Move domain_deprecated into private policy

This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b (cherry picked from commit 76aab82c)

Move domain_deprecated into private policy
7c34e83f · Jeff Vander Stoep · 83f8cde4 · 7c34e83f · 7c34e83f · 7c34e83f
Commit 7c34e83f authored 7 years ago by Jeff Vander Stoep
--- a/public/runas.te
+++ b/public/runas.te
-type runas, domain, domain_deprecated, mlstrustedsubject;
+type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;

 allow runas adbd:fd use;

--- a/public/sdcardd.te
+++ b/public/sdcardd.te
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;

 allow sdcardd cgroup:dir create_dir_perms;

--- a/public/shared_relro.te
+++ b/public/shared_relro.te
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
+type shared_relro, domain;

 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;

--- a/public/tee.te
+++ b/public/tee.te
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain, domain_deprecated;
+type tee, domain;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;

--- a/public/ueventd.te
+++ b/public/ueventd.te
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
+type ueventd, domain;

 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;

--- a/public/uncrypt.te
+++ b/public/uncrypt.te
 # uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
+type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;

 allow uncrypt self:capability dac_override;

--- a/public/update_engine.te
+++ b/public/update_engine.te
 # Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated, update_engine_common;
+type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;


--- a/public/vold.te
+++ b/public/vold.te
 # volume manager
-type vold, domain, domain_deprecated;
+type vold, domain;
 type vold_exec, exec_type, file_type;

 # Read already opened /cache files.