diff --git a/private/attributes b/private/attributes new file mode 100644 index 0000000000000000000000000000000000000000..fcbfecfb26a5495ae07230da0734a58971291187 --- /dev/null +++ b/private/attributes @@ -0,0 +1,9 @@ +# Temporary attribute used for migrating permissions out of domain. +# Motivation: Domain is overly permissive. Start removing permissions +# from domain and assign them to the domain_deprecated attribute. +# Domain_deprecated and domain can initially be assigned to all +# domains. The goal is to not assign domain_deprecated to new domains +# and to start removing domain_deprecated where it's not required or +# reassigning the appropriate permissions to the inheriting domain +# when necessary. +attribute domain_deprecated; diff --git a/private/clatd.te b/private/clatd.te index 5ba0fc5cdcb99da7e531a630fc50aa621714dbf4..c09398dddbc0a30ca85eabdf924a7879bd729b74 100644 --- a/private/clatd.te +++ b/private/clatd.te @@ -1 +1,2 @@ typeattribute clatd coredomain; +typeattribute clatd domain_deprecated; diff --git a/private/dex2oat.te b/private/dex2oat.te index fd45484f4db5bce7e3945b95dff8a76633e9d160..89c3970afcd68562e594a949c00a78e3ba2eb82a 100644 --- a/private/dex2oat.te +++ b/private/dex2oat.te @@ -1 +1,2 @@ typeattribute dex2oat coredomain; +typeattribute dex2oat domain_deprecated; diff --git a/private/dhcp.te b/private/dhcp.te index b2f8ac7c747cf6bba0fe8080fa1afb8348b9ae95..6a6a139e28c9c63a08e3f39d2973f5cab63ac360 100644 --- a/private/dhcp.te +++ b/private/dhcp.te @@ -1,4 +1,5 @@ typeattribute dhcp coredomain; +typeattribute dhcp domain_deprecated; init_daemon_domain(dhcp) type_transition dhcp system_data_file:{ dir file } dhcp_data_file; diff --git a/public/domain_deprecated.te b/private/domain_deprecated.te similarity index 98% rename from public/domain_deprecated.te rename to private/domain_deprecated.te index 04a26c3e56d84046eac07dc0aba58ffcdf64625f..43f11357b02fc0bddf698c8309c444ea4c87921f 100644 --- a/public/domain_deprecated.te +++ b/private/domain_deprecated.te @@ -79,7 +79,6 @@ auditallow { -fingerprintd -installd -keystore - -rild -surfaceflinger -system_server -update_engine @@ -193,7 +192,6 @@ auditallow { domain_deprecated -fsck -fsck_untrusted - -rild -sdcardd -system_server -update_engine @@ -203,7 +201,6 @@ auditallow { domain_deprecated -fsck -fsck_untrusted - -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain @@ -212,7 +209,6 @@ auditallow { -fingerprintd -healthd -netd - -rild -system_app -surfaceflinger -system_server @@ -225,7 +221,6 @@ auditallow { -fingerprintd -healthd -netd - -rild -system_app -surfaceflinger -system_server @@ -238,7 +233,6 @@ auditallow { -fingerprintd -healthd -netd - -rild -system_app -surfaceflinger -system_server @@ -256,7 +250,6 @@ auditallow { -installd -keystore -netd - -rild -surfaceflinger -system_server -zygote @@ -271,7 +264,6 @@ auditallow { -installd -keystore -netd - -rild -surfaceflinger -system_server -zygote diff --git a/private/dumpstate.te b/private/dumpstate.te index b8f81526cddc1f713b42a4f2e83c97882c1d82dd..0fe2adfc68137d9099233ce0924f2471b7082460 100644 --- a/private/dumpstate.te +++ b/private/dumpstate.te @@ -1,4 +1,5 @@ typeattribute dumpstate coredomain; +typeattribute dumpstate domain_deprecated; init_daemon_domain(dumpstate) diff --git a/private/fingerprintd.te b/private/fingerprintd.te index eb73ef8ccf9a3129f5a635c3f390d1177277e6f5..0c1dfaa3748abb9a8c90e0c9edc48ce82a76c0a8 100644 --- a/private/fingerprintd.te +++ b/private/fingerprintd.te @@ -1,3 +1,4 @@ typeattribute fingerprintd coredomain; +typeattribute fingerprintd domain_deprecated; init_daemon_domain(fingerprintd) diff --git a/private/fsck.te b/private/fsck.te index 3a36329f7cca371944b2835dee1854966a754269..e8467972fa00cab78cf61c76d722638d01f7a296 100644 --- a/private/fsck.te +++ b/private/fsck.te @@ -1,3 +1,4 @@ typeattribute fsck coredomain; +typeattribute fsck domain_deprecated; init_daemon_domain(fsck) diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te index 9a57bf02771bb2a06bf59d5b0a922e96dcb81aa6..2a1a39f46d1850e97b26ba177b748a9ed23a7550 100644 --- a/private/fsck_untrusted.te +++ b/private/fsck_untrusted.te @@ -1 +1,2 @@ typeattribute fsck_untrusted coredomain; +typeattribute fsck_untrusted domain_deprecated; diff --git a/private/installd.te b/private/installd.te index f74843dd135d4f6550d2dc6ff8c58e1ac343c550..d726e7df2e5165f8b8f649ceb2b90d4cae803a9a 100644 --- a/private/installd.te +++ b/private/installd.te @@ -1,4 +1,5 @@ typeattribute installd coredomain; +typeattribute installd domain_deprecated; init_daemon_domain(installd) diff --git a/private/keystore.te b/private/keystore.te index a9647c63104c5387f7b540e7fea7b6e0f28afccb..1e563389e102b3f320f4fe6a349a139d0a083e08 100644 --- a/private/keystore.te +++ b/private/keystore.te @@ -1,4 +1,5 @@ typeattribute keystore coredomain; +typeattribute keystore domain_deprecated; init_daemon_domain(keystore) diff --git a/private/mtp.te b/private/mtp.te index 732e111ed0b42407b3076a9ce971946b9a01e818..3cfda0b1aba7a7c0f15f0a7365e2475fe7c9a49f 100644 --- a/private/mtp.te +++ b/private/mtp.te @@ -1,3 +1,4 @@ typeattribute mtp coredomain; +typeattribute mtp domain_deprecated; init_daemon_domain(mtp) diff --git a/private/netd.te b/private/netd.te index f501f25e9f56361cb38813acec88f440a1ad7ee1..3a824af13668b28303a126ca44c371ff887d52e3 100644 --- a/private/netd.te +++ b/private/netd.te @@ -1,4 +1,5 @@ typeattribute netd coredomain; +typeattribute netd domain_deprecated; init_daemon_domain(netd) diff --git a/private/perfprofd.te b/private/perfprofd.te index 9c249fd9a069e4c455afaa2cba281610312f4a60..a655f1d340320aa8c17cf0ef741ad35a70003abd 100644 --- a/private/perfprofd.te +++ b/private/perfprofd.te @@ -1,4 +1,5 @@ userdebug_or_eng(` typeattribute perfprofd coredomain; + typeattribute perfprofd domain_deprecated; init_daemon_domain(perfprofd) ') diff --git a/private/ppp.te b/private/ppp.te index 968b221b688ffe92f04a98d4211648a26d1e7ffc..9b301f4757ba1bf92cd076bb6a8236c5f6191138 100644 --- a/private/ppp.te +++ b/private/ppp.te @@ -1,3 +1,4 @@ typeattribute ppp coredomain; +typeattribute ppp domain_deprecated; domain_auto_trans(mtp, ppp_exec, ppp) diff --git a/private/radio.te b/private/radio.te index b4f539048f3b56816ff9f011a6d1cf0349d6ef6b..83b5b416b248c2533f353e4afa62b8e7e585118e 100644 --- a/private/radio.te +++ b/private/radio.te @@ -1,4 +1,5 @@ typeattribute radio coredomain; +typeattribute radio domain_deprecated; app_domain(radio) diff --git a/private/recovery.te b/private/recovery.te index 2a7fdc7e1d3ad16a0b8f211def5313f91376c7dd..b7b2847ecf6ef7bf099abb02e5593912806167d3 100644 --- a/private/recovery.te +++ b/private/recovery.te @@ -1 +1,2 @@ typeattribute recovery coredomain; +typeattribute recovery domain_deprecated; diff --git a/private/runas.te b/private/runas.te index ef31aac3471736662b840960b05e242ccb80856d..73a91ffd68f32ec11d3b2e40a927eb2c741cef30 100644 --- a/private/runas.te +++ b/private/runas.te @@ -1,4 +1,5 @@ typeattribute runas coredomain; +typeattribute runas domain_deprecated; # ndk-gdb invokes adb shell run-as. domain_auto_trans(shell, runas_exec, runas) diff --git a/private/sdcardd.te b/private/sdcardd.te index 126d643490d7081ad0db7db021320aa74af171b8..ac6bb4e2c4da4da1493109efe95e4cf23b345d39 100644 --- a/private/sdcardd.te +++ b/private/sdcardd.te @@ -1,3 +1,4 @@ typeattribute sdcardd coredomain; +typeattribute sdcardd domain_deprecated; type_transition sdcardd system_data_file:{ dir file } media_rw_data_file; diff --git a/private/shared_relro.te b/private/shared_relro.te index 02f7206829d2901285479f95ed49fa656327e0d1..8d06294d96a53ee83b7109af1e3781ca3fa4a85f 100644 --- a/private/shared_relro.te +++ b/private/shared_relro.te @@ -1,4 +1,5 @@ typeattribute shared_relro coredomain; +typeattribute shared_relro domain_deprecated; # The shared relro process is a Java program forked from the zygote, so it # inherits from app to get basic permissions it needs to run. diff --git a/private/ueventd.te b/private/ueventd.te index 1bd67735e99dc6ea00b17af8db5e4f03550311df..0df587fffd1a5fd3cb81b3d3175c2a1d6a5b5014 100644 --- a/private/ueventd.te +++ b/private/ueventd.te @@ -1,3 +1,4 @@ typeattribute ueventd coredomain; +typeattribute ueventd domain_deprecated; tmpfs_domain(ueventd) diff --git a/private/uncrypt.te b/private/uncrypt.te index e4e9224d9d54910d303676d82c2a2b2ae3473f58..fde686be99d2b09fbceaafb68a45d864815ab182 100644 --- a/private/uncrypt.te +++ b/private/uncrypt.te @@ -1,3 +1,4 @@ typeattribute uncrypt coredomain; +typeattribute uncrypt domain_deprecated; init_daemon_domain(uncrypt) diff --git a/private/update_engine.te b/private/update_engine.te index 5af7db6817de8df41bab90c9bf82eacde78dcf74..f460272d1dc2bb034678c46e2935bd4415cd5ec8 100644 --- a/private/update_engine.te +++ b/private/update_engine.te @@ -1,3 +1,4 @@ typeattribute update_engine coredomain; +typeattribute update_engine domain_deprecated; init_daemon_domain(update_engine); diff --git a/private/vold.te b/private/vold.te index a6d1001d1d48325e4fff25e4c15d888023ae297a..f2416f895e98f1586ec1b7d983b259627f70f5d3 100644 --- a/private/vold.te +++ b/private/vold.te @@ -1,4 +1,5 @@ typeattribute vold coredomain; +typeattribute vold domain_deprecated; init_daemon_domain(vold) diff --git a/public/attributes b/public/attributes index 37f6ac2237d18d4b7688a6464d73af226de1037c..c9c3f8bd8efbd18f802e3fb91a646a3e1b61834d 100644 --- a/public/attributes +++ b/public/attributes @@ -10,16 +10,6 @@ attribute dev_type; # All types used for processes. attribute domain; -# Temporary attribute used for migrating permissions out of domain. -# Motivation: Domain is overly permissive. Start removing permissions -# from domain and assign them to the domain_deprecated attribute. -# Domain_deprecated and domain can initially be assigned to all -# domains. The goal is to not assign domain_deprecated to new domains -# and to start removing domain_deprecated where it's not required or -# reassigning the appropriate permissions to the inheriting domain -# when necessary. -attribute domain_deprecated; - # All types used for filesystems. # On change, update CHECK_FC_ASSERT_ATTRS # definition in tools/checkfc.c. diff --git a/public/clatd.te b/public/clatd.te index 8632087a1035046927df84192ebb906d24a79f2d..212b76edee64ff5ceb097bc7511c6757a3b074c0 100644 --- a/public/clatd.te +++ b/public/clatd.te @@ -1,5 +1,5 @@ # 464xlat daemon -type clatd, domain, domain_deprecated; +type clatd, domain; type clatd_exec, exec_type, file_type; net_domain(clatd) diff --git a/public/dex2oat.te b/public/dex2oat.te index cc8111fdc99f8d9061b9afff1cdcfe9e0972a79c..47f3bcb60bdae710edb451fcc7fcc4c90bfce0bb 100644 --- a/public/dex2oat.te +++ b/public/dex2oat.te @@ -1,5 +1,5 @@ # dex2oat -type dex2oat, domain, domain_deprecated; +type dex2oat, domain; type dex2oat_exec, exec_type, file_type; r_dir_file(dex2oat, apk_data_file) diff --git a/public/dhcp.te b/public/dhcp.te index 22351edccf36024f4ccf65731d00a1eb690878b7..2b54b7f8850443e9ec5b18b08cca0bedfb6eabbc 100644 --- a/public/dhcp.te +++ b/public/dhcp.te @@ -1,4 +1,4 @@ -type dhcp, domain, domain_deprecated; +type dhcp, domain; type dhcp_exec, exec_type, file_type; net_domain(dhcp) diff --git a/public/dumpstate.te b/public/dumpstate.te index 503f35962f28652627208c7b320d74b867ab31cf..4f66ffb4a7daca1ce0d5ade9aff15219678781e8 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -1,5 +1,5 @@ # dumpstate -type dumpstate, domain, domain_deprecated, mlstrustedsubject; +type dumpstate, domain, mlstrustedsubject; type dumpstate_exec, exec_type, file_type; net_domain(dumpstate) diff --git a/public/fingerprintd.te b/public/fingerprintd.te index 57cde1db053fc2b4271aadf4c22fed6afa8310d0..5dd18a352a26df126f30b06f2ac5d4d1eaf66d4e 100644 --- a/public/fingerprintd.te +++ b/public/fingerprintd.te @@ -1,4 +1,4 @@ -type fingerprintd, domain, domain_deprecated; +type fingerprintd, domain; type fingerprintd_exec, exec_type, file_type; binder_use(fingerprintd) diff --git a/public/fsck.te b/public/fsck.te index 8f3b17a4ad5b3132803b1d38a6011a2e88803a78..b682a877f0de5c1d6b7eac98fad9e3fc2e1eeb19 100644 --- a/public/fsck.te +++ b/public/fsck.te @@ -1,5 +1,5 @@ # Any fsck program run by init -type fsck, domain, domain_deprecated; +type fsck, domain; type fsck_exec, exec_type, file_type; # /dev/__null__ created by init prior to policy load, diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te index a9dd8055a6ea9112f157f4999be5f936b2105c66..e2aceb87b00b4abc470fb121a7502951388c5312 100644 --- a/public/fsck_untrusted.te +++ b/public/fsck_untrusted.te @@ -1,5 +1,5 @@ # Any fsck program run on untrusted block devices -type fsck_untrusted, domain, domain_deprecated; +type fsck_untrusted, domain; # Inherit and use pty created by android_fork_execvp_ext(). allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; diff --git a/public/installd.te b/public/installd.te index 359356aa32fb74e3f94811e65f52d8c1b347575f..939a4810ac088dd3c76e1db1859f021cb99b8410 100644 --- a/public/installd.te +++ b/public/installd.te @@ -1,5 +1,5 @@ # installer daemon -type installd, domain, domain_deprecated; +type installd, domain; type installd_exec, exec_type, file_type; typeattribute installd mlstrustedsubject; allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin }; diff --git a/public/keystore.te b/public/keystore.te index 2c3118510a4ae7facd99c1dabbaa716e9de6bbee..ee5e6757456e4c9316d76316e0e8e1e2b4ba5cd0 100644 --- a/public/keystore.te +++ b/public/keystore.te @@ -1,4 +1,4 @@ -type keystore, domain, domain_deprecated; +type keystore, domain; type keystore_exec, exec_type, file_type; # keystore daemon diff --git a/public/mtp.te b/public/mtp.te index 0ca7cea357b0fb7f247d60c2d186af97e7bf1c72..a77624064677516b6531cc1a1ba1333b744b4772 100644 --- a/public/mtp.te +++ b/public/mtp.te @@ -1,5 +1,5 @@ # vpn tunneling protocol manager -type mtp, domain, domain_deprecated; +type mtp, domain; type mtp_exec, exec_type, file_type; net_domain(mtp) diff --git a/public/netd.te b/public/netd.te index 1694aecdf8046b6b3349e421ff61e9ed142337e9..691887fcd39e56743135d50fb66b5d054e3c6850 100644 --- a/public/netd.te +++ b/public/netd.te @@ -1,5 +1,5 @@ # network manager -type netd, domain, domain_deprecated, mlstrustedsubject; +type netd, domain, mlstrustedsubject; type netd_exec, exec_type, file_type; net_domain(netd) diff --git a/public/perfprofd.te b/public/perfprofd.te index f0df6a0aa89859e3923652e1f2ea8cf8b1d2ca1e..bfb8693fa47d8e98181656bae333410bee868d52 100644 --- a/public/perfprofd.te +++ b/public/perfprofd.te @@ -4,7 +4,6 @@ type perfprofd_exec, exec_type, file_type; userdebug_or_eng(` - typeattribute perfprofd domain_deprecated; typeattribute perfprofd coredomain; typeattribute perfprofd mlstrustedsubject; diff --git a/public/ppp.te b/public/ppp.te index 918ef5e7f914333441ee3ba630965f20e4207f9d..04e17f57ad708feced020739dd45d421f472d6a9 100644 --- a/public/ppp.te +++ b/public/ppp.te @@ -1,5 +1,5 @@ # Point to Point Protocol daemon -type ppp, domain, domain_deprecated; +type ppp, domain; type ppp_device, dev_type; type ppp_exec, exec_type, file_type; diff --git a/public/radio.te b/public/radio.te index f5604fd43d7ab4398bdda638f0c9306bf81f8ac8..87329d913c485eef39ed475e64875449554f2d3f 100644 --- a/public/radio.te +++ b/public/radio.te @@ -1,5 +1,5 @@ # phone subsystem -type radio, domain, domain_deprecated, mlstrustedsubject; +type radio, domain, mlstrustedsubject; net_domain(radio) bluetooth_domain(radio) diff --git a/public/recovery.te b/public/recovery.te index 7022ef7155ee332ecbb14d421608212f2db16214..6e211ac0ec997a60c95544d36f61f631b41d05e1 100644 --- a/public/recovery.te +++ b/public/recovery.te @@ -2,7 +2,7 @@ # Declare the domain unconditionally so we can always reference it # in neverallow rules. -type recovery, domain, domain_deprecated; +type recovery, domain; # But the allow rules are only included in the recovery policy. # Otherwise recovery is only allowed the domain rules. diff --git a/public/rild.te b/public/rild.te index e4b01869064be3858275b2f1c5237c9ceb34e1d1..14420dffb5d976f54a3034700add458a19423d3d 100644 --- a/public/rild.te +++ b/public/rild.te @@ -1,5 +1,5 @@ # rild - radio interface layer daemon -type rild, domain, domain_deprecated; +type rild, domain; hal_server_domain(rild, hal_telephony) net_domain(rild) diff --git a/public/runas.te b/public/runas.te index 046165d4bfb6f212950ae224f99ff5fa84674947..cda02efab9db71e9368d2947aca1ad6d4464e408 100644 --- a/public/runas.te +++ b/public/runas.te @@ -1,4 +1,4 @@ -type runas, domain, domain_deprecated, mlstrustedsubject; +type runas, domain, mlstrustedsubject; type runas_exec, exec_type, file_type; allow runas adbd:process sigchld; diff --git a/public/sdcardd.te b/public/sdcardd.te index 3cb69be63bee5107753e91d48bb0292e9ac762dd..47a2f80611516032ba54c033b6081a025a1d236d 100644 --- a/public/sdcardd.te +++ b/public/sdcardd.te @@ -1,4 +1,4 @@ -type sdcardd, domain, domain_deprecated; +type sdcardd, domain; type sdcardd_exec, exec_type, file_type; allow sdcardd cgroup:dir create_dir_perms; diff --git a/public/shared_relro.te b/public/shared_relro.te index 9794b0b8a690f305c95ec757176c96d79c376345..91cf44d0244adc49669c7f98fee241445f37c27b 100644 --- a/public/shared_relro.te +++ b/public/shared_relro.te @@ -1,5 +1,5 @@ # Process which creates/updates shared RELRO files to be used by other apps. -type shared_relro, domain, domain_deprecated; +type shared_relro, domain; # Grant write access to the shared relro files/directory. allow shared_relro shared_relro_file:dir rw_dir_perms; diff --git a/public/ueventd.te b/public/ueventd.te index 8ec667e047a05c86c088fe7c372081314057a6f4..4c77e11ea3868efa7eb1235974966ca851fd8d69 100644 --- a/public/ueventd.te +++ b/public/ueventd.te @@ -1,6 +1,6 @@ # ueventd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. -type ueventd, domain, domain_deprecated; +type ueventd, domain; # Write to /dev/kmsg. allow ueventd kmsg_device:chr_file rw_file_perms; diff --git a/public/uncrypt.te b/public/uncrypt.te index ef1289c325c91e64adb3bac1a391a56a76ab5376..7ae7d396e4262f1db11f947dab49cfcbeace53b2 100644 --- a/public/uncrypt.te +++ b/public/uncrypt.te @@ -1,5 +1,5 @@ # uncrypt -type uncrypt, domain, domain_deprecated, mlstrustedsubject; +type uncrypt, domain, mlstrustedsubject; type uncrypt_exec, exec_type, file_type; allow uncrypt self:capability dac_override; diff --git a/public/update_engine.te b/public/update_engine.te index 69ee7c85044559d35904b8537b2df67af5fde9e8..b8f0035bdb33d89712930cd04cd9e57196876c73 100644 --- a/public/update_engine.te +++ b/public/update_engine.te @@ -1,5 +1,5 @@ # Domain for update_engine daemon. -type update_engine, domain, domain_deprecated, update_engine_common; +type update_engine, domain, update_engine_common; type update_engine_exec, exec_type, file_type; net_domain(update_engine); diff --git a/public/vold.te b/public/vold.te index 20181d113a87215ebde8ec1e4bb88c9e4b913078..81ee28c479dbb49039cbd22d58bc2289898ebe52 100644 --- a/public/vold.te +++ b/public/vold.te @@ -1,5 +1,5 @@ # volume manager -type vold, domain, domain_deprecated; +type vold, domain; type vold_exec, exec_type, file_type; # Read already opened /cache files. diff --git a/vendor/tee.te b/vendor/tee.te index f7c2cb59f544ba073691116110972ef53de82635..348d71587846cf6dd13b97310cc37226b8413594 100644 --- a/vendor/tee.te +++ b/vendor/tee.te @@ -1,8 +1,6 @@ ## # trusted execution environment (tee) daemon # -typeattribute tee domain_deprecated; - type tee_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(tee)