From 8af4e9cb0032244b0a356eb236ea97379956fa52 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Wed, 1 Apr 2015 14:30:46 -0700
Subject: [PATCH] Record observed service accesses.
Get ready to switch system_server service lookups into enforcing.
Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
---
bluetooth.te | 1 +
isolated_app.te | 2 ++
mediaserver.te | 2 ++
nfc.te | 1 +
platform_app.te | 4 ++++
radio.te | 7 +++++++
system_app.te | 8 ++++++++
system_server.te | 2 ++
untrusted_app.te | 7 +++++++
9 files changed, 34 insertions(+)
diff --git a/bluetooth.te b/bluetooth.te
index a91f6b2b5..7d81e0984 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -70,6 +70,7 @@ auditallow bluetooth {
-network_management_service
-power_service
-registry_service
+ -user_service
}:service_manager find;
# already open bugreport file descriptors may be shared with
diff --git a/isolated_app.te b/isolated_app.te
index 8930ae68a..48bf3defc 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,6 +18,8 @@ allow isolated_app app_data_file:file { read write getattr };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
+service_manager_local_audit_domain(isolated_app)
+
#####
##### Neverallow
#####
diff --git a/mediaserver.te b/mediaserver.te
index a8bc55fea..23abb0fb3 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -87,10 +87,12 @@ allow mediaserver tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(mediaserver)
auditallow mediaserver {
tmp_system_server_service
+ -activity_service
-appops_service
-batterystats_service
-permission_service
-power_service
+ -processinfo_service
-scheduling_policy_service
}:service_manager find;
diff --git a/nfc.te b/nfc.te
index 00826bb39..3545e2335 100644
--- a/nfc.te
+++ b/nfc.te
@@ -40,6 +40,7 @@ auditallow nfc {
-dropbox_service
-network_management_service
-power_service
+ -registry_service
-trust_service
-user_service
-vibrator_service
diff --git a/platform_app.te b/platform_app.te
index ef6fb78ae..92ac5adfd 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -69,10 +69,14 @@ auditallow platform_app {
-power_service
-registry_service
-search_service
+ -sensorservice_service
-statusbar_service
-trust_service
+ -uimode_service
+ -usb_service
-user_service
-vibrator_service
-wallpaper_service
+ -webviewupdate_service
-wifi_service
}:service_manager find;
diff --git a/radio.te b/radio.te
index b5ff4a7e4..4ecf43ca7 100644
--- a/radio.te
+++ b/radio.te
@@ -40,13 +40,19 @@ allow radio tmp_system_server_service:service_manager find;
service_manager_local_audit_domain(radio)
auditallow radio {
tmp_system_server_service
+ -accessibility_service
+ -account_service
-activity_service
-appops_service
+ -assetatlas_service
-bluetooth_manager_service
-connectivity_service
-content_service
+ -country_detector_service
-display_service
-dropbox_service
+ -imms_service
+ -input_method_service
-netstats_service
-network_management_service
-notification_service
@@ -54,5 +60,6 @@ auditallow radio {
-registry_service
-trust_service
-user_service
+ -vibrator_service
-wifi_service
}:service_manager find;
diff --git a/system_app.te b/system_app.te
index ac460524d..6740dcda6 100644
--- a/system_app.te
+++ b/system_app.te
@@ -60,6 +60,7 @@ service_manager_local_audit_domain(system_app)
auditallow system_app {
tmp_system_server_service
-accessibility_service
+ -account_service
-activity_service
-appops_service
-appwidget_service
@@ -73,17 +74,24 @@ auditallow system_app {
-display_service
-dreams_service
-dropbox_service
+ -fingerprint_service
-graphicsstats_service
-input_method_service
-input_service
-lock_settings_service
+ -media_session_service
-mount_service
+ -netstats_service
-network_management_service
+ -network_score_service
-notification_service
-power_service
-print_service
-registry_service
+ -restrictions_service
-sensorservice_service
+ -textservices_service
+ -uimode_service
-usagestats_service
-usb_service
-user_service
diff --git a/system_server.te b/system_server.te
index e967adb8b..bec8ec424 100644
--- a/system_server.te
+++ b/system_server.te
@@ -397,6 +397,7 @@ auditallow system_server {
-bluetooth_manager_service
-connectivity_service
-content_service
+ -country_detector_service
-device_policy_service
-display_service
-dreams_service
@@ -412,6 +413,7 @@ auditallow system_server {
-media_router_service
-media_session_service
-mount_service
+ -netpolicy_service
-network_management_service
-network_score_service
-notification_service
diff --git a/untrusted_app.te b/untrusted_app.te
index 4e1164dcd..a93885a78 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -98,14 +98,18 @@ auditallow untrusted_app {
-battery_service
-batterystats_service
-bluetooth_manager_service
+ -clipboard_service
-connectivity_service
-content_service
-country_detector_service
-default_android_service
-device_policy_service
+ -diskstats_service
-display_service
-dropbox_service
-graphicsstats_service
+ -healthd_service
+ -imms_service
-input_method_service
-input_service
-jobscheduler_service
@@ -123,13 +127,16 @@ auditallow untrusted_app {
-notification_service
-persistent_data_block_service
-power_service
+ -procstats_service
-registry_service
+ -rttmanager_service
-search_service
-sensorservice_service
-statusbar_service
-textservices_service
-trust_service
-uimode_service
+ -usagestats_service
-user_service
-vibrator_service
-voiceinteraction_service
--
GitLab