Restrict service_manager find and list access.

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

1 files changed, 18 insertions, 4 deletions

diff --git a/system_server.te b/system_server.te
index a8348e7..9dc1e90 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,10 +364,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
-allow system_server system_server_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(system_server)
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
+
+# TODO: Remove. Make up for previously lacking auditing.
+allow system_server service_manager_type:service_manager find;
+auditallow system_server {
+    service_manager_type
+    -healthd_service
+    -keystore_service
+    -mediaserver_service
+    -radio_service
+    -system_server_service
+    -surfaceflinger_service
+}:service_manager find;
 
 allow system_server keystore:keystore_key {
 	test