Assign app_api_service attribute to services.

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7

9 files changed, 7 insertions, 29 deletions

diff --git a/bluetooth.te b/bluetooth.te
index ad44ff1..9530702 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -60,7 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
     tmp_system_server_service
-    -audio_service
     -bluetooth_manager_service
     -connectivity_service
     -display_service
diff --git a/mediaserver.te b/mediaserver.te
index 6beae06..835802e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,6 +80,7 @@ allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver surfaceflinger_service:service_manager find;
@@ -88,7 +89,6 @@ allow mediaserver tmp_system_server_service:service_manager find;
 service_manager_local_audit_domain(mediaserver)
 auditallow mediaserver {
     tmp_system_server_service
-    -batterystats_service
     -permission_service
     -power_service
     -processinfo_service
diff --git a/nfc.te b/nfc.te
index 556fd20..0cfc447 100644
--- a/nfc.te
+++ b/nfc.te
@@ -30,7 +30,6 @@ allow nfc system_api_service:service_manager find;
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
     tmp_system_server_service
-    -batterystats_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
diff --git a/platform_app.te b/platform_app.te
index 7dedc55..2f1b87c 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,10 +39,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
-    -appwidget_service
-    -assetatlas_service
-    -audio_service
-    -batterystats_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
diff --git a/radio.te b/radio.te
index 5b158de..76ffda7 100644
--- a/radio.te
+++ b/radio.te
@@ -41,7 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
     tmp_system_server_service
-    -assetatlas_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
diff --git a/service.te b/service.te
index e0bcc2f..a11e641 100644
--- a/service.te
+++ b/service.te
@@ -14,13 +14,13 @@ type system_app_service,        service_manager_type;
 type accessibility_service, app_api_service, system_server_service, service_manager_type;
 type account_service, app_api_service, system_server_service, service_manager_type;
 type activity_service, app_api_service, system_server_service, service_manager_type;
-type alarm_service, tmp_system_server_service, service_manager_type;
+type alarm_service, app_api_service, system_server_service, service_manager_type;
 type appops_service, app_api_service, system_server_service, service_manager_type;
-type appwidget_service, tmp_system_server_service, service_manager_type;
-type assetatlas_service, tmp_system_server_service, service_manager_type;
-type audio_service, tmp_system_server_service, service_manager_type;
-type backup_service, tmp_system_server_service, service_manager_type;
-type batterystats_service, tmp_system_server_service, service_manager_type;
+type appwidget_service, app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, system_server_service, service_manager_type;
+type backup_service, system_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, system_server_service, service_manager_type;
 type battery_service, tmp_system_server_service, service_manager_type;
 type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
 type clipboard_service, tmp_system_server_service, service_manager_type;
diff --git a/system_app.te b/system_app.te
index eebc644..565db59 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,10 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
-    -appwidget_service
-    -assetatlas_service
-    -audio_service
-    -backup_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
diff --git a/system_server.te b/system_server.te
index 644ff05..aa0328f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -370,11 +370,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
-    -alarm_service
-    -assetatlas_service
-    -audio_service
-    -backup_service
-    -batterystats_service
     -bluetooth_manager_service
     -connectivity_service
     -content_service
diff --git a/untrusted_app.te b/untrusted_app.te
index f0961cb..7026a84 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -90,12 +90,6 @@ allow untrusted_app system_api_service:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     tmp_system_server_service
-    -appwidget_service
-    -assetatlas_service
-    -audio_service
-    -backup_service
-    -battery_service
-    -batterystats_service
     -bluetooth_manager_service
     -clipboard_service
     -connectivity_service