1/2: Rename domain "system" to "system_server".

This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00

1/2: Rename domain "system" to "system_server".
1fdee11d · Alex Klyubin · a770f55b · 1fdee11d · 1fdee11d · 1fdee11d
Commit 1fdee11d authored 11 years ago by Alex Klyubin
--- a/app.te
+++ b/app.te
@@ -20,9 +20,9 @@ allow appdomain zygote_tmpfs:file read;
 allow appdomain zygote:process sigchld;

 # Communicate with system_server.
-allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write setopt };
-binder_call(appdomain, system)
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt };
+binder_call(appdomain, system_server)

 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };

--- a/domain.te
+++ b/domain.te
@@ -20,7 +20,7 @@ allow domain self:{ unix_dgram_socket unix_stream_socket } *;

 # Inherit or receive open files from others.
 allow domain init:fd use;
-allow domain system:fd use;
+allow domain system_server:fd use;

 # Connect to adbd and use a socket transferred from it.
 allow domain adbd:unix_stream_socket connectto;

--- a/seapp_contexts
+++ b/seapp_contexts
@@ -32,7 +32,7 @@
 # levelFrom=app or levelFrom=all is only supported for _app UIDs.
 # level may be used to specify a fixed level for any UID. 
 #
-isSystemServer=true domain=system
+isSystemServer=true domain=system_server
 user=system domain=system_app type=system_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file

--- a/system.te
+++ b/system.te
@@ -2,14 +2,17 @@
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
-type system, domain;
-permissive system;
-unconfined_domain(system);
-relabelto_domain(system);
+type system_server, domain;
+permissive system_server;
+unconfined_domain(system_server);
+relabelto_domain(system_server);
+
+# TODO: Remove the temporary alias below once the renaming of system to system_server is complete in all repositories.
+typealias system_server alias system;

 # These are the capabilities assigned by the zygote to the
 # system server.
-allow system self:capability {
+allow system_server self:capability {
    kill
    net_admin
    net_bind_service
@@ -24,15 +27,15 @@ allow system self:capability {
 };

 # Create a socket for receiving info from wpa.
-type_transition system wifi_data_file:sock_file system_wpa_socket;
-allow system self:zygote { specifyids specifyrlimits specifyseinfo };
+type_transition system_server wifi_data_file:sock_file system_wpa_socket;
+allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

-allow system backup_data_file:dir relabelto;
-allow system cache_backup_file:dir relabelto;
-allow system anr_data_file:dir relabelto;
-allow system system_data_file:dir relabelto;
-allow system apk_data_file:file relabelto;
-allow system apk_tmp_file:file relabelto;
-allow system cache_backup_file:file relabelto;
-allow system apk_private_tmp_file:file relabelto;
-allow system wallpaper_file:file relabelto;
+allow system_server backup_data_file:dir relabelto;
+allow system_server cache_backup_file:dir relabelto;
+allow system_server anr_data_file:dir relabelto;
+allow system_server system_data_file:dir relabelto;
+allow system_server apk_data_file:file relabelto;
+allow system_server apk_tmp_file:file relabelto;
+allow system_server cache_backup_file:file relabelto;
+allow system_server apk_private_tmp_file:file relabelto;
+allow system_server wallpaper_file:file relabelto;
--- a/zygote.te
+++ b/zygote.te
@@ -9,13 +9,13 @@ allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
-allow zygote system:process dyntransition;
+allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
 # Allow zygote to read + write app data dirs (b/10455872 and b/10498304)
 allow zygote appdomain:dir { getattr search };
 allow zygote appdomain:file { r_file_perms write };
 # Move children into the peer process group.
-allow zygote system:process { getpgid setpgid };
+allow zygote system_server:process { getpgid setpgid };
 allow zygote appdomain:process { getpgid setpgid };
 # Write to system data.
 allow zygote system_data_file:dir rw_dir_perms;