From 50e37b93ac97631dcac6961285b92af5026557af Mon Sep 17 00:00:00 2001
From: repo sync <gcondra@google.com>
Date: Tue, 14 May 2013 21:02:55 -0700
Subject: [PATCH] Move domains into per-domain permissive mode.

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
---
 app.te | 6 ++++++
 bluetooth.te | 1 +
 bluetoothd.te | 1 +
 dbusd.te | 1 +
 debuggerd.te | 1 +
 dhcp.te | 1 +
 drmserver.te | 1 +
 file_contexts | 1 +
 gpsd.te | 1 +
 hci_attach.te | 1 +
 init.te | 1 +
 installd.te | 1 +
 kernel.te | 1 +
 keystore.te | 1 +
 mediaserver.te | 1 +
 mtp.te | 1 +
 netd.te | 1 +
 nfc.te | 1 +
 ping.te | 1 +
 ppp.te | 1 +
 qemud.te | 1 +
 racoon.te | 1 +
 radio.te | 1 +
 rild.te | 1 +
 sdcardd.te | 1 +
 servicemanager.te | 1 +
 su.te | 1 +
 surfaceflinger.te | 1 +
 system.te | 1 +
 te_macros | 1 +
 tee.te | 1 +
 ueventd.te | 1 +
 vold.te | 1 +
 watchdogd.te | 1 +
 wpa_supplicant.te | 1 +
 zygote.te | 1 +
 36 files changed, 41 insertions(+)

diff --git a/app.te b/app.te
index c91f566bd..00ec45031 100644
--- a/app.te
+++ b/app.te
@@ -7,6 +7,7 @@
 # Apps signed with the platform key.
 #
 type platform_app, domain;
+permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
@@ -31,6 +32,7 @@ allow platform_app download_file:file rw_file_perms;
 # Apps signed with the media key.
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
@@ -54,6 +56,7 @@ allow media_app download_file:dir relabelto;
 # Apps signed with the shared key.
 type shared_app, domain;
+permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
@@ -65,6 +68,7 @@ r_dir_file(shared_app, asec_apk_file)
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
+permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
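Review bot: The `permissive platform_app;` line added here, and the matching `permissive <domain>;` line in every other .te hunk of this patch through zygote.te, puts each of those domains into audit-only mode, so a denial in su, init, kernel, keystore, installd, vold or zygote is logged but no longer blocked, and nothing in the policy text marks the lines as transitional. A one-line marker above the first occurrence in each file, e.g. `# TODO(4070557): remove once denials are resolved`, would make a grep for `^permissive` double as the enforcement backlog and stop the lines from being carried forward silently. For init and kernel, whose hunks already show `unconfined_domain(init)` and `unconfined_domain(kernel)`, the added permissive line is probably redundant; confirm before keeping it. With every domain defined in these files permissive, the commit message should also state whether a build carrying this policy is meant to be enforcing at all.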
@@ -76,6 +80,7 @@ bluetooth_domain(release_app)
 # In order for isolated_apps to interact with apps that have levelFromUid=true
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
+permissive isolated_app;
 app_domain(isolated_app)
 #
@@ -94,6 +99,7 @@ allow platformappdomain sdcard_type:file create_file_perms;
 # Untrusted apps.
 #
 type untrusted_app, domain;
+permissive untrusted_app;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
diff --git a/bluetooth.te b/bluetooth.te
index a7b9a4eb8..e87065a4b 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,6 @@
 # bluetooth subsystem
 type bluetooth, domain;
+permissive bluetooth;
 app_domain(bluetooth)
 # Data file accesses.
diff --git a/bluetoothd.te b/bluetoothd.te
index 640a1da2e..17660384a 100644
--- a/bluetoothd.te
+++ b/bluetoothd.te
@@ -1,5 +1,6 @@
 # bluetoothd - bluetooth daemon
 type bluetoothd, domain;
+permissive bluetoothd;
 type bluetoothd_exec, exec_type, file_type;
 init_daemon_domain(bluetoothd)
diff --git a/dbusd.te b/dbusd.te
index 6ffc836ef..56b1d75ab 100644
--- a/dbusd.te
+++ b/dbusd.te
@@ -1,5 +1,6 @@
 # dbus daemon
 type dbusd, domain;
+permissive dbusd;
 type dbusd_exec, exec_type, file_type;
 init_daemon_domain(dbusd)
diff --git a/debuggerd.te b/debuggerd.te
index aca499b9b..131c56c52 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,5 +1,6 @@
 # debugger interface
 type debuggerd, domain;
+permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 init_daemon_domain(debuggerd)
diff --git a/dhcp.te b/dhcp.te
index b806a89a0..a6e2036ba 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,4 +1,5 @@
 type dhcp, domain;
+permissive dhcp;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;
diff --git a/drmserver.te b/drmserver.te
index 0b34eb787..79f86137d 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,5 +1,6 @@
 # drmserver - DRM service
 type drmserver, domain;
+permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 init_daemon_domain(drmserver)
diff --git a/file_contexts b/file_contexts
index 19491f961..766bf5999 100644
--- a/file_contexts
+++ b/file_contexts
@@ -172,6 +172,7 @@
 /data/app-private/vmdl.*\.tmp u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/selinux(/.*)? u:object_r:tombstone_data_file:s0
 # Misc data
 /data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
diff --git a/gpsd.te b/gpsd.te
index 8010efa0d..a7b2f1e36 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,5 +1,6 @@
 # gpsd - GPS daemon
 type gpsd, domain;
+permissive gpsd;
 type gpsd_exec, exec_type, file_type;
 init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 3cb0953e5..2a55d512b 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,4 +1,5 @@
 type hci_attach, domain;
+permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;
 init_daemon_domain(hci_attach)
diff --git a/init.te b/init.te
index 0f9b69730..9c1c8ce94 100644
--- a/init.te
+++ b/init.te
@@ -1,5 +1,6 @@
 # init switches to init domain (via init.rc).
 type init, domain;
+permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
diff --git a/installd.te b/installd.te
index 428e3790d..2b983db12 100644
--- a/installd.te
+++ b/installd.te
@@ -1,5 +1,6 @@
 # installer daemon
 type installd, domain;
+permissive installd;
 type installd_exec, exec_type, file_type;
 init_daemon_domain(installd)
diff --git a/kernel.te b/kernel.te
index 66c7b13f9..5502ed88d 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,4 +1,5 @@
 # Life begins with the kernel.
 type kernel, domain;
+permissive kernel;
 # The kernel is unconfined.
 unconfined_domain(kernel)
diff --git a/keystore.te b/keystore.te
index c44d254ba..e6eacf0f9 100644
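Review bot: The new file_contexts entry `/data/local/tmp/selinux(/.*)? u:object_r:tombstone_data_file:s0` reuses an unrelated type for a subtree of /data/local/tmp, which the line above it labels shell_data_file, and the hunk carries no comment saying which consumer needs it. Every rule granting access to tombstone_data_file now also reaches content placed under that path (presumably by the shell domain, given the parent label), and whoever later tightens the tombstone rules has no hint that this directory depends on them. A dedicated type would keep the two meanings apart; failing that, a comment above the entry, e.g. `# <consumer placeholder> test directory; intentionally shares tombstone_data_file`, records the coupling. This entry is also unrelated to the per-domain permissive change in the subject, so a separate commit would keep the audit trail cleaner.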
--- a/keystore.te
+++ b/keystore.te
@@ -1,4 +1,5 @@
 type keystore, domain;
+permissive keystore;
 type keystore_exec, exec_type, file_type;
 # keystore daemon
diff --git a/mediaserver.te b/mediaserver.te
index 3e78ce2e5..7d2b9cb55 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,6 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
+permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
 typeattribute mediaserver mlstrustedsubject;
diff --git a/mtp.te b/mtp.te
index b458e69ba..4331cbfad 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,5 +1,6 @@
 # vpn tunneling protocol manager
 type mtp, domain;
+permissive mtp;
 type mtp_exec, exec_type, file_type;
 init_daemon_domain(mtp)
diff --git a/netd.te b/netd.te
index af7d15d33..297f57031 100644
--- a/netd.te
+++ b/netd.te
@@ -1,5 +1,6 @@
 # network manager
 type netd, domain;
+permissive netd;
 type netd_exec, exec_type, file_type;
 init_daemon_domain(netd)
diff --git a/nfc.te b/nfc.te
index 9a354bb58..efb1a14b5 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,6 @@
 # nfc subsystem
 type nfc, domain;
+permissive nfc;
 app_domain(nfc)
 # NFC device access.
diff --git a/ping.te b/ping.te
index 5b8bc953b..df9e624ac 100644
--- a/ping.te
+++ b/ping.te
@@ -1,4 +1,5 @@
 type ping, domain;
+permissive ping;
 type ping_exec, file_type;
 domain_auto_trans(shell, ping_exec, ping)
diff --git a/ppp.te b/ppp.te
index 115fb9877..85d37a7a2 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,5 +1,6 @@
 # Point to Point Protocol daemon
 type ppp, domain;
+permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;
diff --git a/qemud.te b/qemud.te
index ec6c816d0..ab99291b2 100644
--- a/qemud.te
+++ b/qemud.te
@@ -1,5 +1,6 @@
 # qemu support daemon
 type qemud, domain;
+permissive qemud;
 type qemud_exec, exec_type, file_type;
 init_daemon_domain(qemud)
diff --git a/racoon.te b/racoon.te
index 9f556e0b8..4cebb7bd2 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,5 +1,6 @@
 # IKE key management daemon
 type racoon, domain;
+permissive racoon;
 type racoon_exec, exec_type, file_type;
 init_daemon_domain(racoon)
diff --git a/radio.te b/radio.te
index a119d75cf..9de8aba22 100644
--- a/radio.te
+++ b/radio.te
@@ -1,5 +1,6 @@
 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/rild.te b/rild.te
index b224baca3..c2fcda91e 100644
--- a/rild.te
+++ b/rild.te
@@ -1,5 +1,6 @@
 # rild - radio interface layer daemon
 type rild, domain;
+permissive rild;
 type rild_exec, exec_type, file_type;
 init_daemon_domain(rild)
diff --git a/sdcardd.te b/sdcardd.te
index c79854508..3e556c3a5 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,4 +1,5 @@
 type sdcardd, domain;
+permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 init_daemon_domain(sdcardd)
diff --git a/servicemanager.te b/servicemanager.te
index a78a485bb..dc0f15e13 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,5 +1,6 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain;
+permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 init_daemon_domain(servicemanager)
diff --git a/su.te b/su.te
index 75e621406..ca9fcc237 100644
--- a/su.te
+++ b/su.te
@@ -1,4 +1,5 @@
 type su, domain;
+permissive su;
 type su_exec, file_type;
 domain_auto_trans(shell, su_exec, su)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index a383ec11e..4244d01ed 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,5 +1,6 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
+permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
diff --git a/system.te b/system.te
index 66a7afc4e..cef5ceed2 100644
--- a/system.te
+++ b/system.te
@@ -4,6 +4,7 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
 # Perform binder IPC to any app domain.
diff --git a/te_macros b/te_macros
index 6e6b0a479..278205e7c 100644
--- a/te_macros
+++ b/te_macros
@@ -232,6 +232,7 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
+allow $1 security_file:lnk_file read;
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
diff --git a/tee.te b/tee.te
index d5e8ff7d4..dad3505c6 100644
--- a/tee.te
+++ b/tee.te
@@ -2,6 +2,7 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
+permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
diff --git a/ueventd.te b/ueventd.te
index fa03acf70..271718281 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -1,6 +1,7 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
+permissive ueventd;
 tmpfs_domain(ueventd)
 write_klog(ueventd)
 security_access_policy(ueventd)
diff --git a/vold.te b/vold.te
index 8dd213714..fa76a55f2 100644
--- a/vold.te
+++ b/vold.te
@@ -1,5 +1,6 @@
 # volume manager
 type vold, domain;
+permissive vold;
 type vold_exec, exec_type, file_type;
 init_daemon_domain(vold)
diff --git a/watchdogd.te b/watchdogd.te
index 18824ccf2..76f8244d2 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,5 +1,6 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
+permissive watchdogd;
 allow watchdogd rootfs:file { entrypoint r_file_perms };
 allow watchdogd self:capability mknod;
 allow watchdogd device:dir { add_name write remove_name };
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index be1bf2563..2c4ea6044 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -1,5 +1,6 @@
 # wpa - wpa supplicant or equivalent
 type wpa, domain;
+permissive wpa;
 type wpa_exec, exec_type, file_type;
 init_daemon_domain(wpa)
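Review bot: The added `allow $1 security_file:lnk_file read;` in security_access_policy widens what every domain that expands the macro may do (the ueventd hunk below shows `security_access_policy(ueventd)`), yet nothing records which symlink under the security_file label it is for, and it is the only allow rule this patch adds. A short comment on the line, e.g. `# follow <symlink placeholder> labelled security_file`, would let a later reviewer verify the grant is still needed rather than inherit it. The macro body continues past the end of the hunk. Like the file_contexts entry, this rule is unrelated to the commit subject and would be easier to audit in its own change.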
diff --git a/zygote.te b/zygote.te
index 773318ea1..90a9b3dca 100644
--- a/zygote.te
+++ b/zygote.te
@@ -1,5 +1,6 @@
 # zygote
 type zygote, domain;
+permissive zygote;
 type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
-- 
GitLab