am d8800a10: am cd82557d: Restrict service_manager find and list access.

* commit 'd8800a10fa987bac8234d87f1d4ff83d90966053':
  Restrict service_manager find and list access.

1 files changed, 18 insertions, 4 deletions

diff --git a/system_server.te b/system_server.te
index 19ff197..a3907e1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -368,10 +368,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
-allow system_server system_server_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(system_server)
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
+
+# TODO: Remove. Make up for previously lacking auditing.
+allow system_server service_manager_type:service_manager find;
+auditallow system_server {
+    service_manager_type
+    -healthd_service
+    -keystore_service
+    -mediaserver_service
+    -radio_service
+    -system_server_service
+    -surfaceflinger_service
+}:service_manager find;
 
 allow system_server keystore:keystore_key {
 	test