Record observed system_server servicemanager service requests.

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602

1 files changed, 5 insertions, 0 deletions

diff --git a/system_server.te b/system_server.te
index ae9ada2..191c446 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,9 +364,11 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
+allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
@@ -376,9 +378,11 @@ allow system_server tmp_system_server_service:service_manager { add find };
 allow system_server service_manager_type:service_manager find;
 auditallow system_server {
     service_manager_type
+    -drmserver_service
     -healthd_service
     -keystore_service
     -mediaserver_service
+    -nfc_service
     -radio_service
     -system_server_service
     -surfaceflinger_service
@@ -418,6 +422,7 @@ auditallow system_server {
     -network_score_service
     -notification_service
     -package_service
+    -permission_service
     -power_service
     -registry_service
     -sensorservice_service