Make system_server_service an attribute.
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.
Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
diff --git a/attributes b/attributes
index d40217a..3f632de 100644
--- a/attributes
+++ b/attributes
@@ -42,6 +42,9 @@
# All types used for property service
attribute property_type;
+# All service_manager types formerly given system_server_service type
+attribute tmp_system_server_service;
+
# All types used for services managed by service_manager.
attribute service_manager_type;
diff --git a/bluetooth.te b/bluetooth.te
index 60ce118..7c273be 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -52,6 +52,7 @@
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth radio_service:service_manager find;
allow bluetooth system_server_service:service_manager find;
+allow bluetooth tmp_system_server_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
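Review bot: Nothing in the file marks the added `allow bluetooth tmp_system_server_service:service_manager find;` as transitional, although the commit message says the attribute is temporary. The same blanket rule is added without a marker in drmserver.te, dumpstate.te, nfc.te, radio.te, shared_relro.te, shell.te, surfaceflinger.te and system_app.te. I would put a comment above each, for example `# TODO: replace with per-service find rules once tmp_system_server_service is split.`, so the broad grant is not mistaken for the intended end state. The surrounding rule list starts and ends outside the hunk.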
diff --git a/domain.te b/domain.te
index 52920a7..a184e06 100644
--- a/domain.te
+++ b/domain.te
@@ -165,6 +165,9 @@
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
+# log all access to specified system_server services
+auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager {list find };
+
###
### neverallow rules
###
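Review bot: The `list` permission in the new auditallow looks unlikely ever to match, because elsewhere in this policy list is granted against the servicemanager domain rather than a service type (dumpstate.te has `allow dumpstate servicemanager:service_manager list;`). I would narrow the rule to `auditallow { domain -service_manager_local_audit } tmp_system_server_service:service_manager find;`. The comment also says "all access", but the rule skips every domain carrying service_manager_local_audit, and auditallow logs only accesses that an allow rule already grants. A more accurate comment would be `# Log find of the split-out system_server services by domains that do not audit them locally.`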
diff --git a/drmserver.te b/drmserver.te
index 37edbfe..482c218 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -51,5 +51,6 @@
allow drmserver drmserver_service:service_manager { add find };
allow drmserver system_server_service:service_manager find;
+allow drmserver tmp_system_server_service:service_manager find;
selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index b1e746a..5f65eb0 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -117,6 +117,7 @@
surfaceflinger_service
system_app_service
system_server_service
+ tmp_system_server_service
}:service_manager find;
allow dumpstate servicemanager:service_manager list;
diff --git a/isolated_app.te b/isolated_app.te
index 8c45492..627d0a0 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -24,3 +24,19 @@
allow isolated_app radio_service:service_manager find;
allow isolated_app surfaceflinger_service:service_manager find;
allow isolated_app system_server_service:service_manager find;
+allow isolated_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow isolated_app activity_service:service_manager find;
+allow isolated_app connectivity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app dropbox_service:service_manager find;
+
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app {
+ tmp_system_server_service
+ -activity_service
+ -connectivity_service
+ -display_service
+ -dropbox_service
+}:service_manager find;
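Review bot: The four per-service `find` rules are redundant while `allow isolated_app tmp_system_server_service:service_manager find;` stays in place, so this hunk does not yet narrow what isolated_app can look up; it only moves unexpected lookups into the local auditallow. The comment `# address tmp_system_server_service accesses` does not say that, and I would replace it with `# Known-needed services; remove the blanket tmp_system_server_service rule above once the auditallow below is quiet.` The subtraction list in the auditallow has to be kept in step with the allow list by hand, which deserves a one-line comment as well. mediaserver.te, platform_app.te, system_server.te and untrusted_app.te use the same pattern.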
diff --git a/mediaserver.te b/mediaserver.te
index 54112af..ec69aed 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -82,6 +82,22 @@
allow mediaserver mediaserver_service:service_manager { add find };
allow mediaserver system_server_service:service_manager find;
allow mediaserver surfaceflinger_service:service_manager find;
+allow mediaserver tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+ tmp_system_server_service
+ -batterystats_service
+ -permission_service
+ -power_service
+ -scheduling_policy_service
+}:service_manager find;
# /oem access
allow mediaserver oemfs:dir search;
diff --git a/nfc.te b/nfc.te
index 0d1f613..709e5b9 100644
--- a/nfc.te
+++ b/nfc.te
@@ -23,3 +23,4 @@
allow nfc nfc_service:service_manager add;
allow nfc surfaceflinger_service:service_manager find;
allow nfc system_server_service:service_manager find;
+allow nfc tmp_system_server_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 9b9b0db..3f01769 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -33,3 +33,15 @@
allow platform_app radio_service:service_manager find;
allow platform_app surfaceflinger_service:service_manager find;
allow platform_app system_server_service:service_manager find;
+allow platform_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+allow platform_app input_service:service_manager find;
+allow platform_app lock_settings_service:service_manager find;
+
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+ tmp_system_server_service
+ -input_service
+ -lock_settings_service
+}:service_manager find;
\ No newline at end of file
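Review bot: The new last line `}:service_manager find;` leaves platform_app.te without a trailing newline, as the `\ No newline at end of file` marker shows. If the policy build concatenates the .te files before compiling, which I cannot confirm from this page, the first line of the following file would be joined to this one. End the file with a newline.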
diff --git a/radio.te b/radio.te
index 9282055..d369949 100644
--- a/radio.te
+++ b/radio.te
@@ -34,3 +34,4 @@
allow radio radio_service:service_manager { add find };
allow radio surfaceflinger_service:service_manager find;
allow radio system_server_service:service_manager find;
+allow radio tmp_system_server_service:service_manager find;
diff --git a/service.te b/service.te
index ca461f1..1a13927 100644
--- a/service.te
+++ b/service.te
@@ -9,4 +9,92 @@
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
type system_app_service, service_manager_type;
+
type system_server_service, service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, tmp_system_server_service, service_manager_type;
+type account_service, tmp_system_server_service, service_manager_type;
+type activity_service, tmp_system_server_service, service_manager_type;
+type alarm_service, tmp_system_server_service, service_manager_type;
+type appops_service, tmp_system_server_service, service_manager_type;
+type appwidget_service, tmp_system_server_service, service_manager_type;
+type assetatlas_service, tmp_system_server_service, service_manager_type;
+type audio_service, tmp_system_server_service, service_manager_type;
+type backup_service, tmp_system_server_service, service_manager_type;
+type batterystats_service, tmp_system_server_service, service_manager_type;
+type battery_service, tmp_system_server_service, service_manager_type;
+type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
+type clipboard_service, tmp_system_server_service, service_manager_type;
+type IMms_service, tmp_system_server_service, service_manager_type;
+type IProxyService_service, tmp_system_server_service, service_manager_type;
+type commontime_management_service, tmp_system_server_service, service_manager_type;
+type connectivity_service, tmp_system_server_service, service_manager_type;
+type consumer_ir_service, tmp_system_server_service, service_manager_type;
+type content_service, tmp_system_server_service, service_manager_type;
+type country_detector_service, tmp_system_server_service, service_manager_type;
+type cpuinfo_service, tmp_system_server_service, service_manager_type;
+type dbinfo_service, tmp_system_server_service, service_manager_type;
+type device_policy_service, tmp_system_server_service, service_manager_type;
+type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
+type diskstats_service, tmp_system_server_service, service_manager_type;
+type display_service, tmp_system_server_service, service_manager_type;
+type DockObserver_service, tmp_system_server_service, service_manager_type;
+type dreams_service, tmp_system_server_service, service_manager_type;
+type dropbox_service, tmp_system_server_service, service_manager_type;
+type ethernet_service, tmp_system_server_service, service_manager_type;
+type fingerprint_service, tmp_system_server_service, service_manager_type;
+type gfxinfo_service, tmp_system_server_service, service_manager_type;
+type hardware_service, tmp_system_server_service, service_manager_type;
+type hdmi_control_service, tmp_system_server_service, service_manager_type;
+type input_method_service, tmp_system_server_service, service_manager_type;
+type input_service, tmp_system_server_service, service_manager_type;
+type imms_service, tmp_system_server_service, service_manager_type;
+type jobscheduler_service, tmp_system_server_service, service_manager_type;
+type launcherapps_service, tmp_system_server_service, service_manager_type;
+type location_service, tmp_system_server_service, service_manager_type;
+type lock_settings_service, tmp_system_server_service, service_manager_type;
+type media_projection_service, tmp_system_server_service, service_manager_type;
+type media_router_service, tmp_system_server_service, service_manager_type;
+type media_session_service, tmp_system_server_service, service_manager_type;
+type meminfo_service, tmp_system_server_service, service_manager_type;
+type midi_service, tmp_system_server_service, service_manager_type;
+type mount_service, tmp_system_server_service, service_manager_type;
+type netpolicy_service, tmp_system_server_service, service_manager_type;
+type netstats_service, tmp_system_server_service, service_manager_type;
+type network_management_service, tmp_system_server_service, service_manager_type;
+type network_score_service, tmp_system_server_service, service_manager_type;
+type notification_service, tmp_system_server_service, service_manager_type;
+type package_service, tmp_system_server_service, service_manager_type;
+type permission_service, tmp_system_server_service, service_manager_type;
+type persistent_data_block_service, tmp_system_server_service, service_manager_type;
+type power_service, tmp_system_server_service, service_manager_type;
+type print_service, tmp_system_server_service, service_manager_type;
+type procstats_service, tmp_system_server_service, service_manager_type;
+type restrictions_service, tmp_system_server_service, service_manager_type;
+type rttmanager_service, tmp_system_server_service, service_manager_type;
+type samplingprofiler_service, tmp_system_server_service, service_manager_type;
+type scheduling_policy_service, tmp_system_server_service, service_manager_type;
+type search_service, tmp_system_server_service, service_manager_type;
+type sensorservice_service, tmp_system_server_service, service_manager_type;
+type serial_service, tmp_system_server_service, service_manager_type;
+type servicediscovery_service, tmp_system_server_service, service_manager_type;
+type statusbar_service, tmp_system_server_service, service_manager_type;
+type task_service, tmp_system_server_service, service_manager_type;
+type registry_service, tmp_system_server_service, service_manager_type;
+type textservices_service, tmp_system_server_service, service_manager_type;
+type trust_service, tmp_system_server_service, service_manager_type;
+type tv_input_service, tmp_system_server_service, service_manager_type;
+type uimode_service, tmp_system_server_service, service_manager_type;
+type updatelock_service, tmp_system_server_service, service_manager_type;
+type usagestats_service, tmp_system_server_service, service_manager_type;
+type usb_service, tmp_system_server_service, service_manager_type;
+type user_service, tmp_system_server_service, service_manager_type;
+type vibrator_service, tmp_system_server_service, service_manager_type;
+type voiceinteraction_service, tmp_system_server_service, service_manager_type;
+type wallpaper_service, tmp_system_server_service, service_manager_type;
+type webviewupdate_service, tmp_system_server_service, service_manager_type;
+type wifip2p_service, tmp_system_server_service, service_manager_type;
+type wifiscanner_service, tmp_system_server_service, service_manager_type;
+type wifi_service, tmp_system_server_service, service_manager_type;
+type window_service, tmp_system_server_service, service_manager_type;
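Review bot: `registry_service` is too generic a name for the type that service_contexts assigns to `telephony.registry`; something like `type telephony_registry_service, tmp_system_server_service, service_manager_type;` would keep the mapping obvious, with the references in untrusted_app.te and service_contexts renamed to match. `IMms_service`, `IProxyService_service` and `DockObserver_service` break the lower-case convention of every other type in the block, and `sensorservice_service` doubles the suffix. The list is also slightly out of alphabetical order (`batterystats_service` before `battery_service`, `imms_service` after `input_service`), which makes it harder to check against service_contexts.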
diff --git a/service_contexts b/service_contexts
index 08bf3fe..5dfa199 100644
--- a/service_contexts
+++ b/service_contexts
@@ -1,123 +1,123 @@
-accessibility u:object_r:system_server_service:s0
-account u:object_r:system_server_service:s0
-activity u:object_r:system_server_service:s0
-alarm u:object_r:system_server_service:s0
+accessibility u:object_r:accessibility_service:s0
+account u:object_r:account_service:s0
+activity u:object_r:activity_service:s0
+alarm u:object_r:alarm_service:s0
android.security.keystore u:object_r:keystore_service:s0
-appops u:object_r:system_server_service:s0
-appwidget u:object_r:system_server_service:s0
-assetatlas u:object_r:system_server_service:s0
-audio u:object_r:system_server_service:s0
-backup u:object_r:system_server_service:s0
+appops u:object_r:appops_service:s0
+appwidget u:object_r:appwidget_service:s0
+assetatlas u:object_r:assetatlas_service:s0
+audio u:object_r:audio_service:s0
+backup u:object_r:backup_service:s0
batteryproperties u:object_r:healthd_service:s0
batterypropreg u:object_r:healthd_service:s0
-batterystats u:object_r:system_server_service:s0
-battery u:object_r:system_server_service:s0
-bluetooth_manager u:object_r:system_server_service:s0
+batterystats u:object_r:batterystats_service:s0
+battery u:object_r:battery_service:s0
+bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
-clipboard u:object_r:system_server_service:s0
-com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
-com.android.net.IProxyService u:object_r:system_server_service:s0
-commontime_management u:object_r:system_server_service:s0
+clipboard u:object_r:clipboard_service:s0
+com.android.internal.telephony.mms.IMms u:object_r:IMms_service:s0
+com.android.net.IProxyService u:object_r:IProxyService_service:s0
+commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
-connectivity u:object_r:system_server_service:s0
-consumer_ir u:object_r:system_server_service:s0
-content u:object_r:system_server_service:s0
-country_detector u:object_r:system_server_service:s0
-cpuinfo u:object_r:system_server_service:s0
-dbinfo u:object_r:system_server_service:s0
-device_policy u:object_r:system_server_service:s0
-devicestoragemonitor u:object_r:system_server_service:s0
-diskstats u:object_r:system_server_service:s0
+connectivity u:object_r:connectivity_service:s0
+consumer_ir u:object_r:consumer_ir_service:s0
+content u:object_r:content_service:s0
+country_detector u:object_r:country_detector_service:s0
+cpuinfo u:object_r:cpuinfo_service:s0
+dbinfo u:object_r:dbinfo_service:s0
+device_policy u:object_r:device_policy_service:s0
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+diskstats u:object_r:diskstats_service:s0
display.qservice u:object_r:surfaceflinger_service:s0
-display u:object_r:system_server_service:s0
-DockObserver u:object_r:system_server_service:s0
-dreams u:object_r:system_server_service:s0
+display u:object_r:display_service:s0
+DockObserver u:object_r:DockObserver_service:s0
+dreams u:object_r:dreams_service:s0
drm.drmManager u:object_r:drmserver_service:s0
-dropbox u:object_r:system_server_service:s0
-ethernet u:object_r:system_server_service:s0
-fingerprint u:object_r:system_server_service:s0
-gfxinfo u:object_r:system_server_service:s0
-hardware u:object_r:system_server_service:s0
-hdmi_control u:object_r:system_server_service:s0
+dropbox u:object_r:dropbox_service:s0
+ethernet u:object_r:ethernet_service:s0
+fingerprint u:object_r:fingerprint_service:s0
+gfxinfo u:object_r:gfxinfo_service:s0
+hardware u:object_r:hardware_service:s0
+hdmi_control u:object_r:hdmi_control_service:s0
inputflinger u:object_r:inputflinger_service:s0
-input_method u:object_r:system_server_service:s0
-input u:object_r:system_server_service:s0
+input_method u:object_r:input_method_service:s0
+input u:object_r:input_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
-imms u:object_r:system_server_service:s0
+imms u:object_r:imms_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
isub u:object_r:radio_service:s0
-jobscheduler u:object_r:system_server_service:s0
-launcherapps u:object_r:system_server_service:s0
-location u:object_r:system_server_service:s0
-lock_settings u:object_r:system_server_service:s0
+jobscheduler u:object_r:jobscheduler_service:s0
+launcherapps u:object_r:launcherapps_service:s0
+location u:object_r:location_service:s0
+lock_settings u:object_r:lock_settings_service:s0
media.audio_flinger u:object_r:mediaserver_service:s0
media.audio_policy u:object_r:mediaserver_service:s0
media.camera u:object_r:mediaserver_service:s0
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0
-media_projection u:object_r:system_server_service:s0
-media_router u:object_r:system_server_service:s0
-media_session u:object_r:system_server_service:s0
-meminfo u:object_r:system_server_service:s0
-mount u:object_r:system_server_service:s0
-netpolicy u:object_r:system_server_service:s0
-netstats u:object_r:system_server_service:s0
-network_management u:object_r:system_server_service:s0
-network_score u:object_r:system_server_service:s0
+media_projection u:object_r:media_projection_service:s0
+media_router u:object_r:media_router_service:s0
+media_session u:object_r:media_session_service:s0
+meminfo u:object_r:meminfo_service:s0
+midi u:object_r:midi_service:s0
+mount u:object_r:mount_service:s0
+netpolicy u:object_r:netpolicy_service:s0
+netstats u:object_r:netstats_service:s0
+network_management u:object_r:network_management_service:s0
+network_score u:object_r:network_score_service:s0
nfc u:object_r:nfc_service:s0
-notification u:object_r:system_server_service:s0
-package u:object_r:system_server_service:s0
-permission u:object_r:system_server_service:s0
-persistent_data_block u:object_r:system_server_service:s0
+notification u:object_r:notification_service:s0
+package u:object_r:package_service:s0
+permission u:object_r:permission_service:s0
+persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
-power u:object_r:system_server_service:s0
-print u:object_r:system_server_service:s0
-procstats u:object_r:system_server_service:s0
+power u:object_r:power_service:s0
+print u:object_r:print_service:s0
+procstats u:object_r:procstats_service:s0
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
-restrictions u:object_r:system_server_service:s0
-rttmanager u:object_r:system_server_service:s0
-samplingprofiler u:object_r:system_server_service:s0
-scheduling_policy u:object_r:system_server_service:s0
-search u:object_r:system_server_service:s0
-sensorservice u:object_r:system_server_service:s0
-serial u:object_r:system_server_service:s0
-servicediscovery u:object_r:system_server_service:s0
+restrictions u:object_r:restrictions_service:s0
+rttmanager u:object_r:rttmanager_service:s0
+samplingprofiler u:object_r:samplingprofiler_service:s0
+scheduling_policy u:object_r:scheduling_policy_service:s0
+search u:object_r:search_service:s0
+sensorservice u:object_r:sensorservice_service:s0
+serial u:object_r:serial_service:s0
+servicediscovery u:object_r:servicediscovery_service:s0
simphonebook_msim u:object_r:radio_service:s0
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
-statusbar u:object_r:system_server_service:s0
+statusbar u:object_r:statusbar_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
-task u:object_r:system_server_service:s0
+task u:object_r:task_service:s0
telecom u:object_r:radio_service:s0
-telephony.registry u:object_r:system_server_service:s0
-textservices u:object_r:system_server_service:s0
-trust u:object_r:system_server_service:s0
-tv_input u:object_r:system_server_service:s0
-uimode u:object_r:system_server_service:s0
-updatelock u:object_r:system_server_service:s0
-usagestats u:object_r:system_server_service:s0
-usb u:object_r:system_server_service:s0
-user u:object_r:system_server_service:s0
-vibrator u:object_r:system_server_service:s0
-voiceinteraction u:object_r:system_server_service:s0
-wallpaper u:object_r:system_server_service:s0
-webviewupdate u:object_r:system_server_service:s0
-wifip2p u:object_r:system_server_service:s0
-wifiscanner u:object_r:system_server_service:s0
-wifi u:object_r:system_server_service:s0
-window u:object_r:system_server_service:s0
-
+telephony.registry u:object_r:registry_service:s0
+textservices u:object_r:textservices_service:s0
+trust u:object_r:trust_service:s0
+tv_input u:object_r:tv_input_service:s0
+uimode u:object_r:uimode_service:s0
+updatelock u:object_r:updatelock_service:s0
+usagestats u:object_r:usagestats_service:s0
+usb u:object_r:usb_service:s0
+user u:object_r:user_service:s0
+vibrator u:object_r:vibrator_service:s0
+voiceinteraction u:object_r:voiceinteraction_service:s0
+wallpaper u:object_r:wallpaper_service:s0
+webviewupdate u:object_r:webviewupdate_service:s0
+wifip2p u:object_r:wifip2p_service:s0
+wifiscanner u:object_r:wifiscanner_service:s0
+wifi u:object_r:wifi_service:s0
+window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
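Review bot: The `midi` line is a new entry rather than a relabel: there is no removed `midi` line, so before this change the name would have matched the `*` default at the end of the file. That is a behaviour change the commit message does not mention, and it deserves a sentence there or its own commit. After this hunk no visible entry maps to `system_server_service` any more, so unless another contexts file still uses that type, the `system_server_service` allow rules kept in the .te files no longer match any registered service. A comment in service.te saying the type is retained only during the transition would help.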
diff --git a/shared_relro.te b/shared_relro.te
index 8ad53d3..c444382 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -11,3 +11,4 @@
# Needs to contact the "webviewupdate" and "activity" services
allow shared_relro system_server_service:service_manager find;
+allow shared_relro tmp_system_server_service:service_manager find;
diff --git a/shell.te b/shell.te
index a69d475..af4ce0c 100644
--- a/shell.te
+++ b/shell.te
@@ -48,6 +48,7 @@
allow shell powerctl_prop:property_service set;
allow shell system_server_service:service_manager find;
+allow shell tmp_system_server_service:service_manager find;
# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 02cb433..f0eeec3 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -62,6 +62,7 @@
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger surfaceflinger_service:service_manager { add find };
allow surfaceflinger system_server_service:service_manager find;
+allow surfaceflinger tmp_system_server_service:service_manager find;
###
### Neverallow rules
diff --git a/system_app.te b/system_app.te
index 8f70185..a445e57 100644
--- a/system_app.te
+++ b/system_app.te
@@ -55,6 +55,7 @@
allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
allow system_app system_server_service:service_manager find;
+allow system_app tmp_system_server_service:service_manager find;
allow system_app keystore:keystore_key {
test
diff --git a/system_server.te b/system_server.te
index 9dc1e90..6199eb7 100644
--- a/system_server.te
+++ b/system_server.te
@@ -370,6 +370,7 @@
allow system_server radio_service:service_manager find;
allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
+allow system_server tmp_system_server_service:service_manager { add find };
# TODO: Remove. Make up for previously lacking auditing.
allow system_server service_manager_type:service_manager find;
@@ -383,6 +384,17 @@
-surfaceflinger_service
}:service_manager find;
+# address tmp_system_server_service accesses
+allow system_server dreams_service:service_manager find;
+allow system_server mount_service:service_manager find;
+
+service_manager_local_audit_domain(system_server)
+auditallow system_server {
+ tmp_system_server_service
+ -dreams_service
+ -mount_service
+}:service_manager find;
+
allow system_server keystore:keystore_key {
test
get
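Review bot: Subtracting `dreams_service` and `mount_service` from the new auditallow may not silence them. The context lines at the top of the hunk are the tail of an existing block that ends in `}:service_manager find;`. If that block is an auditallow over `service_manager_type` (it starts outside the hunk, so I cannot confirm), every new type still matches it, because each is declared with `service_manager_type` in service.te. In that case `-dreams_service` and `-mount_service` would have to be subtracted there as well, otherwise the two lookups are still logged by the older rule.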
diff --git a/te_macros b/te_macros
index b665f3f..1efe15f 100644
--- a/te_macros
+++ b/te_macros
@@ -109,7 +109,6 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
-service_manager_local_audit_domain($1)
')
#####################################
diff --git a/untrusted_app.te b/untrusted_app.te
index e558076..40dc8cb 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -70,6 +70,65 @@
allow untrusted_app radio_service:service_manager find;
allow untrusted_app surfaceflinger_service:service_manager find;
allow untrusted_app system_server_service:service_manager find;
+allow untrusted_app tmp_system_server_service:service_manager find;
+
+# address tmp_system_server_service accesses
+service_manager_local_audit_domain(untrusted_app)
+allow untrusted_app accessibility_service:service_manager find;
+allow untrusted_app account_service:service_manager find;
+allow untrusted_app activity_service:service_manager find;
+allow untrusted_app appops_service:service_manager find;
+allow untrusted_app appwidget_service:service_manager find;
+allow untrusted_app assetatlas_service:service_manager find;
+allow untrusted_app audio_service:service_manager find;
+allow untrusted_app bluetooth_manager_service:service_manager find;
+allow untrusted_app connectivity_service:service_manager find;
+allow untrusted_app content_service:service_manager find;
+allow untrusted_app device_policy_service:service_manager find;
+allow untrusted_app display_service:service_manager find;
+allow untrusted_app dropbox_service:service_manager find;
+allow untrusted_app input_method_service:service_manager find;
+allow untrusted_app input_service:service_manager find;
+allow untrusted_app jobscheduler_service:service_manager find;
+allow untrusted_app notification_service:service_manager find;
+allow untrusted_app persistent_data_block_service:service_manager find;
+allow untrusted_app power_service:service_manager find;
+allow untrusted_app registry_service:service_manager find;
+allow untrusted_app textservices_service:service_manager find;
+allow untrusted_app trust_service:service_manager find;
+allow untrusted_app user_service:service_manager find;
+allow untrusted_app webviewupdate_service:service_manager find;
+allow untrusted_app wifi_service:service_manager find;
+
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+ tmp_system_server_service
+ -accessibility_service
+ -account_service
+ -activity_service
+ -appops_service
+ -appwidget_service
+ -assetatlas_service
+ -audio_service
+ -bluetooth_manager_service
+ -connectivity_service
+ -content_service
+ -device_policy_service
+ -display_service
+ -dropbox_service
+ -input_method_service
+ -input_service
+ -jobscheduler_service
+ -notification_service
+ -persistent_data_block_service
+ -power_service
+ -registry_service
+ -textservices_service
+ -trust_service
+ -user_service
+ -webviewupdate_service
+ -wifi_service
+}:service_manager find;
###
### neverallow rules
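Review bot: `service_manager_local_audit_domain(untrusted_app)` is invoked twice, once directly under the `# address tmp_system_server_service accesses` comment and again just before the auditallow; one call is enough, and the other files in this commit place it before the auditallow. The allow list for untrusted_app includes `persistent_data_block_service`, `device_policy_service` and `trust_service`. `find` only gates the lookup and each service presumably still enforces its own permission checks, but these entries should carry a comment saying why an untrusted app needs them before the blanket `tmp_system_server_service` rule is removed. As in isolated_app.te, the per-service rules are redundant until that blanket rule goes.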