diff options
author | dcashman <dcashman@google.com> | 2014-12-11 16:01:27 -0800 |
---|---|---|
committer | dcashman <dcashman@google.com> | 2014-12-15 10:09:24 -0800 |
commit | cd82557d4069c20bda8e18aa7f72fc0521a3ae32 (patch) | |
tree | d6d09cc6aa88a9ffdefaf1639ec161d920ff4743 /system_server.te | |
parent | b7d0ae3aca1c3c8f77ff36ccd1ecefbddd43e8e0 (diff) | |
download | android_external_sepolicy-cd82557d4069c20bda8e18aa7f72fc0521a3ae32.tar.gz android_external_sepolicy-cd82557d4069c20bda8e18aa7f72fc0521a3ae32.tar.bz2 android_external_sepolicy-cd82557d4069c20bda8e18aa7f72fc0521a3ae32.zip |
Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
Diffstat (limited to 'system_server.te')
-rw-r--r-- | system_server.te | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/system_server.te b/system_server.te index a8348e7..9dc1e90 100644 --- a/system_server.te +++ b/system_server.te @@ -364,10 +364,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; allow system_server pstorefs:dir r_dir_perms; allow system_server pstorefs:file r_file_perms; -allow system_server system_server_service:service_manager add; - -# Audited locally. -service_manager_local_audit_domain(system_server) +allow system_server healthd_service:service_manager find; +allow system_server keystore_service:service_manager find; +allow system_server mediaserver_service:service_manager find; +allow system_server radio_service:service_manager find; +allow system_server system_server_service:service_manager { add find }; +allow system_server surfaceflinger_service:service_manager find; + +# TODO: Remove. Make up for previously lacking auditing. +allow system_server service_manager_type:service_manager find; +auditallow system_server { + service_manager_type + -healthd_service + -keystore_service + -mediaserver_service + -radio_service + -system_server_service + -surfaceflinger_service +}:service_manager find; allow system_server keystore:keystore_key { test |