Restore app_domain macro and move to private use.
app_domain was split up in commit 2e00e6373faa6271d7839d33c5b9e69d998ff020 to
enable compilation by hiding type_transition rules from public policy. These
rules must be hidden from public policy because they describe how objects are
labeled, which non-platform policy should not depend on. Instead of cutting apart
the app_domain macro, which non-platform policy may rely on for implementing new
app types, restore the macro and move all app_domain calls to private policy.
(cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6)
Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
diff --git a/private/bluetooth.te b/private/bluetooth.te
index e8c0e76..40ce8c1 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -3,7 +3,4 @@
# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-# app_domain macro fallout
-tmpfs_domain(bluetooth)
-# Map with PROT_EXEC.
-allow bluetooth bluetooth_tmpfs:file execute;
+app_domain(bluetooth)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0a9901a..a277752 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(isolated_app)
-# Map with PROT_EXEC.
-allow isolated_app isolated_app_tmpfs:file execute;
+app_domain(isolated_app)
# Read system properties managed by webview_zygote.
allow isolated_app webview_zygote_tmpfs:file read;
diff --git a/private/nfc.te b/private/nfc.te
index 33b5477..52b0d20 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,4 +1 @@
-# app_domain_fallout
-tmpfs_domain(nfc)
-# Map with PROT_EXEC.
-allow nfc nfc_tmpfs:file execute;
+app_domain(nfc)
\ No newline at end of file
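Review bot: The rewritten private/nfc.te ends without a trailing newline (`\ No newline at end of file`), and the private/platform_app.te and private/radio.te hunks below have the same issue. Each of these files is now a single `app_domain(...)` line; terminating it with a newline avoids a noisy diff the next time a rule is appended and matches the other private/*.te files in this change, which do end with a newline.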
diff --git a/private/platform_app.te b/private/platform_app.te
index e478039..93cdc75 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(platform_app)
-# Map with PROT_EXEC.
-allow platform_app platform_app_tmpfs:file execute;
+app_domain(platform_app)
\ No newline at end of file
diff --git a/private/priv_app.te b/private/priv_app.te
index 9a535d9..4e7e330 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(priv_app)
-# Map with PROT_EXEC.
-allow priv_app priv_app_tmpfs:file execute;
+app_domain(priv_app)
# Allow the allocation and use of ptys
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
diff --git a/private/radio.te b/private/radio.te
index 7218b23..dede5d7 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(radio)
-# Map with PROT_EXEC.
-allow radio radio_tmpfs:file execute;
+app_domain(radio)
\ No newline at end of file
diff --git a/private/shared_relro.te b/private/shared_relro.te
index c3c43ab..b1ba0ff 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,4 +1,3 @@
-# app_domain fallout
-tmpfs_domain(shared_relro)
-# Map with PROT_EXEC.
-allow shared_relro shared_relro_tmpfs:file execute;
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
index 802ffc0..333265f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -4,7 +4,6 @@
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
-# app_domain fallout
-tmpfs_domain(shell)
-# Map with PROT_EXEC.
-allow shell shell_tmpfs:file execute;
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
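Review bot: The `# XXX Transition into its own domain?` comment is carried into private/shell.te verbatim, so the open question about app_process launched from the shell domain remains untracked after the move. Since this file is now the only place the question lives, I would turn it into a tracked item with a bug reference, e.g. `# TODO(<bug>): app_process started from shell currently runs in the shell domain; decide whether it should transition to its own domain.` The unchanged context line `allow shell atrace_exec:file rx_file_perms;` above is unaffected.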
diff --git a/private/su.te b/private/su.te
index 3dda00f..b594ebe 100644
--- a/private/su.te
+++ b/private/su.te
@@ -11,8 +11,5 @@
# su is also permissive to permit setenforce.
permissive su;
- # app_domain fallout
- tmpfs_domain(su)
- # Map with PROT_EXEC.
- allow su su_tmpfs:file execute;
+ app_domain(su)
')
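Review bot: `app_domain(su)` is expanded inside a block whose opening lies outside this hunk (it closes at the `')` on the last line), immediately after `permissive su;`. Because su is permissive, the `allow su su_tmpfs:file execute` rule the macro adds is never enforced; the expansion matters only for the su_tmpfs type and the labeling transition that tmpfs_domain presumably declares. A one-line comment would spare the next reader from wondering why allow rules are being granted to a permissive domain: `# app_domain() is needed here for the su_tmpfs type/labeling, not for its allow rules (su is permissive).`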
diff --git a/private/system_app.te b/private/system_app.te
index 4319c97..f6b0305 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(system_app)
-# Map with PROT_EXEC.
-allow system_app system_app_tmpfs:file execute;
+app_domain(system_app)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c9ed000..b142ebf 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(untrusted_app)
-# Map with PROT_EXEC.
-allow untrusted_app untrusted_app_tmpfs:file execute;
+app_domain(untrusted_app)
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 738d9c2..75a11f4 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,6 +1,6 @@
# bluetooth subsystem
type bluetooth, domain, domain_deprecated;
-app_domain(bluetooth)
+
net_domain(bluetooth)
# Allow access to net_admin ioctls
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 0fe2e61..f2216ee 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -10,7 +10,6 @@
###
type isolated_app, domain;
-app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { append read write getattr lock };
diff --git a/public/nfc.te b/public/nfc.te
index 3d40867..f887c28 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,6 +1,6 @@
# nfc subsystem
type nfc, domain, domain_deprecated;
-app_domain(nfc)
+
net_domain(nfc)
binder_service(nfc)
diff --git a/public/platform_app.te b/public/platform_app.te
index 8a988e5..6484319 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,7 +3,7 @@
###
type platform_app, domain, domain_deprecated;
-app_domain(platform_app)
+
# Access the network.
net_domain(platform_app)
# Access bluetooth.
diff --git a/public/priv_app.te b/public/priv_app.te
index 9ee347f..94d6717 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -2,7 +2,7 @@
### A domain for further sandboxing privileged apps.
###
type priv_app, domain, domain_deprecated;
-app_domain(priv_app)
+
# Access the network.
net_domain(priv_app)
# Access bluetooth.
diff --git a/public/radio.te b/public/radio.te
index b2a878e..07444af 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,6 +1,6 @@
# phone subsystem
type radio, domain, domain_deprecated, mlstrustedsubject;
-app_domain(radio)
+
net_domain(radio)
bluetooth_domain(radio)
binder_service(radio)
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 30af14a..9794b0b 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,10 +1,6 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain, domain_deprecated;
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms;
diff --git a/public/shell.te b/public/shell.te
index a39b39f..38a890c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -5,10 +5,6 @@
# Create and use network sockets.
net_domain(shell)
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
# logcat
read_logd(shell)
control_logd(shell)
diff --git a/public/su.te b/public/su.te
index 0f81325..38d7f5c 100644
--- a/public/su.te
+++ b/public/su.te
@@ -9,7 +9,6 @@
# Add su to various domains
net_domain(su)
- app_domain(su)
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
diff --git a/public/system_app.te b/public/system_app.te
index 6be6731..9eddf65 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -4,7 +4,7 @@
# server.
#
type system_app, domain, domain_deprecated;
-app_domain(system_app)
+
net_domain(system_app)
binder_service(system_app)
diff --git a/public/te_macros b/public/te_macros
index 0a20d92..6a1a5ff 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -95,6 +95,10 @@
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
')
#####################################
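Review bot: The restored app_domain macro now expands `tmpfs_domain($1)`, which per the commit message is what emits the type_transition that had to be hidden from public policy, yet the macro itself remains in public/te_macros where the message says non-platform policy may rely on it. If non-platform policy ever expands it, the labeling rule comes straight back into public policy, so the constraint should at least be stated at the macro: above the `tmpfs_domain($1)` line I would add `# Invoke only from private policy: tmpfs_domain() emits a type_transition for $1_tmpfs, and labeling rules must not leak into public/non-platform policy.` The `allow $1 $1_tmpfs:file execute` line also deserves a why-comment, because it grants executable ashmem/tmpfs mappings to every app domain (presumably for runtime code generation, which I cannot confirm from here): `# Executable ashmem/tmpfs mappings for all app domains; keep in mind when auditing W^X.`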
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index ac86330..48662f3 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -21,7 +21,7 @@
###
type untrusted_app, domain;
-app_domain(untrusted_app)
+
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)