From 84d88314e0cc7248589904973422dda9e1dbcce4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 21 Oct 2013 13:32:31 -0700
Subject: [PATCH] Clarify the expectations for the unconfined template.

In https://android-review.googlesource.com/66562 , there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.

Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f
---
 te_macros     |  4 +++-
 unconfined.te | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/te_macros b/te_macros
index 9f885bf4f..c7c93aad8 100644
--- a/te_macros
+++ b/te_macros
@@ -72,7 +72,9 @@ allow $1 $2:{ file lnk_file } r_file_perms;
 
 #####################################
 # unconfined_domain(domain)
-# Allow the specified domain to do anything.
+# Allow the specified domain to perform more privileged operations
+# than would be typically allowed. Please see the comments at the
+# top of unconfined.te.
 #
 define(`unconfined_domain', `
 typeattribute $1 mlstrustedsubject;
diff --git a/unconfined.te b/unconfined.te
index 9b1b992e5..80f88b7bc 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,3 +1,21 @@
+#######################################################
+#
+# This is the unconfined template. This template is the base policy
+# which is used by daemons and other privileged components of
+# Android.
+#
+# Historically, this template was called "unconfined" because it
+# allowed the domain to do anything it wanted. Over time,
+# this has changed, and will continue to change in the future.
+# The rules in this file will be removed when no remaining
+# unconfined domains require it, or when the rules contradict
+# Android security best practices. Domains which need rules not
+# provided by the unconfined template should add them directly to
+# the relevant policy.
+#
+# The use of this template is discouraged.
+######################################################
+
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;
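Review bot: The new header never names the mechanism by which a domain picks up these rules, so the cross-reference the same commit adds in te_macros ("see the comments at the top of unconfined.te") is one-way and a reader landing here cannot tell how a domain becomes unconfined or what it gains. The visible rules grant every capability (`self:capability_class_set *`), `kernel:system *` and all of `kernel:security` except load_policy, which is the exposure a reviewer of a new `unconfined_domain()` user needs to see stated up front. I would add before "The use of this template is discouraged." two lines: `# Domains opt in through the unconfined_domain() macro in te_macros;` and `# adding a domain there grants it every rule in this file, so each new user should be reviewed against the rules below.` Whether the macro assigns the `unconfineddomain` attribute is outside this hunk (only `typeattribute $1 mlstrustedsubject;` is visible in te_macros), so that wording should be checked against the rest of the macro; the rule list continues past the end of the hunk.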
-- 
GitLab