Make all domains unconfined.

This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

Make all domains unconfined.
77d4731e · repo sync · 42cabf34 · 77d4731e · 77d4731e · 42cabf34
Commit 77d4731e authored 12 years ago by repo sync
--- a/adbd.te
+++ b/adbd.te
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
-allow adbd adb_device:chr_file rw_file_perms;
-allow adbd qemu_device:chr_file rw_file_perms;
-allow adbd self:capability { net_raw setgid setuid setpcap dac_override sys_boot sys_admin };
-allow adbd rootfs:file { r_file_perms entrypoint };
-allow adbd init:process sigchld;
-allow adbd self:tcp_socket *;
-allow adbd self:unix_stream_socket *;
-allow adbd node:tcp_socket node_bind;
-allow adbd port:tcp_socket name_bind;
-allow adbd devpts:chr_file rw_file_perms;
-allow adbd cgroup:dir { write add_name create };
-allow adbd labeledfs:filesystem remount;
-allow adbd shell_data_file:dir rw_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-allow adbd graphics_device:dir search;
-allow adbd graphics_device:chr_file r_file_perms;
-# XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
-allow adbd system_file:file rx_file_perms;
-unix_socket_connect(adbd, vold, vold)
-# Talk to init via the property socket.
-unix_socket_connect(adbd, property, init)
-
-# Run sh in its own domain.
+type adbd, domain;
+permissive adbd;
+unconfined_domain(adbd)
 domain_auto_trans(adbd, shell_exec, shell)
-# Do not sanitize the environment of the shell.
-allow adbd shell:process noatsecure;
-
-# XXX Mostly to access system properties and keys- maybe those should be their own type?
-allow adbd system_data_file:file create_file_perms;
-allow adbd system_data_file:dir create_dir_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
+# this is an entrypoint
+allow adbd rootfs:file entrypoint;
--- a/app.te
+++ b/app.te
@@ -14,21 +14,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app shell_data_file:lnk_file read;
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-allow platform_app download_file:file rw_file_perms;
+unconfined_domain(platform_app)

 # Apps signed with the media key.
 type media_app, domain;
@@ -37,22 +23,7 @@ app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-# Access /dev/mtp_usb.
-allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
-# Stat /cache/backup
-allow media_app cache_backup_file:file getattr;
-allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir
-allow media_app rootfs:file r_file_perms;
-# Allow platform apps to mark platform app data files as download files
-allow media_app platform_app_data_file:dir relabelfrom;
-allow media_app download_file:dir relabelto;
+unconfined_domain(media_app)

 # Apps signed with the shared key.
 type shared_app, domain;
@@ -63,8 +34,7 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-# ASEC
-r_dir_file(shared_app, asec_apk_file)
+unconfined_domain(shared_app)

 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
@@ -75,6 +45,7 @@ platform_app_domain(release_app)
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
+unconfined_domain(release_app)

 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -82,18 +53,7 @@ bluetooth_domain(release_app)
 type isolated_app, domain, mlstrustedsubject;
 permissive isolated_app;
 app_domain(isolated_app)
-
-#
-# Rules for platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-
+unconfined_domain(isolated_app)

 #
 # Untrusted apps.
@@ -103,101 +63,4 @@ permissive untrusted_app;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
-allow untrusted_app tun_device:chr_file rw_file_perms;
-
-# Internal SDCard rw access.
-bool app_internal_sdcard_rw true;
-if (app_internal_sdcard_rw) {
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-}
-# External SDCard rw access.
-bool app_external_sdcard_rw true;
-if (app_external_sdcard_rw) {
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-}
-
-#
-# Rules for all app domains.
-#
-
-# Allow apps to connect to the keystore
-unix_socket_connect(appdomain, keystore, keystore)
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Communicate over a FIFO or socket created by the system_server.
-allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write setopt };
-
-# Communicate over a socket created by surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
-
-# App sandbox file accesses.
-allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
-
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC.  Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
-# lib subdirectory of /data/data dir is system-owned.
-allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute open };
-
-# Execute the shell or other system executables.
-allow appdomain shell_exec:file rx_file_perms;
-allow appdomain system_file:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { read write };
-
-# Write to /data/anr/traces.txt.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow { appdomain isolated_app } backup_data_file:file { read write };
-allow { appdomain isolated_app } cache_backup_file:file { read write };
-# Backup ability using 'adb backup'
-allow { appdomain isolated_app } system_data_file:lnk_file getattr;
-
-# Allow all applications to read downloaded files
-allow appdomain download_file:file r_file_perms;
-file_type_auto_trans(appdomain, download_file, download_file)
-
-# ASEC
-allow untrusted_app asec_apk_file:dir { getattr };
-allow untrusted_app asec_apk_file:file r_file_perms;
\ No newline at end of file
+unconfined_domain(untrusted_app)
--- a/assert.te
+++ b/assert.te
-# Policy assertions.
-# These neverallow rules are checked by checkpolicy at policy build time.
-# checkpolicy will refuse to generate the kernel policy if any of these
-# assertions fail.
-
-# Superuser capabilities.
-# Only exception is sys_nice for binder, might not be necessary.
-neverallow { appdomain -bluetooth } self:capability ~sys_nice;
-neverallow bluetooth self:capability ~{ sys_nice net_admin };
-neverallow appdomain self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Kernel memory access.
-neverallow appdomain kmem_device:chr_file { read write };
-
-# Setting SELinux enforcing status or booleans.
-# Conditionally allowed to system_app for SEAndroidManager.
-neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
-# Privileged netlink socket interfaces.
-neverallow appdomain self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *;
-
-# Access to /proc/pid entries for any non-app domain.
-# Violated by cts.te rules so commented out for now.
-#neverallow appdomain { domain - appdomain }:dir search;
-#neverallow appdomain { domain - appdomain }:lnk_file read;
-#neverallow appdomain { domain - appdomain }:file { read write };
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Transition to a non-app domain.
-# Shell excluded since it has a transition to runas.
-neverallow { appdomain -shell } ~appdomain:process { transition dyntransition };
-
-# Map low memory.
-neverallow appdomain self:memprotect mmap_zero;
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set write;
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts.  Define a different type for portions
-# that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -system_app } system_data_file:dir_file_class_set write;
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -2,37 +2,4 @@
 type bluetooth, domain;
 permissive bluetooth;
 app_domain(bluetooth)
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-# Device accesses.
-allow bluetooth { hci_attach_dev }:chr_file rw_file_perms;
-allow bluetooth input_device:chr_file write;
-
-# sysfs access.
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow bluetooth self:capability net_admin;
-
-# Other domains that can create and use bluetooth sockets.
-# SELinux does not presently define a specific socket class for
-# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-allow bluetoothdomain self:socket *;
-allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
-
-# tethering
-allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
-allow bluetooth efs_file:dir search;
-
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
-# Property Service
-allow bluetooth bluetooth_prop:property_service set;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+unconfined_domain(bluetooth)
--- a/bluetoothd.te
+++ b/bluetoothd.te
@@ -4,8 +4,4 @@ permissive bluetoothd;
 type bluetoothd_exec, exec_type, file_type;

 init_daemon_domain(bluetoothd)
-allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
-allow bluetoothd self:socket *;
-allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
-allow bluetoothd bluetoothd_data_file:file create_file_perms;
-unix_socket_connect(bluetoothd, dbus, dbusd)
+unconfined_domain(bluetoothd)
--- a/cts.te
+++ b/cts.te
-#
-# Rules to allow the Android CTS to run.
-# Do not enable in production policy.
-#
-
-bool android_cts false;
-if (android_cts) {
-# For TestDeviceSetup (RootProcessScanner).
-# Reads /proc/pid/status and statm entries to check that
-# no unexpected root processes are running.
-# Also for android.security.cts.VoldExploitTest.
-# Requires ability to read /proc/pid/cmdline of vold.
-allow appdomain domain:dir r_dir_perms;
-allow appdomain domain:{ file lnk_file } r_file_perms;
-
-# Will still fail when trying to read other app /proc/pid
-# entries due to MLS constraints.  Just silence the denials.
-dontaudit appdomain appdomain:dir r_dir_perms;
-dontaudit appdomain appdomain:file r_file_perms;
-
-# For android.permission.cts.FileSystemPermissionTest.
-# Walk the file tree, stat any file in order to check file permissions.
-allow appdomain fs_type:dir r_dir_perms;
-allow appdomain dev_type:dir r_dir_perms;
-allow appdomain file_type:dir_file_class_set getattr;
-allow appdomain dev_type:dir_file_class_set getattr;
-allow appdomain fs_type:dir_file_class_set getattr;
-
-# Tries to open /dev/alarm for writing but expects failure.
-dontaudit appdomain alarm_device:chr_file write;
-
-# For android.security.cts.VoldExploitTest.
-# Tries to create and use a netlink kobject uevent socket
-# to test for a vulnerable vold.
-dontaudit appdomain self:netlink_kobject_uevent_socket create;
-
-# Tries to override DAC restrictions but expects to fail.
-dontaudit shell self:capability dac_override;
-}
--- a/dbusd.te
+++ b/dbusd.te
@@ -4,6 +4,4 @@ permissive dbusd;
 type dbusd_exec, exec_type, file_type;

 init_daemon_domain(dbusd)
-# Reads /proc/pid/cmdline of clients
-r_dir_file(dbusd, system)
-r_dir_file(dbusd, bluetoothd)
+unconfined_domain(dbusd)
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -4,17 +4,4 @@ permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;

 init_daemon_domain(debuggerd)
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir r_dir_perms;
-allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
-security_access_policy(debuggerd)
-allow debuggerd system_data_file:dir create_dir_perms;
-allow debuggerd system_data_file:dir relabelfrom;
-allow debuggerd tombstone_data_file:dir relabelto;
-allow debuggerd tombstone_data_file:dir create_dir_perms;
-allow debuggerd tombstone_data_file:file create_file_perms;
-allow debuggerd domain:process { sigstop signal };
-allow debuggerd exec_type:file r_file_perms;
+unconfined_domain(debuggerd)
--- a/dhcp.te
+++ b/dhcp.te
@@ -6,29 +6,6 @@ type dhcp_system_file, file_type, data_file_type;

 init_daemon_domain(dhcp)
 net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-allow dhcp proc:file write;
-allow dhcp system_prop:property_service set ;
-allow dhcp dhcp_system_file:file rx_file_perms;
-allow dhcp dhcp_system_file:dir r_dir_perms;
-unix_socket_connect(dhcp, property, init)
+unconfined_domain(dhcp)

 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
-# netdev-bt-pan driver loading
-allow dhcp kernel:system module_request;
-
-allow dhcp tty_device:chr_file { rw_file_perms };
--- a/domain.te
+++ b/domain.te
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Read access to properties mapping.
-allow domain kernel:fd use;
-allow domain tmpfs:file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain tmpfs:dir r_dir_perms;
-
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
-# Intra-domain accesses.
-allow domain self:process ~{ execstack execheap };
-allow domain self:fd use;
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-allow domain system:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-allow domain adbd:unix_stream_socket connectto;
-allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr read write shutdown };
-
-# Talk to debuggerd.
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
-# Root fs.
-allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file read;
-allow domain devpts:dir search;
-allow domain device:file read;
-allow domain socket_device:dir search;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file r_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-allow domain binder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain powervr_device:chr_file rw_file_perms;
-allow domain log_device:dir search;
-allow domain log_device:chr_file rw_file_perms;
-allow domain nv_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file r_file_perms;
-allow domain random_device:chr_file r_file_perms;
-allow domain properties_device:file r_file_perms;
-
-# Filesystem accesses.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# System file accesses.
-allow domain system_file:dir r_dir_perms;
-allow domain system_file:file r_file_perms;
-allow domain system_file:file execute;
-allow domain system_file:lnk_file read;
-
-# Read files already opened under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file read;
-
-# Read apk files under /data/app.
-allow domain apk_data_file:dir search;
-allow domain apk_data_file:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow domain dalvikcache_data_file:dir { search getattr };
-allow domain dalvikcache_data_file:file r_file_perms;
-
-# Read already opened /cache files.
-allow domain cache_file:dir r_dir_perms;
-allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file read;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-#Allow access to ion memory allocation device
-allow domain ion_device:chr_file rw_file_perms;
-
-# For /sys/qemu_trace files in the emulator.
-bool in_qemu false;
-if (in_qemu) {
-allow domain sysfs:file rw_file_perms;
-}
-allow domain sysfs_writable:file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain, proc)
-r_dir_file(domain, sysfs)
-r_dir_file(domain, inotify)
-r_dir_file(domain, cgroup)
-
-# debugfs access
-bool debugfs false;
-if (debugfs) {
-allow domain debugfs:dir r_dir_perms;
-allow domain debugfs:file rw_file_perms;
-} else {
-dontaudit domain debugfs:dir r_dir_perms;
-dontaudit domain debugfs:file  rw_file_perms;
-}
-
-# security files
-allow domain security_file:dir { search getattr };
-allow domain security_file:file getattr;
--- a/drmserver.te
+++ b/drmserver.te
@@ -4,29 +4,4 @@ permissive drmserver;
 type drmserver_exec, exec_type, file_type;

 init_daemon_domain(drmserver)
-typeattribute drmserver mlstrustedsubject;
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-# Talk to the tee
-allow drmserver tee:unix_stream_socket { connectto };
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver apk_data_file:dir { write add_name remove_name };
-allow drmserver apk_data_file:sock_file { create setattr unlink };
-allow drmserver sdcard_type:file { read write getattr };
-allow drmserver efs_file:file { open read getattr };
+unconfined_domain(drmserver)
--- a/gpsd.te
+++ b/gpsd.te
@@ -5,13 +5,8 @@ type gpsd_exec, exec_type, file_type;

 init_daemon_domain(gpsd)
 net_domain(gpsd)
-allow gpsd gps_data_file:dir rw_dir_perms;
-allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
+unconfined_domain(gpsd)
 # Socket is created by the daemon, not by init, and under /data/gps,
 # not under /dev/socket.
 type_transition gpsd gps_data_file:sock_file gps_socket;
-allow gpsd gps_socket:sock_file create_file_perms;
-# XXX Label sysfs files with a specific type?
-allow gpsd sysfs:file rw_file_perms;

-allow gpsd gps_device:chr_file rw_file_perms;
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -3,8 +3,4 @@ permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;

 init_daemon_domain(hci_attach)
-
-allow hci_attach kernel:system module_request;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach bluetooth_efs_file:dir r_dir_perms;
-allow hci_attach bluetooth_efs_file:file r_file_perms;
+unconfined_domain(hci_attach)
--- a/init.te
+++ b/init.te
@@ -4,3 +4,5 @@ permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
+# add a rule to handle unlabelled mounts
+allow init unlabeled:filesystem mount;
--- a/init_shell.te
+++ b/init_shell.te
 # Restricted domain for shell processes spawned by init
-type init_shell, domain, mlstrustedsubject;
+type init_shell, domain;
+permissive init_shell;
 domain_auto_trans(init, shell_exec, init_shell)
-allow init_shell rootfs:dir r_dir_perms;
-allow init_shell devpts:chr_file rw_file_perms;
-allow init_shell tty_device:chr_file rw_file_perms;
-allow init_shell console_device:chr_file rw_file_perms;
-allow init_shell input_device:chr_file rw_file_perms;
-allow init_shell system_file:file x_file_perms;
-allow init_shell shell_exec:file rx_file_perms;
-allow init_shell zygote_exec:file rx_file_perms;
-
-# setprop toolbox command
-unix_socket_connect(init_shell, property, init)
+unconfined_domain(init_shell)
--- a/installd.te
+++ b/installd.te
@@ -4,24 +4,4 @@ permissive installd;
 type installd_exec, exec_type, file_type;

 init_daemon_domain(installd)
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd system_data_file:file create_file_perms;
-allow installd system_data_file:lnk_file create;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd data_file_type:dir create_dir_perms;
-allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file lnk_file } { getattr unlink };
-allow installd apk_data_file:file r_file_perms;
-allow installd apk_tmp_file:file r_file_perms;
-allow installd system_file:file x_file_perms;
-allow installd cgroup:dir create_dir_perms;
-dontaudit installd self:capability sys_admin;
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
-# ASEC
-allow installd platform_app_data_file:lnk_file { create setattr };
-allow installd app_data_file:lnk_file { create setattr };
-allow installd asec_apk_file:file r_file_perms;
+unconfined_domain(installd)
--- a/keystore.te
+++ b/keystore.te
@@ -4,9 +4,4 @@ type keystore_exec, exec_type, file_type;

 # keystore daemon
 init_daemon_domain(keystore)
-binder_use(keystore)
-binder_service(keystore)
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
+unconfined_domain(keystore)
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -3,52 +3,6 @@ type mediaserver, domain;
 permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;

-typeattribute mediaserver mlstrustedsubject;
-
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
-
-r_dir_file(mediaserver, sdcard_type)
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver kernel:system module_request;
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver platform_app_data_file:file { getattr read };
-allow mediaserver sdcard_type:file write;
-allow mediaserver camera_device:chr_file rw_file_perms;
-allow mediaserver graphics_device:chr_file rw_file_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver audio_device:chr_file rw_file_perms;
-allow mediaserver qemu_device:chr_file rw_file_perms;
-allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file rw_file_perms;
-
-# XXX Why?
-allow mediaserver apk_data_file:file { read getattr };
-
-# To use remote processor
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system:fifo_file r_file_perms;
-
-# Camera calibration
-allow mediaserver camera_calibration_file:dir r_dir_perms;
-allow mediaserver camera_calibration_file:file r_file_perms;
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
+unconfined_domain(mediaserver)
--- a/mtp.te
+++ b/mtp.te
@@ -5,12 +5,4 @@ type mtp_exec, exec_type, file_type;

 init_daemon_domain(mtp)
 net_domain(mtp)
-
-# pptp policy
-allow mtp self:tcp_socket { create setopt connect write read };
-allow mtp self:socket { create connect };
-allow mtp self:rawip_socket create;
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
-allow mtp vpn_data_file:dir search;
+unconfined_domain(mtp)
--- a/net.te
+++ b/net.te
@@ -2,17 +2,3 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
-
-# Use network sockets.
-allow netdomain self:{ tcp_socket udp_socket } *;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
-# Get route information.
-allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)