Move domain_deprecated into private policy
This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it into private policy and verify
in the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
diff --git a/private/attributes b/private/attributes
new file mode 100644
index 0000000..fcbfecf
--- /dev/null
+++ b/private/attributes
@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
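Review bot: The comment above `attribute domain_deprecated;` is carried over unchanged from public/attributes and does not say why the declaration now lives in private policy. The commit message gives the reason (attributes are not versioned, so partner policy must not use it), and that reason belongs next to the declaration, for example `# Private on purpose: attributes are not versioned, so vendor policy must not reference this attribute.` Without it, a later change could move the attribute back to public policy without noticing the constraint.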
diff --git a/private/clatd.te b/private/clatd.te
index 5ba0fc5..c09398d 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -1 +1,2 @@
typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index fd45484..89c3970 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1 +1,2 @@
typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;
diff --git a/private/dhcp.te b/private/dhcp.te
index b2f8ac7..6a6a139 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,5 @@
typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/public/domain_deprecated.te b/private/domain_deprecated.te
similarity index 98%
rename from public/domain_deprecated.te
rename to private/domain_deprecated.te
index 7a26bec..aefb724 100644
--- a/public/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -79,7 +79,6 @@
-fingerprintd
-installd
-keystore
- -rild
-surfaceflinger
-system_server
-update_engine
@@ -193,7 +192,6 @@
domain_deprecated
-fsck
-fsck_untrusted
- -rild
-sdcardd
-system_server
-update_engine
@@ -203,7 +201,6 @@
domain_deprecated
-fsck
-fsck_untrusted
- -rild
-system_server
-vold
} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
@@ -213,7 +210,6 @@
-fingerprintd
-healthd
-netd
- -rild
-system_app
-surfaceflinger
-system_server
@@ -227,7 +223,6 @@
-fingerprintd
-healthd
-netd
- -rild
-system_app
-surfaceflinger
-system_server
@@ -241,7 +236,6 @@
-fingerprintd
-healthd
-netd
- -rild
-system_app
-surfaceflinger
-system_server
@@ -259,7 +253,6 @@
-installd
-keystore
-netd
- -rild
-surfaceflinger
-system_server
-zygote
@@ -274,7 +267,6 @@
-installd
-keystore
-netd
- -rild
-surfaceflinger
-system_server
-zygote
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f8152..0fe2adf 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,4 +1,5 @@
typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
init_daemon_domain(dumpstate)
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index eb73ef8..0c1dfaa 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,4 @@
typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329..e846797 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,4 @@
typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 9a57bf0..2a1a39f 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1 +1,2 @@
typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;
diff --git a/private/installd.te b/private/installd.te
index f74843d..d726e7d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,4 +1,5 @@
typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
init_daemon_domain(installd)
diff --git a/private/keystore.te b/private/keystore.te
index a9647c6..1e56338 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,4 +1,5 @@
typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
init_daemon_domain(keystore)
diff --git a/private/mtp.te b/private/mtp.te
index 732e111..3cfda0b 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,4 @@
typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index f501f25..3a824af 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
init_daemon_domain(netd)
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 9c249fd..a655f1d 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,4 +1,5 @@
userdebug_or_eng(`
typeattribute perfprofd coredomain;
+ typeattribute perfprofd domain_deprecated;
init_daemon_domain(perfprofd)
')
diff --git a/private/ppp.te b/private/ppp.te
index 968b221..9b301f4 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,4 @@
typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/radio.te b/private/radio.te
index b4f5390..83b5b41 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1,5 @@
typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
app_domain(radio)
diff --git a/private/recovery.te b/private/recovery.te
index 2a7fdc7..b7b2847 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1 +1,2 @@
typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;
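Review bot: The added `typeattribute recovery domain_deprecated;` is unconditional, so recovery carries the domain_deprecated rules in the normal policy as well, while the comment visible in the public/recovery.te hunk still reads "Otherwise recovery is only allowed the domain rules." That comment was already imprecise before this commit, but with the type declaration and the attribute assignment now in different files the mismatch is harder to spot. Suggest updating it to `# Otherwise recovery is only allowed the domain and (private) domain_deprecated rules.`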
diff --git a/private/runas.te b/private/runas.te
index ef31aac..73a91ff 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,5 @@
typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 126d643..ac6bb4e 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,4 @@
typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f7206..8d06294 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,4 +1,5 @@
typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
diff --git a/private/ueventd.te b/private/ueventd.te
index 1bd6773..0df587f 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,4 @@
typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e4e9224..fde686b 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,4 @@
typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db6..f460272 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,4 @@
typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
init_daemon_domain(update_engine);
diff --git a/private/vold.te b/private/vold.te
index a6d1001..f2416f8 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,4 +1,5 @@
typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
init_daemon_domain(vold)
diff --git a/public/attributes b/public/attributes
index c449a08..c1c1c0b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -10,16 +10,6 @@
# All types used for processes.
attribute domain;
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
-
# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
diff --git a/public/clatd.te b/public/clatd.te
index 8632087..212b76e 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -1,5 +1,5 @@
# 464xlat daemon
-type clatd, domain, domain_deprecated;
+type clatd, domain;
type clatd_exec, exec_type, file_type;
net_domain(clatd)
diff --git a/public/dex2oat.te b/public/dex2oat.te
index cc8111f..47f3bcb 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -1,5 +1,5 @@
# dex2oat
-type dex2oat, domain, domain_deprecated;
+type dex2oat, domain;
type dex2oat_exec, exec_type, file_type;
r_dir_file(dex2oat, apk_data_file)
diff --git a/public/dhcp.te b/public/dhcp.te
index 22351ed..2b54b7f 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,4 +1,4 @@
-type dhcp, domain, domain_deprecated;
+type dhcp, domain;
type dhcp_exec, exec_type, file_type;
net_domain(dhcp)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 503f359..4f66ffb 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -1,5 +1,5 @@
# dumpstate
-type dumpstate, domain, domain_deprecated, mlstrustedsubject;
+type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;
net_domain(dumpstate)
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 57cde1d..5dd18a3 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,4 +1,4 @@
-type fingerprintd, domain, domain_deprecated;
+type fingerprintd, domain;
type fingerprintd_exec, exec_type, file_type;
binder_use(fingerprintd)
diff --git a/public/fsck.te b/public/fsck.te
index 8f3b17a..b682a87 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -1,5 +1,5 @@
# Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
type fsck_exec, exec_type, file_type;
# /dev/__null__ created by init prior to policy load,
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index a9dd805..e2aceb8 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -1,5 +1,5 @@
# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/public/installd.te b/public/installd.te
index 359356a..939a481 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -1,5 +1,5 @@
# installer daemon
-type installd, domain, domain_deprecated;
+type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
diff --git a/public/keystore.te b/public/keystore.te
index 2c31185..ee5e675 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain, domain_deprecated;
+type keystore, domain;
type keystore_exec, exec_type, file_type;
# keystore daemon
diff --git a/public/mtp.te b/public/mtp.te
index 0ca7cea..a776240 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,5 +1,5 @@
# vpn tunneling protocol manager
-type mtp, domain, domain_deprecated;
+type mtp, domain;
type mtp_exec, exec_type, file_type;
net_domain(mtp)
diff --git a/public/netd.te b/public/netd.te
index 1694aec..691887f 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -1,5 +1,5 @@
# network manager
-type netd, domain, domain_deprecated, mlstrustedsubject;
+type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;
net_domain(netd)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f0df6a0..bfb8693 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -4,7 +4,6 @@
userdebug_or_eng(`
- typeattribute perfprofd domain_deprecated;
typeattribute perfprofd coredomain;
typeattribute perfprofd mlstrustedsubject;
diff --git a/public/ppp.te b/public/ppp.te
index 918ef5e..04e17f5 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,5 +1,5 @@
# Point to Point Protocol daemon
-type ppp, domain, domain_deprecated;
+type ppp, domain;
type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;
diff --git a/public/radio.te b/public/radio.te
index f5604fd..87329d9 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,5 +1,5 @@
# phone subsystem
-type radio, domain, domain_deprecated, mlstrustedsubject;
+type radio, domain, mlstrustedsubject;
net_domain(radio)
bluetooth_domain(radio)
diff --git a/public/recovery.te b/public/recovery.te
index f0ac97d..f55dc8a 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -2,7 +2,7 @@
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
-type recovery, domain, domain_deprecated;
+type recovery, domain;
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
diff --git a/public/rild.te b/public/rild.te
index e4b0186..14420df 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -1,5 +1,5 @@
# rild - radio interface layer daemon
-type rild, domain, domain_deprecated;
+type rild, domain;
hal_server_domain(rild, hal_telephony)
net_domain(rild)
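Review bot: rild loses every permission it received through domain_deprecated here and no explicit allow rule is added in its place; the same holds for tee in the vendor/tee.te hunk. The commit message records verification on Marlin only, so a RIL or TEE daemon on another device that still relied on one of those permissions would presumably surface as new denials after this change. Consider a comment in both files such as `# domain_deprecated is private: grant anything rild needs explicitly in this file.` so that a later denial is fixed with a narrow allow rule rather than by re-adding the attribute.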
diff --git a/public/runas.te b/public/runas.te
index 046165d..cda02ef 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,4 +1,4 @@
-type runas, domain, domain_deprecated, mlstrustedsubject;
+type runas, domain, mlstrustedsubject;
type runas_exec, exec_type, file_type;
allow runas adbd:process sigchld;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 3cb69be..47a2f80 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,4 +1,4 @@
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
type sdcardd_exec, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 9794b0b..91cf44d 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,5 +1,5 @@
# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
+type shared_relro, domain;
# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 8ec667e..4c77e11 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -1,6 +1,6 @@
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
+type ueventd, domain;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index ef1289c..7ae7d39 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,5 +1,5 @@
# uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
+type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
allow uncrypt self:capability dac_override;
diff --git a/public/update_engine.te b/public/update_engine.te
index 69ee7c8..b8f0035 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,5 +1,5 @@
# Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated, update_engine_common;
+type update_engine, domain, update_engine_common;
type update_engine_exec, exec_type, file_type;
net_domain(update_engine);
diff --git a/public/vold.te b/public/vold.te
index 20181d1..81ee28c 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -1,5 +1,5 @@
# volume manager
-type vold, domain, domain_deprecated;
+type vold, domain;
type vold_exec, exec_type, file_type;
# Read already opened /cache files.
diff --git a/vendor/tee.te b/vendor/tee.te
index f7c2cb5..348d715 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -1,8 +1,6 @@
##
# trusted execution environment (tee) daemon
#
-typeattribute tee domain_deprecated;
-
type tee_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(tee)