Add system_api_service and app_api_service attributes.

System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b

Add system_api_service and app_api_service attributes.
d12993f0 · dcashman · b62b2020 · d12993f0 · d12993f0 · d12993f0
Commit d12993f0 authored 9 years ago by dcashman
--- a/attributes
+++ b/attributes
@@ -44,6 +44,13 @@ attribute property_type;

 # All service_manager types formerly given system_server_service type
 attribute tmp_system_server_service;
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which export only system_api
+attribute system_api_service;

 # All types used for services managed by service_manager.
 attribute service_manager_type;

--- a/bluetooth.te
+++ b/bluetooth.te
@@ -53,8 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth system_server_service:service_manager find;
 allow bluetooth tmp_system_server_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;

 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {

--- a/drmserver.te
+++ b/drmserver.te
@@ -50,7 +50,6 @@ allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;

 allow drmserver drmserver_service:service_manager { add find };
-allow drmserver system_server_service:service_manager find;
 allow drmserver tmp_system_server_service:service_manager find;

 service_manager_local_audit_domain(drmserver)

--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,7 +80,6 @@ allow mediaserver tee:unix_stream_socket connectto;

 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
-allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;


--- a/nfc.te
+++ b/nfc.te
@@ -23,8 +23,9 @@ allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
-allow nfc system_server_service:service_manager find;
 allow nfc tmp_system_server_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;

 service_manager_local_audit_domain(nfc)
 auditallow nfc {

--- a/platform_app.te
+++ b/platform_app.te
@@ -32,8 +32,9 @@ allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;

 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {

--- a/radio.te
+++ b/radio.te
@@ -34,8 +34,9 @@ allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
-allow radio system_server_service:service_manager find;
 allow radio tmp_system_server_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;

 service_manager_local_audit_domain(radio)
 auditallow radio {

--- a/service.te
+++ b/service.te
@@ -10,8 +10,6 @@ type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;

-type system_server_service,     service_manager_type;
-
 # system_server_services broken down
 type accessibility_service, tmp_system_server_service, service_manager_type;
 type account_service, tmp_system_server_service, service_manager_type;
@@ -27,31 +25,31 @@ type battery_service, tmp_system_server_service, service_manager_type;
 type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
 type clipboard_service, tmp_system_server_service, service_manager_type;
 type IMms_service, tmp_system_server_service, service_manager_type;
-type IProxyService_service, tmp_system_server_service, service_manager_type;
+type IProxyService_service, system_api_service, system_server_service, service_manager_type;
 type commontime_management_service, tmp_system_server_service, service_manager_type;
 type connectivity_service, tmp_system_server_service, service_manager_type;
-type consumer_ir_service, tmp_system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
 type content_service, tmp_system_server_service, service_manager_type;
 type country_detector_service, tmp_system_server_service, service_manager_type;
-type cpuinfo_service, tmp_system_server_service, service_manager_type;
-type dbinfo_service, tmp_system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, tmp_system_server_service, service_manager_type;
 type deviceidle_service, tmp_system_server_service, service_manager_type;
-type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, tmp_system_server_service, service_manager_type;
 type display_service, tmp_system_server_service, service_manager_type;
-type DockObserver_service, tmp_system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, tmp_system_server_service, service_manager_type;
 type dropbox_service, tmp_system_server_service, service_manager_type;
 type ethernet_service, tmp_system_server_service, service_manager_type;
 type fingerprint_service, tmp_system_server_service, service_manager_type;
-type gfxinfo_service, tmp_system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, tmp_system_server_service, service_manager_type;
 type hardware_service, tmp_system_server_service, service_manager_type;
 type hdmi_control_service, tmp_system_server_service, service_manager_type;
 type input_method_service, tmp_system_server_service, service_manager_type;
 type input_service, tmp_system_server_service, service_manager_type;
-type imms_service, tmp_system_server_service, service_manager_type;
+type imms_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, tmp_system_server_service, service_manager_type;
 type launcherapps_service, tmp_system_server_service, service_manager_type;
 type location_service, tmp_system_server_service, service_manager_type;
@@ -59,8 +57,8 @@ type lock_settings_service, tmp_system_server_service, service_manager_type;
 type media_projection_service, tmp_system_server_service, service_manager_type;
 type media_router_service, tmp_system_server_service, service_manager_type;
 type media_session_service, tmp_system_server_service, service_manager_type;
-type meminfo_service, tmp_system_server_service, service_manager_type;
-type midi_service, tmp_system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, system_server_service, service_manager_type;
 type mount_service, tmp_system_server_service, service_manager_type;
 type netpolicy_service, tmp_system_server_service, service_manager_type;
 type netstats_service, tmp_system_server_service, service_manager_type;
@@ -76,7 +74,7 @@ type processinfo_service, tmp_system_server_service, service_manager_type;
 type procstats_service, tmp_system_server_service, service_manager_type;
 type restrictions_service, tmp_system_server_service, service_manager_type;
 type rttmanager_service, tmp_system_server_service, service_manager_type;
-type samplingprofiler_service, tmp_system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, tmp_system_server_service, service_manager_type;
 type search_service, tmp_system_server_service, service_manager_type;
 type sensorservice_service, tmp_system_server_service, service_manager_type;
@@ -86,8 +84,9 @@ type statusbar_service, tmp_system_server_service, service_manager_type;
 type task_service, tmp_system_server_service, service_manager_type;
 type registry_service, tmp_system_server_service, service_manager_type;
 type textservices_service, tmp_system_server_service, service_manager_type;
+type telecom_service, tmp_system_server_service, service_manager_type;
 type trust_service, tmp_system_server_service, service_manager_type;
-type tv_input_service, tmp_system_server_service, service_manager_type;
+type tv_input_service, app_api_service, system_server_service, service_manager_type;
 type uimode_service, tmp_system_server_service, service_manager_type;
 type updatelock_service, tmp_system_server_service, service_manager_type;
 type usagestats_service, tmp_system_server_service, service_manager_type;
@@ -98,6 +97,6 @@ type voiceinteraction_service, tmp_system_server_service, service_manager_type;
 type wallpaper_service, tmp_system_server_service, service_manager_type;
 type webviewupdate_service, tmp_system_server_service, service_manager_type;
 type wifip2p_service, tmp_system_server_service, service_manager_type;
-type wifiscanner_service, tmp_system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, tmp_system_server_service, service_manager_type;
 type window_service, tmp_system_server_service, service_manager_type;
--- a/service_contexts
+++ b/service_contexts
@@ -106,7 +106,7 @@ sip                                       u:object_r:radio_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:task_service:s0
-telecom                                   u:object_r:system_server_service:s0
+telecom                                   u:object_r:telecom_service:s0
 telephony.registry                        u:object_r:registry_service:s0
 textservices                              u:object_r:textservices_service:s0
 trust                                     u:object_r:trust_service:s0

--- a/shared_relro.te
+++ b/shared_relro.te
@@ -10,7 +10,6 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;

 # Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro system_server_service:service_manager find;
 allow shared_relro tmp_system_server_service:service_manager find;

 service_manager_local_audit_domain(shared_relro)

--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -61,7 +61,6 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 # media.player service
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger system_server_service:service_manager find;
 allow surfaceflinger tmp_system_server_service:service_manager find;

 service_manager_local_audit_domain(surfaceflinger)

--- a/system_app.te
+++ b/system_app.te
@@ -53,8 +53,9 @@ allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
-allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
+allow system_app app_api_service:service_manager find;
+allow system_app system_api_service:service_manager find;

 service_manager_local_audit_domain(system_app)
 auditallow system_app {

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,8 +81,11 @@ allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app system_server_service:service_manager find;
 allow untrusted_app tmp_system_server_service:service_manager find;
+allow untrusted_app app_api_service:service_manager find;
+
+# TODO: remove this once priv-apps are no longer running in untrusted_app
+allow untrusted_app system_api_service:service_manager find;

 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {