-rw-r--r--platform_app.te16
-rw-r--r--system_app.te17
-rw-r--r--system_server.te17
-rw-r--r--untrusted_app.te66
4 files changed, 87 insertions, 29 deletions
diff --git a/platform_app.te b/platform_app.te
index 3f01769..d98442e 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,12 +36,24 @@ allow platform_app system_server_service:service_manager find;
allow platform_app tmp_system_server_service:service_manager find;
# address tmp_system_server_service accesses
-allow platform_app input_service:service_manager find;
-allow platform_app lock_settings_service:service_manager find;
+allow platform_app {
+ activity_service
+ connectivity_service
+ display_service
+ dropbox_service
+ input_service
+ lock_settings_service
+ mount_service
+}:service_manager find;
service_manager_local_audit_domain(platform_app)
auditallow platform_app {
tmp_system_server_service
+ -activity_service
+ -connectivity_service
+ -display_service
+ -dropbox_service
-input_service
-lock_settings_service
+ -mount_service
}:service_manager find;
\ No newline at end of file
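Review bot: The allow set and the auditallow exclusion set in this hunk name the same seven services by hand, and nothing in the file says they must stay identical. Assuming tmp_system_server_service is an attribute that covers these types, a service added only to the allow block would keep being audited, while one added only as an exclusion would stay reachable through the tmp_system_server_service rule but stop being logged. I would add a comment above the allow block such as `# Keep this list identical to the exclusions in the auditallow below.` The same pairing is repeated in system_app.te, system_server.te and untrusted_app.te.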
diff --git a/system_app.te b/system_app.te
index a445e57..12a5195 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,6 +57,23 @@ allow system_app system_app_service:service_manager add;
allow system_app system_server_service:service_manager find;
allow system_app tmp_system_server_service:service_manager find;
+# address tmp_system_server_service accesses
+allow system_app {
+ activity_service
+ connectivity_service
+ display_service
+ dropbox_service
+}:service_manager find;
+
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+ tmp_system_server_service
+ -activity_service
+ -connectivity_service
+ -display_service
+ -dropbox_service
+}:service_manager find;
+
allow system_app keystore:keystore_key {
test
get
diff --git a/system_server.te b/system_server.te
index df9d159..c7c2138 100644
--- a/system_server.te
+++ b/system_server.te
@@ -387,17 +387,30 @@ auditallow system_server {
-radio_service
-system_server_service
-surfaceflinger_service
+ -tmp_system_server_service
}:service_manager find;
# address tmp_system_server_service accesses
-allow system_server dreams_service:service_manager find;
-allow system_server mount_service:service_manager find;
+allow system_server {
+ account_service
+ backup_service
+ dreams_service
+ mount_service
+ package_service
+ wallpaper_service
+ wifi_service
+}:service_manager find;
service_manager_local_audit_domain(system_server)
auditallow system_server {
tmp_system_server_service
+ -account_service
+ -backup_service
-dreams_service
-mount_service
+ -package_service
+ -wallpaper_service
+ -wifi_service
}:service_manager find;
allow system_server keystore:keystore_key {
diff --git a/untrusted_app.te b/untrusted_app.te
index 3f88aa7..2c2946c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -82,31 +82,40 @@ allow untrusted_app tmp_system_server_service:service_manager find;
# address tmp_system_server_service accesses
service_manager_local_audit_domain(untrusted_app)
-allow untrusted_app accessibility_service:service_manager find;
-allow untrusted_app account_service:service_manager find;
-allow untrusted_app activity_service:service_manager find;
-allow untrusted_app appops_service:service_manager find;
-allow untrusted_app appwidget_service:service_manager find;
-allow untrusted_app assetatlas_service:service_manager find;
-allow untrusted_app audio_service:service_manager find;
-allow untrusted_app bluetooth_manager_service:service_manager find;
-allow untrusted_app connectivity_service:service_manager find;
-allow untrusted_app content_service:service_manager find;
-allow untrusted_app device_policy_service:service_manager find;
-allow untrusted_app display_service:service_manager find;
-allow untrusted_app dropbox_service:service_manager find;
-allow untrusted_app input_method_service:service_manager find;
-allow untrusted_app input_service:service_manager find;
-allow untrusted_app jobscheduler_service:service_manager find;
-allow untrusted_app notification_service:service_manager find;
-allow untrusted_app persistent_data_block_service:service_manager find;
-allow untrusted_app power_service:service_manager find;
-allow untrusted_app registry_service:service_manager find;
-allow untrusted_app textservices_service:service_manager find;
-allow untrusted_app trust_service:service_manager find;
-allow untrusted_app user_service:service_manager find;
-allow untrusted_app webviewupdate_service:service_manager find;
-allow untrusted_app wifi_service:service_manager find;
+allow untrusted_app {
+ accessibility_service
+ account_service
+ activity_service
+ appops_service
+ appwidget_service
+ assetatlas_service
+ audio_service
+ backup_service
+ batterystats_service
+ bluetooth_manager_service
+ connectivity_service
+ content_service
+ device_policy_service
+ display_service
+ dropbox_service
+ input_method_service
+ input_service
+ jobscheduler_service
+ location_service
+ mount_service
+ netstats_service
+ network_score_service
+ notification_service
+ persistent_data_block_service
+ power_service
+ registry_service
+ textservices_service
+ trust_service
+ uimode_service
+ user_service
+ webviewupdate_service
+ wifi_service
+}:service_manager find;
service_manager_local_audit_domain(untrusted_app)
auditallow untrusted_app {
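Review bot: The rewritten allow block newly grants untrusted_app `find` on backup_service, batterystats_service, location_service, mount_service, netstats_service, network_score_service and uimode_service, with no comment saying why third-party apps need each one. As I read it, `find` only lets the domain obtain the service reference, so the real boundary is whatever caller checks those services perform; I would state that next to the list, e.g. `# find only returns the service handle; each listed service must enforce its own caller permission checks.` The context also shows `service_manager_local_audit_domain(untrusted_app)` both before and after the block, which looks like a duplicate invocation worth confirming. The auditallow opened on the last line continues outside this hunk, and its matching exclusions are added in the two following hunks.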
@@ -118,6 +127,8 @@ auditallow untrusted_app {
-appwidget_service
-assetatlas_service
-audio_service
+ -backup_service
+ -batterystats_service
-bluetooth_manager_service
-connectivity_service
-content_service
@@ -127,12 +138,17 @@ auditallow untrusted_app {
-input_method_service
-input_service
-jobscheduler_service
+ -location_service
+ -mount_service
+ -netstats_service
+ -network_score_service
-notification_service
-persistent_data_block_service
-power_service
-registry_service
-textservices_service
-trust_service
+ -uimode_service
-user_service
-webviewupdate_service
-wifi_service