Merge "Remove vndservice_manager object classes." into oc-dev

f8a18d47 · TreeHugger Robot · Android (Google) Code Review · 4f1763ef · 2f1c7ba7 · f8a18d47
Commit f8a18d47 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,13 +675,6 @@ class hwservice_manager
 	list
 }

-class vndservice_manager
-{
-	add
-	find
-	list
-}
-
 class keystore_key
 {
 	get_state

--- a/private/security_classes
+++ b/private/security_classes
@@ -137,9 +137,6 @@ class service_manager           # userspace
 # hardware service manager      # userspace
 class hwservice_manager

-# vendor service manager        # userspace
-class vndservice_manager
-
 # Keystore Key
 class keystore_key              # userspace


--- a/public/domain.te
+++ b/public/domain.te
@@ -219,7 +219,7 @@ allow domain default_android_hwservice:hwservice_manager { add find };
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing vndservice_manager_type
 # when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+allow { domain -domain } vndservice_manager_type:service_manager { add find };

 ###
 ### neverallow rules
@@ -914,8 +914,17 @@ neverallow {
 } shell_data_file:file open;


-# servicemanager is the only process which handles list request
-neverallow * ~servicemanager:service_manager list;
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;

 # only service_manager_types can be added to service_manager
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

--- a/public/su.te
+++ b/public/su.te
@@ -38,10 +38,10 @@ userdebug_or_eng(`
  dontaudit su property_type:file *;
  dontaudit su service_manager_type:service_manager *;
  dontaudit su hwservice_manager_type:hwservice_manager *;
-  dontaudit su vndservice_manager_type:vndservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
  dontaudit su servicemanager:service_manager list;
  dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su vndservicemanager:vndservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
  dontaudit su keystore:keystore_key *;
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;