Make system_server_service an attribute.

Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
TeamFlex · Jan 14, 2015 · 4a89cdf · 4a89cdf
1 parent 34d32ea
commit 4a89cdf
Show file tree

Hide file tree

Showing 19 changed files with 303 additions and 86 deletions.
diff --git a/attributes b/attributes
@@ -42,6 +42,9 @@ attribute port_type;
 # All types used for property service
 attribute property_type;
 
+# All service_manager types formerly given system_server_service type
+attribute tmp_system_server_service;
+
 # All types used for services managed by service_manager.
 attribute service_manager_type;
 

diff --git a/bluetooth.te b/bluetooth.te
@@ -52,6 +52,7 @@ allow bluetooth ctl_dhcp_pan_prop:property_service set;
 allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth system_server_service:service_manager find;
+allow bluetooth tmp_system_server_service:service_manager find;
 
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in

diff --git a/domain.te b/domain.te
@@ -165,6 +165,9 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
+# log all access to specified system_server services
+auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
+
 ###
 ### neverallow rules
 ###

diff --git a/drmserver.te b/drmserver.te
@@ -51,5 +51,6 @@ allow drmserver oemfs:file r_file_perms;
 
 allow drmserver drmserver_service:service_manager { add find };
 allow drmserver system_server_service:service_manager find;
+allow drmserver tmp_system_server_service:service_manager find;
 
 selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
@@ -117,6 +117,7 @@ allow dumpstate {
     surfaceflinger_service
     system_app_service
     system_server_service
+    tmp_system_server_service
 }:service_manager find;
 
 allow dumpstate servicemanager:service_manager list;
diff --git a/isolated_app.te b/isolated_app.te
@@ -24,3 +24,19 @@ neverallow isolated_app gpu_device:file { rw_file_perms execute };
 allow isolated_app radio_service:service_manager find;
 allow isolated_app surfaceflinger_service:service_manager find;
 allow isolated_app system_server_service:service_manager find;
+allow isolated_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow isolated_app activity_service:service_manager find;
+allow isolated_app connectivity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app dropbox_service:service_manager find;
+
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app {
+    tmp_system_server_service
+    -activity_service
+    -connectivity_service
+    -display_service
+    -dropbox_service
+}:service_manager find;
diff --git a/mediaserver.te b/mediaserver.te
@@ -82,6 +82,22 @@ allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
+allow mediaserver tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+    tmp_system_server_service
+    -batterystats_service
+    -permission_service
+    -power_service
+    -scheduling_policy_service
+}:service_manager find;
 
 # /oem access
 allow mediaserver oemfs:dir search;

diff --git a/nfc.te b/nfc.te
@@ -23,3 +23,4 @@ allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager add;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc system_server_service:service_manager find;
+allow nfc tmp_system_server_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
@@ -33,3 +33,15 @@ allow platform_app mediaserver_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app system_server_service:service_manager find;
+allow platform_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow platform_app input_service:service_manager find;
+allow platform_app lock_settings_service:service_manager find;
+
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+    tmp_system_server_service
+    -input_service
+    -lock_settings_service
+}:service_manager find;
diff --git a/radio.te b/radio.te
@@ -34,3 +34,4 @@ allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio system_server_service:service_manager find;
+allow radio tmp_system_server_service:service_manager find;
diff --git a/service.te b/service.te
@@ -9,4 +9,92 @@ type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
+
 type system_server_service,     service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, tmp_system_server_service, service_manager_type;
+type account_service, tmp_system_server_service, service_manager_type;
+type activity_service, tmp_system_server_service, service_manager_type;
+type alarm_service, tmp_system_server_service, service_manager_type;
+type appops_service, tmp_system_server_service, service_manager_type;
+type appwidget_service, tmp_system_server_service, service_manager_type;
+type assetatlas_service, tmp_system_server_service, service_manager_type;
+type audio_service, tmp_system_server_service, service_manager_type;
+type backup_service, tmp_system_server_service, service_manager_type;
+type batterystats_service, tmp_system_server_service, service_manager_type;
+type battery_service, tmp_system_server_service, service_manager_type;
+type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
+type clipboard_service, tmp_system_server_service, service_manager_type;
+type IMms_service, tmp_system_server_service, service_manager_type;
+type IProxyService_service, tmp_system_server_service, service_manager_type;
+type commontime_management_service, tmp_system_server_service, service_manager_type;
+type connectivity_service, tmp_system_server_service, service_manager_type;
+type consumer_ir_service, tmp_system_server_service, service_manager_type;
+type content_service, tmp_system_server_service, service_manager_type;
+type country_detector_service, tmp_system_server_service, service_manager_type;
+type cpuinfo_service, tmp_system_server_service, service_manager_type;
+type dbinfo_service, tmp_system_server_service, service_manager_type;
+type device_policy_service, tmp_system_server_service, service_manager_type;
+type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
+type diskstats_service, tmp_system_server_service, service_manager_type;
+type display_service, tmp_system_server_service, service_manager_type;
+type DockObserver_service, tmp_system_server_service, service_manager_type;
+type dreams_service, tmp_system_server_service, service_manager_type;
+type dropbox_service, tmp_system_server_service, service_manager_type;
+type ethernet_service, tmp_system_server_service, service_manager_type;
+type fingerprint_service, tmp_system_server_service, service_manager_type;
+type gfxinfo_service, tmp_system_server_service, service_manager_type;
+type hardware_service, tmp_system_server_service, service_manager_type;
+type hdmi_control_service, tmp_system_server_service, service_manager_type;
+type input_method_service, tmp_system_server_service, service_manager_type;
+type input_service, tmp_system_server_service, service_manager_type;
+type imms_service, tmp_system_server_service, service_manager_type;
+type jobscheduler_service, tmp_system_server_service, service_manager_type;
+type launcherapps_service, tmp_system_server_service, service_manager_type;
+type location_service, tmp_system_server_service, service_manager_type;
+type lock_settings_service, tmp_system_server_service, service_manager_type;
+type media_projection_service, tmp_system_server_service, service_manager_type;
+type media_router_service, tmp_system_server_service, service_manager_type;
+type media_session_service, tmp_system_server_service, service_manager_type;
+type meminfo_service, tmp_system_server_service, service_manager_type;
+type midi_service, tmp_system_server_service, service_manager_type;
+type mount_service, tmp_system_server_service, service_manager_type;
+type netpolicy_service, tmp_system_server_service, service_manager_type;
+type netstats_service, tmp_system_server_service, service_manager_type;
+type network_management_service, tmp_system_server_service, service_manager_type;
+type network_score_service, tmp_system_server_service, service_manager_type;
+type notification_service, tmp_system_server_service, service_manager_type;
+type package_service, tmp_system_server_service, service_manager_type;
+type permission_service, tmp_system_server_service, service_manager_type;
+type persistent_data_block_service, tmp_system_server_service, service_manager_type;
+type power_service, tmp_system_server_service, service_manager_type;
+type print_service, tmp_system_server_service, service_manager_type;
+type procstats_service, tmp_system_server_service, service_manager_type;
+type restrictions_service, tmp_system_server_service, service_manager_type;
+type rttmanager_service, tmp_system_server_service, service_manager_type;
+type samplingprofiler_service, tmp_system_server_service, service_manager_type;
+type scheduling_policy_service, tmp_system_server_service, service_manager_type;
+type search_service, tmp_system_server_service, service_manager_type;
+type sensorservice_service, tmp_system_server_service, service_manager_type;
+type serial_service, tmp_system_server_service, service_manager_type;
+type servicediscovery_service, tmp_system_server_service, service_manager_type;
+type statusbar_service, tmp_system_server_service, service_manager_type;
+type task_service, tmp_system_server_service, service_manager_type;
+type registry_service, tmp_system_server_service, service_manager_type;
+type textservices_service, tmp_system_server_service, service_manager_type;
+type trust_service, tmp_system_server_service, service_manager_type;
+type tv_input_service, tmp_system_server_service, service_manager_type;
+type uimode_service, tmp_system_server_service, service_manager_type;
+type updatelock_service, tmp_system_server_service, service_manager_type;
+type usagestats_service, tmp_system_server_service, service_manager_type;
+type usb_service, tmp_system_server_service, service_manager_type;
+type user_service, tmp_system_server_service, service_manager_type;
+type vibrator_service, tmp_system_server_service, service_manager_type;
+type voiceinteraction_service, tmp_system_server_service, service_manager_type;
+type wallpaper_service, tmp_system_server_service, service_manager_type;
+type webviewupdate_service, tmp_system_server_service, service_manager_type;
+type wifip2p_service, tmp_system_server_service, service_manager_type;
+type wifiscanner_service, tmp_system_server_service, service_manager_type;
+type wifi_service, tmp_system_server_service, service_manager_type;
+type window_service, tmp_system_server_service, service_manager_type;