6 files changed, 89 insertions, 72 deletions

diff --git a/platform_app.te b/platform_app.te
index d98442e..61cc757 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -35,25 +35,42 @@ allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
 
-# address tmp_system_server_service accesses
-allow platform_app {
-    activity_service
-    connectivity_service
-    display_service
-    dropbox_service
-    input_service
-    lock_settings_service
-    mount_service
-}:service_manager find;
-
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
+    -accessibility_service
     -activity_service
+    -appops_service
+    -appwidget_service
+    -assetatlas_service
+    -audio_service
+    -batterystats_service
+    -bluetooth_manager_service
     -connectivity_service
+    -content_service
+    -device_policy_service
     -display_service
+    -dreams_service
     -dropbox_service
+    -fingerprint_service
+    -input_method_service
     -input_service
     -lock_settings_service
+    -media_projection_service
+    -media_router_service
+    -media_session_service
     -mount_service
+    -netpolicy_service
+    -netstats_service
+    -network_management_service
+    -notification_service
+    -power_service
+    -registry_service
+    -search_service
+    -statusbar_service
+    -trust_service
+    -user_service
+    -vibrator_service
+    -wallpaper_service
+    -wifi_service
 }:service_manager find;
\ No newline at end of file
diff --git a/radio.te b/radio.te
index 2b63cd9..f18f462 100644
--- a/radio.te
+++ b/radio.te
@@ -36,3 +36,17 @@ allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio system_server_service:service_manager find;
 allow radio tmp_system_server_service:service_manager find;
+
+service_manager_local_audit_domain(radio)
+auditallow radio {
+    tmp_system_server_service
+    -activity_service
+    -appops_service
+    -connectivity_service
+    -content_service
+    -display_service
+    -dropbox_service
+    -network_management_service
+    -power_service
+    -registry_service
+}:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 00948cf..a6ba5d9 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -64,15 +64,12 @@ allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger system_server_service:service_manager find;
 allow surfaceflinger tmp_system_server_service:service_manager find;
 
-# address tmp_system_server_service accesses
-allow surfaceflinger {
-    power_service
-}:service_manager find;
-
 service_manager_local_audit_domain(surfaceflinger)
 auditallow surfaceflinger {
     tmp_system_server_service
+    -permission_service
     -power_service
+    -window_service
 }:service_manager find;
 
 ###
diff --git a/system_app.te b/system_app.te
index 12a5195..1c50dff 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,21 +57,17 @@ allow system_app system_app_service:service_manager add;
 allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
 
-# address tmp_system_server_service accesses
-allow system_app {
-    activity_service
-    connectivity_service
-    display_service
-    dropbox_service
-}:service_manager find;
-
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
+    -accessibility_service
     -activity_service
+    -appops_service
     -connectivity_service
     -display_service
     -dropbox_service
+    -network_management_service
+    -user_service
 }:service_manager find;
 
 allow system_app keystore:keystore_key {
diff --git a/system_server.te b/system_server.te
index 73ff33c..aaa0657 100644
--- a/system_server.te
+++ b/system_server.te
@@ -386,27 +386,55 @@ auditallow system_server {
     -tmp_system_server_service
 }:service_manager find;
 
-# address tmp_system_server_service accesses
-allow system_server {
-    account_service
-    backup_service
-    dreams_service
-    mount_service
-    package_service
-    wallpaper_service
-    wifi_service
-}:service_manager find;
-
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
+    -accessibility_service
     -account_service
+    -activity_service
+    -alarm_service
+    -appops_service
+    -assetatlas_service
+    -audio_service
     -backup_service
+    -batterystats_service
+    -bluetooth_manager_service
+    -connectivity_service
+    -content_service
+    -device_policy_service
+    -display_service
     -dreams_service
+    -dropbox_service
+    -ethernet_service
+    -hdmi_control_service
+    -input_method_service
+    -input_service
+    -jobscheduler_service
+    -location_service
+    -lock_settings_service
+    -media_router_service
+    -media_session_service
     -mount_service
+    -network_management_service
+    -network_score_service
+    -notification_service
     -package_service
+    -power_service
+    -registry_service
+    -sensorservice_service
+    -statusbar_service
+    -textservices_service
+    -trust_service
+    -uimode_service
+    -updatelock_service
+    -usagestats_service
+    -user_service
+    -vibrator_service
     -wallpaper_service
+    -webviewupdate_service
     -wifi_service
+    -wifip2p_service
+    -window_service
 }:service_manager find;
 
 allow system_server keystore:keystore_key {
diff --git a/untrusted_app.te b/untrusted_app.te
index 18d71cd..ceb70f2 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,43 +72,6 @@ allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app system_server_service:service_manager find;
 allow untrusted_app tmp_system_server_service:service_manager find;
 
-# address tmp_system_server_service accesses
-service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app {
-    accessibility_service
-    account_service
-    activity_service
-    appops_service
-    appwidget_service
-    assetatlas_service
-    audio_service
-    backup_service
-    batterystats_service
-    bluetooth_manager_service
-    connectivity_service
-    content_service
-    device_policy_service
-    display_service
-    dropbox_service
-    input_method_service
-    input_service
-    jobscheduler_service
-    location_service
-    mount_service
-    netstats_service
-    network_score_service
-    notification_service
-    persistent_data_block_service
-    power_service
-    registry_service
-    textservices_service
-    trust_service
-    uimode_service
-    user_service
-    webviewupdate_service
-    wifi_service
-}:service_manager find;
-
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     tmp_system_server_service
@@ -133,6 +96,7 @@ auditallow untrusted_app {
     -location_service
     -mount_service
     -netstats_service
+    -network_management_service
     -network_score_service
     -notification_service
     -persistent_data_block_service
@@ -142,6 +106,7 @@ auditallow untrusted_app {
     -trust_service
     -uimode_service
     -user_service
+    -vibrator_service
     -webviewupdate_service
     -wifi_service
 }:service_manager find;