From d4c78f4b3fed1ca77aa9f13e757644aca3ed2b21 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Mon, 6 Apr 2015 17:27:42 -0700
Subject: [PATCH] Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
---
 bluetooth.te     |  2 --
 nfc.te           |  3 ---
 platform_app.te  |  4 ----
 radio.te         |  4 ----
 service.te       | 19 +++++++++----------
 service_contexts |  1 -
 system_app.te    |  4 ----
 system_server.te |  5 -----
 untrusted_app.te |  7 -------
 9 files changed, 9 insertions(+), 40 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index 95307021a..b90e48feb 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,8 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
     tmp_system_server_service
-    -bluetooth_manager_service
-    -connectivity_service
     -display_service
     -dropbox_service
     -media_session_service
diff --git a/nfc.te b/nfc.te
index 0cfc44724..156aeb703 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,9 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
     tmp_system_server_service
-    -bluetooth_manager_service
-    -connectivity_service
-    -content_service
     -display_service
     -dropbox_service
     -network_management_service
diff --git a/platform_app.te b/platform_app.te
index 2f1b87cef..0016f2070 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,10 +39,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
-    -bluetooth_manager_service
-    -connectivity_service
-    -content_service
-    -device_policy_service
     -display_service
     -dreams_service
     -dropbox_service
diff --git a/radio.te b/radio.te
index 76ffda767..060c3a612 100644
--- a/radio.te
+++ b/radio.te
@@ -41,10 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
     tmp_system_server_service
-    -bluetooth_manager_service
-    -connectivity_service
-    -content_service
-    -country_detector_service
     -display_service
     -dropbox_service
     -imms_service
diff --git a/service.te b/service.te
index 2341ff0f1..b4925acdf 100644
--- a/service.te
+++ b/service.te
@@ -22,20 +22,19 @@ type assetatlas_service, app_api_service, system_server_service, service_manager
 type audio_service, app_api_service, system_server_service, service_manager_type;
 type backup_service, system_api_service, system_server_service, service_manager_type;
 type batterystats_service, app_api_service, system_server_service, service_manager_type;
-type battery_service, tmp_system_server_service, service_manager_type;
-type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
-type clipboard_service, tmp_system_server_service, service_manager_type;
-type IMms_service, tmp_system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, system_api_service, system_server_service, service_manager_type;
-type commontime_management_service, tmp_system_server_service, service_manager_type;
-type connectivity_service, tmp_system_server_service, service_manager_type;
+type commontime_management_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, system_server_service, service_manager_type;
 type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
-type content_service, tmp_system_server_service, service_manager_type;
-type country_detector_service, tmp_system_server_service, service_manager_type;
+type content_service, app_api_service, system_server_service, service_manager_type;
+type country_detector_service, system_api_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, tmp_system_server_service, service_manager_type;
-type deviceidle_service, tmp_system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, tmp_system_server_service, service_manager_type;
 type display_service, tmp_system_server_service, service_manager_type;
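Review bot: The removal of `IMms_service` in this hunk, together with its `com.android.internal.telephony.mms.IMms` entry in service_contexts, is not among the nine services the commit message lists, and neither is the dropped `-default_android_service` exclusion in untrusted_app.te. If anything still registers under that binder name it would presumably be labeled by whatever catch-all entry service_contexts has, which is not visible here, so confirm that the name is no longer in use and that no remaining rule references the type. Separately, `battery_service`, `commontime_management_service` and `deviceidle_service` now carry only `system_server_service`, so any domain that reached them through a `tmp_system_server_service` find rule loses that access; their absence from the auditallow exclusion lists suggests this was checked against audit logs, but that is inferred. I would add a line to the description such as `Also remove the IMms_service type and its service_contexts entry.`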
diff --git a/service_contexts b/service_contexts
index 003a858f0..49773b779 100644
--- a/service_contexts
+++ b/service_contexts
@@ -17,7 +17,6 @@ bluetooth_manager                         u:object_r:bluetooth_manager_service:s
 bluetooth                                 u:object_r:bluetooth_service:s0
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
-com.android.internal.telephony.mms.IMms   u:object_r:IMms_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
 commontime_management                     u:object_r:commontime_management_service:s0
 common_time.clock                        u:object_r:mediaserver_service:s0
diff --git a/system_app.te b/system_app.te
index 565db598e..e55525e41 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,10 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
-    -bluetooth_manager_service
-    -connectivity_service
-    -content_service
-    -device_policy_service
     -display_service
     -dreams_service
     -dropbox_service
diff --git a/system_server.te b/system_server.te
index 02acf4e10..38658d4b3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -371,11 +371,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
-    -bluetooth_manager_service
-    -connectivity_service
-    -content_service
-    -country_detector_service
-    -device_policy_service
     -display_service
     -dreams_service
     -dropbox_service
diff --git a/untrusted_app.te b/untrusted_app.te
index 7026a8438..a139799dd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,13 +90,6 @@ allow untrusted_app system_api_service:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     tmp_system_server_service
-    -bluetooth_manager_service
-    -clipboard_service
-    -connectivity_service
-    -content_service
-    -country_detector_service
-    -default_android_service
-    -device_policy_service
     -diskstats_service
     -display_service
     -dropbox_service
-- 
GitLab