Merge "update isolated_app service_manager rules"

app.te

@@ -182,9 +182,9 @@ control_logd(appdomain)
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
 
-use_keystore(appdomain)
+use_keystore({ appdomain -isolated_app })
 
 ###
 ### Neverallow rules

isolated_app.te

@@ -15,25 +15,21 @@ app_domain(isolated_app)
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app app_data_file:file { read write getattr };
 
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
-allow isolated_app radio_service:service_manager find;
-allow isolated_app surfaceflinger_service:service_manager find;
-allow isolated_app system_server_service:service_manager find;
-allow isolated_app tmp_system_server_service:service_manager find;
-
-# address tmp_system_server_service accesses
 allow isolated_app activity_service:service_manager find;
-allow isolated_app connectivity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
-allow isolated_app dropbox_service:service_manager find;
 
-service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app {
-    tmp_system_server_service
+#####
+##### Neverallow
+#####
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# b/17487348
+# Isolated apps can only access two services,
+# activity_service and display_service
+neverallow isolated_app {
+    service_manager_type
     -activity_service
-    -connectivity_service
     -display_service
-    -dropbox_service
 }:service_manager find;