From 4cdea7fc40ea29c8cf4134a71b67808d143ec9dc Mon Sep 17 00:00:00 2001 From: dcashman Date: Fri, 3 Apr 2015 16:11:01 -0700 Subject: Assign app_api_service attribute to services. Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services the appropriate service access levels and move into enforcing. Bug: 18106000 Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7 --- bluetooth.te | 1 - mediaserver.te | 2 +- nfc.te | 1 - platform_app.te | 4 ---- radio.te | 1 - service.te | 12 ++++++------ system_app.te | 4 ---- system_server.te | 5 ----- untrusted_app.te | 6 ------ 9 files changed, 7 insertions(+), 29 deletions(-) diff --git a/bluetooth.te b/bluetooth.te index ad44ff1..9530702 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -60,7 +60,6 @@ allow bluetooth system_api_service:service_manager find; service_manager_local_audit_domain(bluetooth) auditallow bluetooth { tmp_system_server_service - -audio_service -bluetooth_manager_service -connectivity_service -display_service diff --git a/mediaserver.te b/mediaserver.te index 6beae06..835802e 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -80,6 +80,7 @@ allow mediaserver tee:unix_stream_socket connectto; allow mediaserver activity_service:service_manager find; allow mediaserver appops_service:service_manager find; +allow mediaserver batterystats_service:service_manager find; allow mediaserver drmserver_service:service_manager find; allow mediaserver mediaserver_service:service_manager { add find }; allow mediaserver surfaceflinger_service:service_manager find; @@ -88,7 +89,6 @@ allow mediaserver tmp_system_server_service:service_manager find; service_manager_local_audit_domain(mediaserver) auditallow mediaserver { tmp_system_server_service - -batterystats_service -permission_service -power_service -processinfo_service diff --git a/nfc.te b/nfc.te index 556fd20..0cfc447 100644 --- a/nfc.te +++ b/nfc.te 
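Review bot: Dropping `-audio_service` from the bluetooth auditallow exclusion list is only safe if bluetooth can still find the service under its new label, and the hunk shows only `allow bluetooth system_api_service:service_manager find;` as context. service.te in this commit makes audio_service an app_api_service, so a rule like `allow bluetooth app_api_service:service_manager find;` has to exist above this hunk; without it the lookup would be denied once the type is enforcing. The same check applies to the nfc.te, radio.te, platform_app.te and system_app.te hunks, and system_server.te needs `add` on system_server_service for the retyped services. mediaserver.te is the only file where the commit adds the allow explicitly, and the rule lists start outside each hunk, so none of this can be confirmed from the patch alone.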
@@ -30,7 +30,6 @@ allow nfc system_api_service:service_manager find; service_manager_local_audit_domain(nfc) auditallow nfc { tmp_system_server_service - -batterystats_service -bluetooth_manager_service -connectivity_service -content_service diff --git a/platform_app.te b/platform_app.te index 7dedc55..2f1b87c 100644 --- a/platform_app.te +++ b/platform_app.te @@ -39,10 +39,6 @@ allow platform_app system_api_service:service_manager find; service_manager_local_audit_domain(platform_app) auditallow platform_app { tmp_system_server_service - -appwidget_service - -assetatlas_service - -audio_service - -batterystats_service -bluetooth_manager_service -connectivity_service -content_service diff --git a/radio.te b/radio.te index 5b158de..76ffda7 100644 --- a/radio.te +++ b/radio.te @@ -41,7 +41,6 @@ allow radio system_api_service:service_manager find; service_manager_local_audit_domain(radio) auditallow radio { tmp_system_server_service - -assetatlas_service -bluetooth_manager_service -connectivity_service -content_service diff --git a/service.te b/service.te index e0bcc2f..a11e641 100644 --- a/service.te +++ b/service.te 
@@ -14,13 +14,13 @@ type system_app_service, service_manager_type; type accessibility_service, app_api_service, system_server_service, service_manager_type; type account_service, app_api_service, system_server_service, service_manager_type; type activity_service, app_api_service, system_server_service, service_manager_type; -type alarm_service, tmp_system_server_service, service_manager_type; +type alarm_service, app_api_service, system_server_service, service_manager_type; type appops_service, app_api_service, system_server_service, service_manager_type; -type appwidget_service, tmp_system_server_service, service_manager_type; -type assetatlas_service, tmp_system_server_service, service_manager_type; -type audio_service, tmp_system_server_service, service_manager_type; -type backup_service, tmp_system_server_service, service_manager_type; -type batterystats_service, tmp_system_server_service, service_manager_type; +type appwidget_service, app_api_service, system_server_service, service_manager_type; +type assetatlas_service, app_api_service, system_server_service, service_manager_type; +type audio_service, app_api_service, system_server_service, service_manager_type; +type backup_service, system_api_service, system_server_service, service_manager_type; +type batterystats_service, app_api_service, system_server_service, service_manager_type; type battery_service, tmp_system_server_service, service_manager_type; type bluetooth_manager_service, tmp_system_server_service, service_manager_type; type clipboard_service, tmp_system_server_service, service_manager_type; diff --git a/system_app.te b/system_app.te index eebc644..565db59 100644 --- a/system_app.te +++ b/system_app.te 
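Review bot: backup_service is the only type here moved to system_api_service while the other five become app_api_service, and neither service.te nor the commit message records why. The hunk header in untrusted_app.te shows `allow untrusted_app system_api_service:service_manager find;`, so as far as this patch shows, the system_api_service label does not by itself stop untrusted apps from looking up backup_service. That leaves the service's own permission checks as the remaining gate. I would add a comment above the type list stating the intended audience of each attribute, for example `# app_api_service: may be looked up by any app domain; system_api_service: intended for system/privileged domains`, and track tightening the untrusted_app rule separately. The type list continues outside the hunk.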
@@ -60,10 +60,6 @@ allow system_app system_api_service:service_manager find; service_manager_local_audit_domain(system_app) auditallow system_app { tmp_system_server_service - -appwidget_service - -assetatlas_service - -audio_service - -backup_service -bluetooth_manager_service -connectivity_service -content_service diff --git a/system_server.te b/system_server.te index 644ff05..aa0328f 100644 --- a/system_server.te +++ b/system_server.te @@ -370,11 +370,6 @@ allow system_server tmp_system_server_service:service_manager { add find }; service_manager_local_audit_domain(system_server) auditallow system_server { tmp_system_server_service - -alarm_service - -assetatlas_service - -audio_service - -backup_service - -batterystats_service -bluetooth_manager_service -connectivity_service -content_service diff --git a/untrusted_app.te b/untrusted_app.te index f0961cb..7026a84 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -90,12 +90,6 @@ allow untrusted_app system_api_service:service_manager find; service_manager_local_audit_domain(untrusted_app) auditallow untrusted_app { tmp_system_server_service - -appwidget_service - -assetatlas_service - -audio_service - -backup_service - -battery_service - -batterystats_service -bluetooth_manager_service -clipboard_service -connectivity_service -- cgit v1.2.3
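Review bot: In the untrusted_app.te hunk, `-battery_service` is removed from the auditallow exclusion list, but service.te in this same commit leaves `type battery_service, tmp_system_server_service, service_manager_type;` unchanged, and the commit message does not list battery among the reassigned services. With the exclusion gone, untrusted_app lookups of battery_service will presumably be logged by the auditallow rule on tmp_system_server_service, which changes audit output without changing the label. If the aim is to measure whether untrusted apps use the service, say so in the commit message; otherwise keep the `-battery_service` line until the type is actually reassigned. The auditallow block continues past the end of the hunk.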