Merge "Delete unconfined domain"

e4da594d · Nick Kralevich · Gerrit Code Review · 07e73489 · f435a8e5 · e4da594d
Commit e4da594d authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -2,22 +2,6 @@ LOCAL_PATH:= $(call my-dir)

 include $(CLEAR_VARS)

-# Force permissive domains to be unconfined+enforcing?
-#
-# During development, this should be set to false.
-# Permissive means permissive.
-#
-# When we're close to a release and SELinux new policy development
-# is frozen, we should flip this to true. This forces any currently
-# permissive domains into unconfined+enforcing.
-#
-FORCE_PERMISSIVE_TO_UNCONFINED ?= false
-
-ifeq ($(TARGET_BUILD_VARIANT),user)
-  # User builds are always forced unconfined+enforcing
-  FORCE_PERMISSIVE_TO_UNCONFINED := true
-endif
-
 # SELinux policy version.
 # Must be <= /selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
@@ -114,7 +98,6 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

@@ -142,7 +125,6 @@ $(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
 		-D target_recovery=true \
 		-s $^ > $@

@@ -171,7 +153,6 @@ $(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
 	mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=user \
-		-D force_permissive_to_unconfined=true \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit


--- a/attributes
+++ b/attributes
@@ -56,9 +56,6 @@ attribute mlstrustedsubject;
 # i.e. files that can be read by lower and written by higher
 attribute mlstrustedobject;

-# Domains that are allowed all permissions ("unconfined").
-attribute unconfineddomain;
-
 # All domains used for apps.
 attribute appdomain;


--- a/te_macros
+++ b/te_macros
@@ -70,17 +70,6 @@ allow $1 $2:dir r_dir_perms;
 allow $1 $2:{ file lnk_file } r_file_perms;
 ')

-#####################################
-# unconfined_domain(domain)
-# Allow the specified domain to perform more privileged operations
-# than would be typically allowed. Please see the comments at the
-# top of unconfined.te.
-#
-define(`unconfined_domain', `
-typeattribute $1 mlstrustedsubject;
-typeattribute $1 unconfineddomain;
-')
-
 #####################################
 # tmpfs_domain(domain)
 # Define and allow access to a unique type for
@@ -307,17 +296,6 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))

-#####################################
-# permissive_or_unconfined
-# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
-# and "unconfined($1)" otherwise.
-#
-# This is used for experimental domains, where we want to ensure
-# the domain is unconfined+enforcing once new SELinux policy development
-# has ceased.
-#
-define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
-
 #####################################
 # write_logd(domain)
 # Ability to write to android log

--- a/unconfined.te
+++ b/unconfined.te
-#######################################################
-#
-# This is the unconfined template. This template is the base policy
-# which is used by daemons and other privileged components of
-# Android.
-#
-# Historically, this template was called "unconfined" because it
-# allowed the domain to do anything it wanted. Over time,
-# this has changed, and will continue to change in the future.
-# The rules in this file will be removed when no remaining
-# unconfined domains require it, or when the rules contradict
-# Android security best practices. Domains which need rules not
-# provided by the unconfined template should add them directly to
-# the relevant policy.
-#
-# The use of this template is discouraged.
-######################################################
-
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
-allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
-allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:fd *;
-allow unconfineddomain domain:dir r_dir_perms;
-allow unconfineddomain domain:lnk_file r_file_perms;
-allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
-allow unconfineddomain domain:{
-    socket
-    netlink_socket
-    key_socket
-    unix_stream_socket
-    unix_dgram_socket
-    netlink_route_socket
-    netlink_firewall_socket
-    netlink_tcpdiag_socket
-    netlink_nflog_socket
-    netlink_xfrm_socket
-    netlink_selinux_socket
-    netlink_audit_socket
-    netlink_ip6fw_socket
-    netlink_dnrt_socket
-    netlink_kobject_uevent_socket
-    tun_socket
-} *;
-allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain {
-    file_type
-    -keystore_data_file
-    -property_data_file
-    -system_file
-    -exec_type
-    -security_file
-    -shell_data_file
-    -app_data_file
-    -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute };
-allow unconfineddomain exec_type:lnk_file r_file_perms;
-allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute };
-allow unconfineddomain system_file:lnk_file r_file_perms;
-allow unconfineddomain {
-    fs_type
-    -usermodehelper
-    -proc_security
-    -contextmount_type
-    -rootfs
-    -sdcard_type
-    -device
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {
-    file_type
-    -keystore_data_file
-    -property_data_file
-    -system_file
-    -exec_type
-    -security_file
-    -shell_data_file
-    -app_data_file
-    -unlabeled
-    -dalvikcache_data_file
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain rootfs:file execute;
-allow unconfineddomain contextmount_type:dir r_dir_perms;
-allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
-allow unconfineddomain node_type:node *;
-allow unconfineddomain netif_type:netif *;
-allow unconfineddomain domain:peer recv;
-allow unconfineddomain { domain -init }:binder { call transfer };