Enforce more specific service access.
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:
registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window
Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
diff --git a/attributes b/attributes
index f35c83f..a9b211f 100644
--- a/attributes
+++ b/attributes
@@ -42,8 +42,7 @@
# All types used for property service
attribute property_type;
-# All service_manager types formerly given system_server_service type
-attribute tmp_system_server_service;
+# All service_manager types created by system_server
attribute system_server_service;
# services which should be available to all but isolated apps
diff --git a/bluetooth.te b/bluetooth.te
index bc2acef..890c1d9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -53,17 +53,9 @@
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth tmp_system_server_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
- tmp_system_server_service
- -registry_service
- -user_service
-}:service_manager find;
-
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/domain.te b/domain.te
index 5a3d3c9..87ec2ee 100644
--- a/domain.te
+++ b/domain.te
@@ -166,9 +166,6 @@
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-# log all access to specified system_server services
-auditallow { domain -shell -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
-
###
### neverallow rules
###
diff --git a/mediaserver.te b/mediaserver.te
index 6497101..d269097 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -86,14 +86,8 @@
allow mediaserver permission_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
-allow mediaserver tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
- tmp_system_server_service
- -scheduling_policy_service
-}:service_manager find;
# /oem access
allow mediaserver oemfs:dir search;
diff --git a/nfc.te b/nfc.te
index e4a4ccb..8528b4f 100644
--- a/nfc.te
+++ b/nfc.te
@@ -23,19 +23,9 @@
allow nfc nfc_service:service_manager { add find };
allow nfc radio_service:service_manager find;
allow nfc surfaceflinger_service:service_manager find;
-allow nfc tmp_system_server_service:service_manager find;
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
- tmp_system_server_service
- -registry_service
- -trust_service
- -user_service
- -vibrator_service
-}:service_manager find;
-
# already open bugreport file descriptors may be shared with
# the nfc process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/platform_app.te b/platform_app.te
index 2943e6c..c152f47 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -33,23 +33,5 @@
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app tmp_system_server_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
-
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
- tmp_system_server_service
- -registry_service
- -search_service
- -sensorservice_service
- -statusbar_service
- -trust_service
- -uimode_service
- -usb_service
- -user_service
- -vibrator_service
- -wallpaper_service
- -webviewupdate_service
- -wifi_service
-}:service_manager find;
diff --git a/radio.te b/radio.te
index 469f1d9..92f18d2 100644
--- a/radio.te
+++ b/radio.te
@@ -34,16 +34,5 @@
allow radio mediaserver_service:service_manager find;
allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find;
-allow radio tmp_system_server_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
-
-service_manager_local_audit_domain(radio)
-auditallow radio {
- tmp_system_server_service
- -registry_service
- -trust_service
- -user_service
- -vibrator_service
- -wifi_service
-}:service_manager find;
diff --git a/service.te b/service.te
index fa4d56e..be22933 100644
--- a/service.te
+++ b/service.te
@@ -72,31 +72,31 @@
type print_service, app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, system_server_service, service_manager_type;
-type restrictions_service, tmp_system_server_service, service_manager_type;
-type rttmanager_service, tmp_system_server_service, service_manager_type;
+type registry_service, app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, system_server_service, service_manager_type;
type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, tmp_system_server_service, service_manager_type;
-type search_service, tmp_system_server_service, service_manager_type;
-type sensorservice_service, tmp_system_server_service, service_manager_type;
-type serial_service, tmp_system_server_service, service_manager_type;
-type servicediscovery_service, tmp_system_server_service, service_manager_type;
-type statusbar_service, tmp_system_server_service, service_manager_type;
-type task_service, tmp_system_server_service, service_manager_type;
-type registry_service, tmp_system_server_service, service_manager_type;
-type textservices_service, tmp_system_server_service, service_manager_type;
-type telecom_service, tmp_system_server_service, service_manager_type;
-type trust_service, tmp_system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, system_server_service, service_manager_type;
+type trust_service, system_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, tmp_system_server_service, service_manager_type;
-type updatelock_service, tmp_system_server_service, service_manager_type;
-type usagestats_service, tmp_system_server_service, service_manager_type;
-type usb_service, tmp_system_server_service, service_manager_type;
-type user_service, tmp_system_server_service, service_manager_type;
-type vibrator_service, tmp_system_server_service, service_manager_type;
-type voiceinteraction_service, tmp_system_server_service, service_manager_type;
-type wallpaper_service, tmp_system_server_service, service_manager_type;
-type webviewupdate_service, tmp_system_server_service, service_manager_type;
-type wifip2p_service, tmp_system_server_service, service_manager_type;
+type uimode_service, app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, tmp_system_server_service, service_manager_type;
-type window_service, tmp_system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/shared_relro.te b/shared_relro.te
index c97ab5c..6a1dfd4 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -10,10 +10,4 @@
allow shared_relro shared_relro_file:file create_file_perms;
# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(shared_relro)
-auditallow shared_relro {
- tmp_system_server_service
- -webviewupdate_service
-}:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c83caf2..c85df82 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -63,13 +63,7 @@
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger tmp_system_server_service:service_manager find;
-
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
- tmp_system_server_service
- -window_service
-}:service_manager find;
+allow surfaceflinger window_service:service_manager find;
###
### Neverallow rules
diff --git a/system_app.te b/system_app.te
index 9b4e29a..895ff71 100644
--- a/system_app.te
+++ b/system_app.te
@@ -53,25 +53,9 @@
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
-allow system_app tmp_system_server_service:service_manager find;
allow system_app app_api_service:service_manager find;
allow system_app system_api_service:service_manager find;
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
- tmp_system_server_service
- -registry_service
- -restrictions_service
- -sensorservice_service
- -textservices_service
- -uimode_service
- -usagestats_service
- -usb_service
- -user_service
- -vibrator_service
- -wifi_service
-}:service_manager find;
-
allow system_app keystore:keystore_key {
test
get
diff --git a/system_server.te b/system_server.te
index cb5d5cb..ac7a7c7 100644
--- a/system_server.te
+++ b/system_server.te
@@ -371,27 +371,6 @@
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
-allow system_server tmp_system_server_service:service_manager { add find };
-
-service_manager_local_audit_domain(system_server)
-auditallow system_server {
- tmp_system_server_service
- -registry_service
- -sensorservice_service
- -statusbar_service
- -textservices_service
- -trust_service
- -uimode_service
- -updatelock_service
- -usagestats_service
- -user_service
- -vibrator_service
- -wallpaper_service
- -webviewupdate_service
- -wifi_service
- -wifip2p_service
- -window_service
-}:service_manager find;
allow system_server keystore:keystore_key {
test
diff --git a/untrusted_app.te b/untrusted_app.te
index c94092a..5ad8c79 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,7 +81,6 @@
allow untrusted_app nfc_service:service_manager find;
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app tmp_system_server_service:service_manager find;
allow untrusted_app app_api_service:service_manager find;
# TODO: remove this once priv-apps are no longer running in untrusted_app
@@ -90,27 +89,6 @@
# TODO: remove and replace with specific package that accesses this
allow untrusted_app persistent_data_block_service:service_manager find;
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
- tmp_system_server_service
- -registry_service
- -rttmanager_service
- -search_service
- -sensorservice_service
- -statusbar_service
- -textservices_service
- -trust_service
- -uimode_service
- -usagestats_service
- -user_service
- -vibrator_service
- -voiceinteraction_service
- -wallpaper_service
- -webviewupdate_service
- -wifi_service
- -wifip2p_service
-}:service_manager find;
-
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
