From 14aa7c06088205f171aaaac15941c49ffa5f101b Mon Sep 17 00:00:00 2001
From: Riley Spahn <rileyspahn@google.com>
Date: Thu, 17 Jul 2014 14:18:56 -0700
Subject: [PATCH] Refine service_manager find auditallow statements.

Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea34779aa66a7d43a322d10a0eda9fe39a0)

Change-Id: I25354db2add3135335c80be2c2d350e526137572
---
 adbd.te       | 6 ++++++
 system_app.te | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/adbd.te b/adbd.te
index 58fdead68..3b654a152 100644
--- a/adbd.te
+++ b/adbd.te
@@ -68,3 +68,9 @@ allow adbd appdomain:unix_stream_socket connectto;
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
+
+service_manager_local_audit_domain(adbd)
+auditallow adbd {
+    service_manager_type
+    -surfaceflinger_service
+}:service_manager find;
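Review bot: The new adbd auditallow block has no comment saying why adbd is being audited or why surfaceflinger_service is exempt, whereas the allow rules just above it are introduced by a rationale comment (`# ndk-gdb invokes adb pull ...`). Because auditallow only logs accesses that are already granted, a reader cannot tell from the file whether the exclusion marks a reviewed, expected lookup or merely a noisy one. I would add a line above the macro call such as `# Audit service_manager find by adbd; surfaceflinger_service is excluded as a known lookup (name the adbd feature that needs it).` The same gap applies to the two negations added in the system_app.te hunk.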
diff --git a/system_app.te b/system_app.te
index 24b135e5d..5a5888f2f 100644
--- a/system_app.te
+++ b/system_app.te
@@ -69,7 +69,9 @@ control_logd(system_app)
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
     service_manager_type
+    -keystore_service
     -nfc_service
+    -radio_service
     -surfaceflinger_service
     -system_server_service
 }:service_manager find;
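Review bot: Adding `-keystore_service` to the exclusion set stops logging system_app lookups of the keystore service, and nothing in the hunk records that this access is intended. auditallow grants nothing, so the lookup presumably stays permitted by a broader rule that is not visible here. If it is meant to be allowed, state it explicitly with `allow system_app keystore_service:service_manager find;` (and likewise for radio_service), so the grant is reviewable and survives when the audit scaffolding is removed or the broad rule is tightened. If such allow rules already exist elsewhere in system_app.te, a one-line comment pointing at them is enough.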
-- 
GitLab