Merge "Move unconfined domains out of permissive mode."

28a711c8 · Nick Kralevich · Gerrit Code Review · 84d88314 · 353c72e3 · 28a711c8
Commit 28a711c8 authored 11 years ago by Nick Kralevich Committed by Gerrit Code Review 11 years ago
--- a/adbd.te
+++ b/adbd.te
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
-permissive adbd;
 unconfined_domain(adbd)
 domain_auto_trans(adbd, shell_exec, shell)
 # this is an entrypoint

--- a/bluetooth.te
+++ b/bluetooth.te
 # bluetooth subsystem
 type bluetooth, domain;
-permissive bluetooth;
 app_domain(bluetooth)
 unconfined_domain(bluetooth)
--- a/clatd.te
+++ b/clatd.te
 # 464xlat daemon
 type clatd, domain;
-permissive clatd;
 type clatd_exec, exec_type, file_type;

 init_daemon_domain(clatd)

--- a/debuggerd.te
+++ b/debuggerd.te
 # debugger interface
 type debuggerd, domain;
-permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;

 init_daemon_domain(debuggerd)

--- a/dhcp.te
+++ b/dhcp.te
 type dhcp, domain;
-permissive dhcp;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;

--- a/dnsmasq.te
+++ b/dnsmasq.te
 type dnsmasq, domain;
-permissive dnsmasq;
 type dnsmasq_exec, exec_type, file_type;

 init_daemon_domain(dnsmasq)

--- a/drmserver.te
+++ b/drmserver.te
 # drmserver - DRM service
 type drmserver, domain;
-permissive drmserver;
 type drmserver_exec, exec_type, file_type;

 init_daemon_domain(drmserver)

--- a/gpsd.te
+++ b/gpsd.te
 # gpsd - GPS daemon
 type gpsd, domain;
-permissive gpsd;
 type gpsd_exec, exec_type, file_type;

 init_daemon_domain(gpsd)

--- a/hci_attach.te
+++ b/hci_attach.te
 type hci_attach, domain;
-permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;

 init_daemon_domain(hci_attach)

--- a/healthd.te
+++ b/healthd.te
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-permissive healthd;
 type healthd_exec, exec_type, file_type;

 init_daemon_domain(healthd)

--- a/hostapd.te
+++ b/hostapd.te
 type hostapd, domain;
-permissive hostapd;
 type hostapd_exec, exec_type, file_type;

 init_daemon_domain(hostapd)

--- a/init_shell.te
+++ b/init_shell.te
 # Restricted domain for shell processes spawned by init
 type init_shell, domain;
-permissive init_shell;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
--- a/keystore.te
+++ b/keystore.te
 type keystore, domain;
-permissive keystore;
 type keystore_exec, exec_type, file_type;

 # keystore daemon

--- a/media_app.te
+++ b/media_app.te
@@ -3,7 +3,6 @@
 ###

 type media_app, domain;
-permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.

--- a/mediaserver.te
+++ b/mediaserver.te
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;

 net_domain(mediaserver)

--- a/mtp.te
+++ b/mtp.te
 # vpn tunneling protocol manager
 type mtp, domain;
-permissive mtp;
 type mtp_exec, exec_type, file_type;

 init_daemon_domain(mtp)

--- a/nfc.te
+++ b/nfc.te
 # nfc subsystem
 type nfc, domain;
-permissive nfc;
 app_domain(nfc)
 unconfined_domain(nfc)
--- a/ping.te
+++ b/ping.te
 type ping, domain;
-permissive ping;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
 unconfined_domain(ping)
--- a/platform_app.te
+++ b/platform_app.te
@@ -3,7 +3,6 @@
 ###

 type platform_app, domain;
-permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.

--- a/ppp.te
+++ b/ppp.te
 # Point to Point Protocol daemon
 type ppp, domain;
-permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;