:service_manager find;
allow nfc nfc_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
- service_manager_type
- -mediaserver_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow nfc surfaceflinger_service:service_manager find;
+allow nfc system_server_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index a44e35d8acb8c87403f05b7ddcdede7d97100d42..d34c9f1fc838e5927a1c3f3fab70d1dcaeba8315 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -28,12 +28,7 @@ allow platform_app media_rw_data_file:file create_file_perms;
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
- service_manager_type
- -mediaserver_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app system_server_service:service_manager find;
diff --git a/radio.te b/radio.te
index e6ffac267fc79a791dd1c2eba340d706e9721a92..9282055f2cc5229aceca8c9b0d9ee3cc820f204e 100644
--- a/radio.te
+++ b/radio.te
@@ -30,14 +30,7 @@ auditallow radio system_radio_prop:property_service set;
# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
-allow radio radio_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(radio)
-auditallow radio {
- service_manager_type
- -mediaserver_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio radio_service:service_manager { add find };
+allow radio surfaceflinger_service:service_manager find;
+allow radio system_server_service:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index ff91993ec4d3c14be974ae63850a8a483e094a1c..02cb43310defbe0072733ac3b19d22fb4a1833d4 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -57,15 +57,11 @@ r_dir_file(surfaceflinger, dumpstate)
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
-allow surfaceflinger surfaceflinger_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
- service_manager_type
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+
+# media.player service
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+allow surfaceflinger system_server_service:service_manager find;
###
### Neverallow rules
diff --git a/system_app.te b/system_app.te
index fed44d1f6d92cc7d92c2c2316c25741b4a56e8f3..9a91624cfaf5f239ba21a3d13215c1d9c1a47c7f 100644
--- a/system_app.te
+++ b/system_app.te
@@ -48,7 +48,12 @@ allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+allow system_app keystore_service:service_manager find;
+allow system_app nfc_service:service_manager find;
+allow system_app radio_service:service_manager find;
+allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
+allow system_app system_server_service:service_manager find;
allow system_app keystore:keystore_key {
test
@@ -70,14 +75,3 @@ allow system_app keystore:keystore_key {
};
control_logd(system_app)
-
-# Audited locally.
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
- service_manager_type
- -keystore_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
diff --git a/system_server.te b/system_server.te
index a8348e7202ef2d001a79519bae11474e6a7d9913..9dc1e90c8cb200211ab452043cd2afbe6b514615 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,10 +364,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;
-allow system_server system_server_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(system_server)
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
+
+# TODO: Remove. Make up for previously lacking auditing.
+allow system_server service_manager_type:service_manager find;
+auditallow system_server {
+ service_manager_type
+ -healthd_service
+ -keystore_service
+ -mediaserver_service
+ -radio_service
+ -system_server_service
+ -surfaceflinger_service
+}:service_manager find;
allow system_server keystore:keystore_key {
test
diff --git a/untrusted_app.te b/untrusted_app.te
index 3fd4a40cce5df2813fb17310b4d13e5fd4dbd07b..e558076018411b0995c6c8fcf4c325508c124da2 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -63,18 +63,13 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
- service_manager_type
- -drmserver_service
- -keystore_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow untrusted_app drmserver_service:service_manager find;
+allow untrusted_app keystore_service:service_manager find;
+allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app nfc_service:service_manager find;
+allow untrusted_app radio_service:service_manager find;
+allow untrusted_app surfaceflinger_service:service_manager find;
+allow untrusted_app system_server_service:service_manager find;
###
### neverallow rules