From 353c72e3b0b4d7d729af20f0c9a13c976baa8753 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 21 Oct 2013 12:39:24 -0700
Subject: [PATCH] Move unconfined domains out of permissive mode.

This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work.

When we're ready to tighten up the rules for these domains, we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
---
 adbd.te | 1 -
 bluetooth.te | 1 -
 clatd.te | 1 -
 debuggerd.te | 1 -
 dhcp.te | 1 -
 dnsmasq.te | 1 -
 drmserver.te | 1 -
 gpsd.te | 1 -
 hci_attach.te | 1 -
 healthd.te | 1 -
 hostapd.te | 1 -
 init_shell.te | 1 -
 keystore.te | 1 -
 media_app.te | 1 -
 mediaserver.te | 1 -
 mtp.te | 1 -
 nfc.te | 1 -
 ping.te | 1 -
 platform_app.te | 1 -
 ppp.te | 1 -
 qemud.te | 1 -
 racoon.te | 1 -
 radio.te | 1 -
 release_app.te | 1 -
 rild.te | 1 -
 runas.te | 1 -
 sdcardd.te | 1 -
 servicemanager.te | 1 -
 shared_app.te | 1 -
 su.te | 1 -
 surfaceflinger.te | 1 -
 system_app.te | 1 -
 system_server.te | 1 -
 tee.te | 1 -
 watchdogd.te | 1 -
 wpa_supplicant.te | 1 -
 36 files changed, 36 deletions(-)

diff --git a/adbd.te b/adbd.te
index 4f332b357..84d1c2bf5 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,7 +1,6 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
-permissive adbd;
 unconfined_domain(adbd)
 domain_auto_trans(adbd, shell_exec, shell)
 # this is an entrypoint
diff --git a/bluetooth.te b/bluetooth.te
index 3b7330475..72263e3c5 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,4 @@
 # bluetooth subsystem
 type bluetooth, domain;
-permissive bluetooth;
 app_domain(bluetooth)
 unconfined_domain(bluetooth)
diff --git a/clatd.te b/clatd.te
index ebbb79ca8..dc62fb099 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,6 +1,5 @@
 # 464xlat daemon
 type clatd, domain;
-permissive clatd;
 type clatd_exec, exec_type, file_type;
 
 init_daemon_domain(clatd)
diff --git a/debuggerd.te b/debuggerd.te
index 690e69548..cdf00de28 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,6 +1,5 @@
 # debugger interface
 type debuggerd, domain;
-permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
diff --git a/dhcp.te b/dhcp.te
index 4fe24e70a..500456574 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,5 +1,4 @@
 type dhcp, domain;
-permissive dhcp;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;
diff --git a/dnsmasq.te b/dnsmasq.te
index ff8136798..a5c647a7e 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -1,5 +1,4 @@
 type dnsmasq, domain;
-permissive dnsmasq;
 type dnsmasq_exec, exec_type, file_type;
 
 init_daemon_domain(dnsmasq)
diff --git a/drmserver.te b/drmserver.te
index c9fc5f666..8727bc175 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,6 +1,5 @@
 # drmserver - DRM service
 type drmserver, domain;
-permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
diff --git a/gpsd.te b/gpsd.te
index 6d6fbd75a..403a6b75d 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,6 +1,5 @@
 # gpsd - GPS daemon
 type gpsd, domain;
-permissive gpsd;
 type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 15b73ffee..40e315085 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,5 +1,4 @@
 type hci_attach, domain;
-permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
diff --git a/healthd.te b/healthd.te
index 52c466e48..2241f23cb 100644
--- a/healthd.te
+++ b/healthd.te
@@ -1,7 +1,6 @@
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-permissive healthd;
 type healthd_exec, exec_type, file_type;
 
 init_daemon_domain(healthd)
diff --git a/hostapd.te b/hostapd.te
index f13b2e022..79db3c37b 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -1,5 +1,4 @@
 type hostapd, domain;
-permissive hostapd;
 type hostapd_exec, exec_type, file_type;
 
 init_daemon_domain(hostapd)
diff --git a/init_shell.te b/init_shell.te
index 900826efe..696a6dcac 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,5 +1,4 @@
 # Restricted domain for shell processes spawned by init
 type init_shell, domain;
-permissive init_shell;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
diff --git a/keystore.te b/keystore.te
index d438cfa41..a7f4b4d64 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,5 +1,4 @@
 type keystore, domain;
-permissive keystore;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/media_app.te b/media_app.te
index f0f987fac..1fe06ddc0 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,7 +3,6 @@
 ###
 
 type media_app, domain;
-permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
diff --git a/mediaserver.te b/mediaserver.te
index a8e78d21e..1b94d86d6 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,6 +1,5 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
 
 net_domain(mediaserver)
diff --git a/mtp.te b/mtp.te
index eb893268e..48a552579 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,6 +1,5 @@
 # vpn tunneling protocol manager
 type mtp, domain;
-permissive mtp;
 type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
diff --git a/nfc.te b/nfc.te
index f5432f186..31b914433 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,4 @@
 # nfc subsystem
 type nfc, domain;
-permissive nfc;
 app_domain(nfc)
 unconfined_domain(nfc)
diff --git a/ping.te b/ping.te
index 19f3a4741..37b9b3c36 100644
--- a/ping.te
+++ b/ping.te
@@ -1,5 +1,4 @@
 type ping, domain;
-permissive ping;
 type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
 unconfined_domain(ping)
diff --git a/platform_app.te b/platform_app.te
index 38d8fcd62..042d49540 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -3,7 +3,6 @@
 ###
 
 type platform_app, domain;
-permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
diff --git a/ppp.te b/ppp.te
index 3387cde2f..bc1bafcb8 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,6 +1,5 @@
 # Point to Point Protocol daemon
 type ppp, domain;
-permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;
diff --git a/qemud.te b/qemud.te
index 1266e1fd9..caf7a09f1 100644
--- a/qemud.te
+++ b/qemud.te
@@ -1,6 +1,5 @@
 # qemu support daemon
 type qemud, domain;
-permissive qemud;
 type qemud_exec, exec_type, file_type;
 
 init_daemon_domain(qemud)
diff --git a/racoon.te b/racoon.te
index 2d3afb81e..12955f210 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,6 +1,5 @@
 # IKE key management daemon
 type racoon, domain;
-permissive racoon;
 type racoon_exec, exec_type, file_type;
 
 unconfined_domain(racoon)
diff --git a/radio.te b/radio.te
index 6d569b07c..feea2cc6d 100644
--- a/radio.te
+++ b/radio.te
@@ -1,6 +1,5 @@
 # phone subsystem
 type radio, domain;
-permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/release_app.te b/release_app.te
index 285f48300..e7e4b3537 100644
--- a/release_app.te
+++ b/release_app.te
@@ -3,7 +3,6 @@
 ###
 
 type release_app, domain;
-permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
diff --git a/rild.te b/rild.te
index a93b3aca7..9aba8a288 100644
--- a/rild.te
+++ b/rild.te
@@ -1,6 +1,5 @@
 # rild - radio interface layer daemon
 type rild, domain;
-permissive rild;
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
diff --git a/runas.te b/runas.te
index ec5e1c4b6..6446a9e4b 100644
--- a/runas.te
+++ b/runas.te
@@ -1,6 +1,5 @@
 type runas, domain;
 type runas_exec, exec_type, file_type;
-permissive runas;
 unconfined_domain(runas)
 
 # ndk-gdb invokes adb shell run-as.
diff --git a/sdcardd.te b/sdcardd.te
index 32e686cd1..25d12463a 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,5 +1,4 @@
 type sdcardd, domain;
-permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
diff --git a/servicemanager.te b/servicemanager.te
index 80ed9dfeb..10b6aad62 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,6 +1,5 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain;
-permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 
 init_daemon_domain(servicemanager)
diff --git a/shared_app.te b/shared_app.te
index b66fbfbe6..8475e0c9a 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -3,7 +3,6 @@
 ###
 
 type shared_app, domain;
-permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
diff --git a/su.te b/su.te
index c1f002f86..b68536c3a 100644
--- a/su.te
+++ b/su.te
@@ -1,5 +1,4 @@
 type su, domain;
-permissive su;
 type su_exec, exec_type, file_type;
 
 domain_auto_trans(shell, su_exec, su)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index ba66b83b1..aa63e6bff 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,6 +1,5 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
-permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index 61a18dbc7..d274ac107 100644
--- a/system_app.te
+++ b/system_app.te
@@ -4,6 +4,5 @@
 # server.
 #
 type system_app, domain;
-permissive system_app;
 app_domain(system_app)
 unconfined_domain(system_app)
diff --git a/system_server.te b/system_server.te
index fd2d13076..2e86b6a03 100644
--- a/system_server.te
+++ b/system_server.te
@@ -3,7 +3,6 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain;
-permissive system_server;
 unconfined_domain(system_server);
 relabelto_domain(system_server);
 
diff --git a/tee.te b/tee.te
index 2fab2820c..1aae06ea0 100644
--- a/tee.te
+++ b/tee.te
@@ -6,6 +6,5 @@
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
-permissive tee;
 unconfined_domain(tee)
 init_daemon_domain(tee)
diff --git a/watchdogd.te b/watchdogd.te
index 3bf9aae1d..9af871cdd 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,5 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-permissive watchdogd;
 unconfined_domain(watchdogd)
 allow watchdogd rootfs:file entrypoint;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index c92421439..5ef357311 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -1,6 +1,5 @@
 # wpa - wpa supplicant or equivalent
 type wpa, domain;
-permissive wpa;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)
-- 
GitLab