Merge "Remove vndservice_manager object classes." into oc-dev

am: f8a18d47 Change-Id: Iba5fd78ab1d578878cde958b489c57959ac6a290

Merge "Remove vndservice_manager object classes." into oc-dev
am: f8a18d47 Change-Id: Iba5fd78ab1d578878cde958b489c57959ac6a290
b4f62b04 · Dan Cashman · android-build-merger · 14bb96f2 · f8a18d47 · b4f62b04
Commit b4f62b04 authored 7 years ago by Dan Cashman Committed by android-build-merger 7 years ago
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -675,13 +675,6 @@ class hwservice_manager
 	list
 }
-class vndservice_manager
-{
-	add
-	find
-	list
-}
 class keystore_key
 {
 	get_state

--- a/private/security_classes
+++ b/private/security_classes
@@ -137,9 +137,6 @@ class service_manager           # userspace
 # hardware service manager      # userspace
 class hwservice_manager
-# vendor service manager        # userspace
-class vndservice_manager
 # Keystore Key
 class keystore_key              # userspace

--- a/public/domain.te
+++ b/public/domain.te
@@ -219,7 +219,7 @@ allow domain default_android_hwservice:hwservice_manager { add find };
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # Workaround for policy compiler being too aggressive and removing vndservice_manager_type
 # when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:vndservice_manager { add find };
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
 ###
 ### neverallow rules
@@ -914,8 +914,17 @@ neverallow {
 } shell_data_file:file open;
-# servicemanager is the only process which handles list request
+# servicemanager and vndservicemanager are the only processes which handle the
-neverallow * ~servicemanager:service_manager list;
+# service_manager list request
+neverallow * ~{
+    servicemanager
+    vndservicemanager
+    }:service_manager list;
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+    hwservicemanager
+    }:hwservice_manager list;
 # only service_manager_types can be added to service_manager
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

--- a/public/su.te
+++ b/public/su.te
@@ -38,10 +38,10 @@ userdebug_or_eng(`
  dontaudit su property_type:file *;
  dontaudit su service_manager_type:service_manager *;
  dontaudit su hwservice_manager_type:hwservice_manager *;
-  dontaudit su vndservice_manager_type:vndservice_manager *;
+  dontaudit su vndservice_manager_type:service_manager *;
  dontaudit su servicemanager:service_manager list;
  dontaudit su hwservicemanager:hwservice_manager list;
-  dontaudit su vndservicemanager:vndservice_manager list;
+  dontaudit su vndservicemanager:service_manager list;
  dontaudit su keystore:keystore_key *;
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;