author | dcashman <dcashman@google.com> | 2014-12-16 23:01:31 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-12-16 23:01:31 +0000 |
commit | 49e7e0c24846468fe6ed408ef00b8182058fb30f (patch) | |
tree | 543aa7bfa711d66145df5aecda8f5d42172ff5ce /system_server.te | |
parent | 9403e93b79dfc372c79e21d46e14cef125913b3a (diff) | |
parent | d8800a10fa987bac8234d87f1d4ff83d90966053 (diff) | |
am d8800a10: am cd82557d: Restrict service_manager find and list access.
* commit 'd8800a10fa987bac8234d87f1d4ff83d90966053':
Restrict service_manager find and list access.
Diffstat (limited to 'system_server.te')
-rw-r--r-- | system_server.te | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/system_server.te b/system_server.te
index 19ff197..a3907e1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -368,10 +368,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
-allow system_server system_server_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(system_server)
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
+
+# TODO: Remove. Make up for previously lacking auditing.
+allow system_server service_manager_type:service_manager find;
+auditallow system_server {
+ service_manager_type
+ -healthd_service
+ -keystore_service
+ -mediaserver_service
+ -radio_service
+ -system_server_service
+ -surfaceflinger_service
+}:service_manager find;
 allow system_server keystore:keystore_key { test |
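Review bot: The blanket `allow system_server service_manager_type:service_manager find;` still lets system_server look up every registered service, so the six explicit `find` rules above it do not restrict anything yet; the `auditallow` only logs the grants that fall outside them. The TODO should state the exit condition and where it is tracked, for example `# TODO(b/<bug-id>): remove once auditallow reports no granted finds outside the list above.` The six service types are also written twice, once as allow rules and once in the subtraction set, and nothing ties the two lists together. A type added to the subtraction set without a matching allow rule would drop out of the audit log while still being permitted by the blanket rule, so a short comment that the lists must stay in sync would help.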