author | dcashman <dcashman@google.com> | 2015-01-15 15:12:18 -0800 |
---|---|---|
committer | dcashman <dcashman@google.com> | 2015-01-15 15:12:18 -0800 |
commit | c631ede7dc7cb131b1bdd03ce296eeac53dc9add (patch) | |
tree | 52058c6cfa2b126f761f5593ff8d778215570191 /untrusted_app.te | |
parent | 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 (diff) | |
Remove known system_server service accesses from auditing.
Address observed audit logs of the form:
granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager
in order to record existing relationships with services.
Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
Diffstat (limited to 'untrusted_app.te')
-rw-r--r-- | untrusted_app.te | 66 |
1 files changed, 41 insertions, 25 deletions
diff --git a/untrusted_app.te b/untrusted_app.te
index 40dc8cb..18d71cd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -74,31 +74,40 @@ allow untrusted_app tmp_system_server_service:service_manager find;
 # address tmp_system_server_service accesses
 service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app accessibility_service:service_manager find;
-allow untrusted_app account_service:service_manager find;
-allow untrusted_app activity_service:service_manager find;
-allow untrusted_app appops_service:service_manager find;
-allow untrusted_app appwidget_service:service_manager find;
-allow untrusted_app assetatlas_service:service_manager find;
-allow untrusted_app audio_service:service_manager find;
-allow untrusted_app bluetooth_manager_service:service_manager find;
-allow untrusted_app connectivity_service:service_manager find;
-allow untrusted_app content_service:service_manager find;
-allow untrusted_app device_policy_service:service_manager find;
-allow untrusted_app display_service:service_manager find;
-allow untrusted_app dropbox_service:service_manager find;
-allow untrusted_app input_method_service:service_manager find;
-allow untrusted_app input_service:service_manager find;
-allow untrusted_app jobscheduler_service:service_manager find;
-allow untrusted_app notification_service:service_manager find;
-allow untrusted_app persistent_data_block_service:service_manager find;
-allow untrusted_app power_service:service_manager find;
-allow untrusted_app registry_service:service_manager find;
-allow untrusted_app textservices_service:service_manager find;
-allow untrusted_app trust_service:service_manager find;
-allow untrusted_app user_service:service_manager find;
-allow untrusted_app webviewupdate_service:service_manager find;
-allow untrusted_app wifi_service:service_manager find;
+allow untrusted_app {
+ accessibility_service
+ account_service
+ activity_service
+ appops_service
+ appwidget_service
+ assetatlas_service
+ audio_service
+ backup_service
+ batterystats_service
+ bluetooth_manager_service
+ connectivity_service
+ content_service
+ device_policy_service
+ display_service
+ dropbox_service
+ input_method_service
+ input_service
+ jobscheduler_service
+ location_service
+ mount_service
+ netstats_service
+ network_score_service
+ notification_service
+ persistent_data_block_service
+ power_service
+ registry_service
+ textservices_service
+ trust_service
+ uimode_service
+ user_service
+ webviewupdate_service
+ wifi_service
+}:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
@@ -110,6 +119,8 @@ auditallow untrusted_app {
 -appwidget_service
 -assetatlas_service
 -audio_service
+ -backup_service
+ -batterystats_service
 -bluetooth_manager_service
 -connectivity_service
 -content_service
@@ -119,12 +130,17 @@ auditallow untrusted_app {
 -input_method_service
 -input_service
 -jobscheduler_service
+ -location_service
+ -mount_service
+ -netstats_service
+ -network_score_service
 -notification_service
 -persistent_data_block_service
 -power_service
 -registry_service
 -textservices_service
 -trust_service
+ -uimode_service
 -user_service
 -webviewupdate_service
 -wifi_service |
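Review bot: The new `allow untrusted_app { ... }:service_manager find;` set in the first hunk lists seven services that the removed one-per-line rules did not (`backup_service`, `batterystats_service`, `location_service`, `mount_service`, `netstats_service`, `network_score_service`, `uimode_service`), and the only stated basis is that `find` was observed in audit logs. Observed access is not the same as intended access for the least-trusted app domain. `find` governs only the lookup through the service manager, so every service named here has to enforce its own caller checks on whatever it exposes. I would put a comment above the block such as `# find only: each listed service must enforce its own permission checks on callers`, and have the description say why entries like `mount_service` and `backup_service` are expected for third-party apps.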
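Review bot: The `-name` subtractions in `auditallow untrusted_app { ... }` (this hunk at `-110,6 +119,8` and the next at `-119,12 +130,17`) duplicate the allow set by hand, and nothing keeps the two lists in step. If a name is subtracted here without a matching explicit allow, the access would presumably still be granted through the `tmp_system_server_service` rule shown in the first hunk header, but no longer logged, which hides exactly the relationship the audit is meant to surface. A comment at the top of the set would make the invariant explicit, e.g. `# every "-X" below must also appear in the explicit allow list above`. The `auditallow` statement starts before and ends after these hunks, so its base set and closing line are not visible here.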