Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate attributes: jobscheduler launcherapps location lock_settings media_projection media_router media_session mount netpolicy netstats Bug: 18106000 Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
TeamFlex · Apr 7, 2015 · 91b7c67 · 91b7c67
1 parent 3cc6fc5
commit 91b7c67
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 41 deletions.
diff --git a/bluetooth.te b/bluetooth.te
@@ -60,7 +60,6 @@ allow bluetooth system_api_service:service_manager find;
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
     tmp_system_server_service
-    -media_session_service
     -network_management_service
     -power_service
     -registry_service

diff --git a/platform_app.te b/platform_app.te
@@ -39,13 +39,6 @@ allow platform_app system_api_service:service_manager find;
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
     tmp_system_server_service
-    -lock_settings_service
-    -media_projection_service
-    -media_router_service
-    -media_session_service
-    -mount_service
-    -netpolicy_service
-    -netstats_service
     -network_management_service
     -notification_service
     -power_service

diff --git a/radio.te b/radio.te
@@ -41,7 +41,6 @@ allow radio system_api_service:service_manager find;
 service_manager_local_audit_domain(radio)
 auditallow radio {
     tmp_system_server_service
-    -netstats_service
     -network_management_service
     -notification_service
     -power_service

diff --git a/service.te b/service.te
@@ -50,18 +50,18 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
 type input_method_service, app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, tmp_system_server_service, service_manager_type;
-type launcherapps_service, tmp_system_server_service, service_manager_type;
-type location_service, tmp_system_server_service, service_manager_type;
-type lock_settings_service, tmp_system_server_service, service_manager_type;
-type media_projection_service, tmp_system_server_service, service_manager_type;
-type media_router_service, tmp_system_server_service, service_manager_type;
-type media_session_service, tmp_system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, system_server_service, service_manager_type;
 type meminfo_service, system_api_service, system_server_service, service_manager_type;
 type midi_service, app_api_service, system_server_service, service_manager_type;
-type mount_service, tmp_system_server_service, service_manager_type;
-type netpolicy_service, tmp_system_server_service, service_manager_type;
-type netstats_service, tmp_system_server_service, service_manager_type;
+type mount_service, app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, system_server_service, service_manager_type;
+type netstats_service, system_api_service, system_server_service, service_manager_type;
 type network_management_service, tmp_system_server_service, service_manager_type;
 type network_score_service, tmp_system_server_service, service_manager_type;
 type notification_service, tmp_system_server_service, service_manager_type;

diff --git a/system_app.te b/system_app.te
@@ -60,10 +60,6 @@ allow system_app system_api_service:service_manager find;
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     tmp_system_server_service
-    -lock_settings_service
-    -media_session_service
-    -mount_service
-    -netstats_service
     -network_management_service
     -network_score_service
     -notification_service

diff --git a/system_server.te b/system_server.te
@@ -372,13 +372,6 @@ allow system_server tmp_system_server_service:service_manager { add find };
 service_manager_local_audit_domain(system_server)
 auditallow system_server {
     tmp_system_server_service
-    -jobscheduler_service
-    -location_service
-    -lock_settings_service
-    -media_router_service
-    -media_session_service
-    -mount_service
-    -netpolicy_service
     -network_management_service
     -network_score_service
     -notification_service

diff --git a/untrusted_app.te b/untrusted_app.te
@@ -90,17 +90,6 @@ allow untrusted_app system_api_service:service_manager find;
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
     tmp_system_server_service
-    -healthd_service
-    -jobscheduler_service
-    -launcherapps_service
-    -location_service
-    -lock_settings_service
-    -media_router_service
-    -media_session_service
-    -meminfo_service
-    -mount_service
-    -netpolicy_service
-    -netstats_service
     -network_management_service
     -network_score_service
     -notification_service