diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te index 0a39b96cba6014fcaf27a0fb02e79b5a7190b6f0..66acfd691772574a3305280abc82010cc43e3d5b 100644 --- a/public/domain_deprecated.te +++ b/public/domain_deprecated.te @@ -2,6 +2,7 @@ # Search /storage/emulated tmpfs mount. allow domain_deprecated tmpfs:dir r_dir_perms; +userdebug_or_eng(` auditallow { domain_deprecated -appdomain @@ -11,20 +12,26 @@ auditallow { -vold -zygote } tmpfs:dir r_dir_perms; +') # Inherit or receive open files from others. allow domain_deprecated system_server:fd use; +userdebug_or_eng(` auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use; +') # Connect to adbd and use a socket transferred from it. # This is used for e.g. adb backup/restore. allow domain_deprecated adbd:fd use; +userdebug_or_eng(` auditallow { domain_deprecated -appdomain -system_server } adbd:fd use; +') # Root fs. allow domain_deprecated rootfs:dir r_dir_perms; allow domain_deprecated rootfs:file r_file_perms; allow domain_deprecated rootfs:lnk_file r_file_perms; +userdebug_or_eng(` auditallow { domain_deprecated -fsck @@ -60,10 +67,12 @@ auditallow { -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain +') # System file accesses. allow domain_deprecated system_file:dir r_dir_perms; allow domain_deprecated system_file:file r_file_perms; +userdebug_or_eng(` auditallow { domain_deprecated -appdomain @@ -85,10 +94,12 @@ auditallow { -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain +') # Read files already opened under /data. allow domain_deprecated system_data_file:file { getattr read }; allow domain_deprecated system_data_file:lnk_file r_file_perms; +userdebug_or_eng(` auditallow { domain_deprecated -appdomain 
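Review bot: Nothing in the file records that the `auditallow` rules are now debug-only while every `allow domain_deprecated ...` rule stays unconditional, starting at the tmpfs block in the first hunk (@@ -2,6 +2,7 @@) and repeated in every later hunk. On user builds the deprecated accesses remain granted but no longer produce `avc: granted` records, so evidence of which domains still rely on them will come only from userdebug/eng devices. I would state that once near the top of the file, for example `# auditallow rules are compiled in only on userdebug/eng builds; the allow rules still apply on user builds.` The top of the file lies outside the hunk, so whether such a comment already exists cannot be seen here.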
@@ -102,11 +113,13 @@ auditallow { -system_server -tee } system_data_file:lnk_file r_file_perms; +') # Read apk files under /data/app. allow domain_deprecated apk_data_file:dir { getattr search }; allow domain_deprecated apk_data_file:file r_file_perms; allow domain_deprecated apk_data_file:lnk_file r_file_perms; +userdebug_or_eng(` auditallow { domain_deprecated -appdomain @@ -128,11 +141,13 @@ auditallow { -installd -system_server } apk_data_file:lnk_file r_file_perms; +') # Read already opened /cache files. allow domain_deprecated cache_file:dir r_dir_perms; allow domain_deprecated cache_file:file { getattr read }; allow domain_deprecated cache_file:lnk_file r_file_perms; +userdebug_or_eng(` auditallow { domain_deprecated -system_server @@ -154,20 +169,34 @@ auditallow { -system_server -vold } cache_file:lnk_file r_file_perms; +') -#Allow access to ion memory allocation device +# Allow access to ion memory allocation device allow domain_deprecated ion_device:chr_file rw_file_perms; # split this auditallow into read and write perms since most domains seem to # only require read -auditallow { domain_deprecated -appdomain -fingerprintd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms; +userdebug_or_eng(` +auditallow { + domain_deprecated + -appdomain + -fingerprintd + -keystore + -surfaceflinger + -system_server + -tee + -vold + -zygote +} ion_device:chr_file r_file_perms; auditallow domain_deprecated ion_device:chr_file { write append }; +') # Read access to pseudo filesystems. r_dir_file(domain_deprecated, proc) r_dir_file(domain_deprecated, sysfs) r_dir_file(domain_deprecated, cgroup) allow domain_deprecated proc_meminfo:file r_file_perms; -#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain + +userdebug_or_eng(` auditallow { domain_deprecated -fsck 
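Review bot: In the ion_device hunk (@@ -154,20 +169,34 @@) the comment about splitting the auditallow into read and write perms stays outside the new `userdebug_or_eng(` block, while both rules it describes moved inside. The trailing `# ... granted in domain` comments in other hunks now sit inside m4-quoted text. A comment inside the quoted argument that contains a backquote or apostrophe would, as far as I know, be read by m4 as a quote delimiter and end the block early. The visible comments are clean, but the elided rule bodies are not shown here. A short reminder next to the first block would help, e.g. `# Comments inside userdebug_or_eng blocks must not contain quote characters (m4 quoting).`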
@@ -268,10 +297,12 @@ auditallow { -system_server -vold } proc_meminfo:file r_file_perms; +') # Get SELinux enforcing status. allow domain_deprecated selinuxfs:dir r_dir_perms; allow domain_deprecated selinuxfs:file r_file_perms; +userdebug_or_eng(` auditallow { domain_deprecated -appdomain @@ -296,3 +327,4 @@ auditallow { -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain +')