Create attribute for moving perms out of domain

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
diff --git a/adbd.te b/adbd.te
index a35d570..1344fdb 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,6 +1,6 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
+type adbd, domain, domain_deprecated, mlstrustedsubject;
 
 userdebug_or_eng(`
   allow adbd self:process setcurrent;
diff --git a/atrace.te b/atrace.te
index 61a5875..890a026 100644
--- a/atrace.te
+++ b/atrace.te
@@ -3,7 +3,7 @@
 
 userdebug_or_eng(`
 
-  type atrace, domain;
+  type atrace, domain, domain_deprecated;
   init_daemon_domain(atrace)
 
   # boottrace services uses /data/misc/boottrace/categories
diff --git a/attributes b/attributes
index e42edd6..56655c1 100644
--- a/attributes
+++ b/attributes
@@ -8,6 +8,16 @@
 # All types used for processes.
 attribute domain;
 
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
+
 # All types used for filesystems.
 attribute fs_type;
 
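Review bot: The new comment above `attribute domain_deprecated;` calls the attribute temporary but gives no removal condition or tracking reference, so a later reader of the `attributes` file cannot tell when it is safe to delete. The rule "do not assign to new domains" is also stated only as a goal, and nothing visible in this change enforces it. I would add a line such as `# TODO(b/25433265): delete once no type carries domain_deprecated; never add it to a new domain.` so the constraint is stated where new `type` declarations get reviewed.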
diff --git a/blkid.te b/blkid.te
index 15b6a85..23ce3a9 100644
--- a/blkid.te
+++ b/blkid.te
@@ -1,5 +1,5 @@
 # blkid called from vold
-type blkid, domain;
+type blkid, domain, domain_deprecated;
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
index df8e447..7e53de7 100644
--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
@@ -1,5 +1,5 @@
 # blkid for untrusted block devices
-type blkid_untrusted, domain;
+type blkid_untrusted, domain, domain_deprecated;
 
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
diff --git a/bluetooth.te b/bluetooth.te
index 4f240fb..c05de05 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,5 @@
 # bluetooth subsystem
-type bluetooth, domain;
+type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
 
diff --git a/bootanim.te b/bootanim.te
index dd1e57a..9e04c04 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -1,5 +1,5 @@
 # bootanimation oneshot service
-type bootanim, domain;
+type bootanim, domain, domain_deprecated;
 type bootanim_exec, exec_type, file_type;
 
 init_daemon_domain(bootanim)
diff --git a/clatd.te b/clatd.te
index 21c9ca9..3cda6a2 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,5 +1,5 @@
 # 464xlat daemon
-type clatd, domain;
+type clatd, domain, domain_deprecated;
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
diff --git a/debuggerd.te b/debuggerd.te
index 4f84813..0e3cf68 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,5 +1,5 @@
 # debugger interface
-type debuggerd, domain;
+type debuggerd, domain, domain_deprecated;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
diff --git a/dex2oat.te b/dex2oat.te
index 0eb3881..83a7c8a 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain;
+type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
 allow dex2oat dalvikcache_data_file:file write;
diff --git a/dhcp.te b/dhcp.te
index 078e512..548a37c 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,4 +1,4 @@
-type dhcp, domain;
+type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
diff --git a/dnsmasq.te b/dnsmasq.te
index d802a35..e5e4198 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -1,5 +1,5 @@
 # DNS, DHCP services
-type dnsmasq, domain;
+type dnsmasq, domain, domain_deprecated;
 type dnsmasq_exec, exec_type, file_type;
 
 net_domain(dnsmasq)
diff --git a/domain_deprecated.te b/domain_deprecated.te
new file mode 100644
index 0000000..1af20b8
--- /dev/null
+++ b/domain_deprecated.te
@@ -0,0 +1 @@
+# rules removed from the domain attribute
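Review bot: The one-line header of the new `domain_deprecated.te` does not state the invariant that keeps this migration safe: the file should only ever receive rules moved out of the domain attribute, never newly granted permissions. Without that, it can turn into a second catch-all that every listed domain inherits. I would extend the header with `# Only rules moved unchanged from the domain attribute belong here; do not add new permissions.` and `# Each rule should be deleted, or re-granted to the specific domains that need it, over time.`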
diff --git a/drmserver.te b/drmserver.te
index d76d3be..3b654cc 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,5 +1,5 @@
 # drmserver - DRM service
-type drmserver, domain;
+type drmserver, domain, domain_deprecated;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index 963f8cd..19eacfd 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -1,5 +1,5 @@
 # dumpstate
-type dumpstate, domain, mlstrustedsubject;
+type dumpstate, domain, domain_deprecated, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
 init_daemon_domain(dumpstate)
diff --git a/fingerprintd.te b/fingerprintd.te
index 4ceb68d..1c0ab1c 100644
--- a/fingerprintd.te
+++ b/fingerprintd.te
@@ -1,4 +1,4 @@
-type fingerprintd, domain;
+type fingerprintd, domain, domain_deprecated;
 type fingerprintd_exec, exec_type, file_type;
 
 # fingerprintd
diff --git a/fsck.te b/fsck.te
index 8c1aaf3..e90a49e 100644
--- a/fsck.te
+++ b/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain;
+type fsck, domain, domain_deprecated;
 type fsck_exec, exec_type, file_type;
 
 init_daemon_domain(fsck)
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 67c67b7..4f01db2 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
+type fsck_untrusted, domain, domain_deprecated;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/gatekeeperd.te b/gatekeeperd.te
index ca540c6..81d7fdf 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -1,4 +1,4 @@
-type gatekeeperd, domain;
+type gatekeeperd, domain, domain_deprecated;
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
diff --git a/gpsd.te b/gpsd.te
index 4b22223..07e0feb 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,5 +1,5 @@
 # gpsd - GPS daemon
-type gpsd, domain;
+type gpsd, domain, domain_deprecated;
 type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 3cb0953..543cae1 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,4 +1,4 @@
-type hci_attach, domain;
+type hci_attach, domain, domain_deprecated;
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
diff --git a/healthd.te b/healthd.te
index cd5429b..48be64d 100644
--- a/healthd.te
+++ b/healthd.te
@@ -1,6 +1,6 @@
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type healthd, domain;
+type healthd, domain, domain_deprecated;
 
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
diff --git a/hostapd.te b/hostapd.te
index 11145de..858c286 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -1,5 +1,5 @@
 # userspace wifi access points
-type hostapd, domain;
+type hostapd, domain, domain_deprecated;
 type hostapd_exec, exec_type, file_type;
 
 net_domain(hostapd)
diff --git a/idmap.te b/idmap.te
index 1ab497e..c1b4d0f 100644
--- a/idmap.te
+++ b/idmap.te
@@ -1,5 +1,5 @@
 # idmap, when executed by installd
-type idmap, domain;
+type idmap, domain, domain_deprecated;
 type idmap_exec, exec_type, file_type;
 
 # Use open file to /data/resource-cache file inherited from installd.
diff --git a/init.te b/init.te
index 1f33a97..e6c7825 100644
--- a/init.te
+++ b/init.te
@@ -1,5 +1,5 @@
 # init is its own domain.
-type init, domain, mlstrustedsubject;
+type init, domain, domain_deprecated, mlstrustedsubject;
 tmpfs_domain(init)
 
 # The init domain is entered by execing init.
diff --git a/inputflinger.te b/inputflinger.te
index 11a60a6..324f3f6 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -1,5 +1,5 @@
 # inputflinger
-type inputflinger, domain;
+type inputflinger, domain, domain_deprecated;
 type inputflinger_exec, exec_type, file_type;
 
 init_daemon_domain(inputflinger)
diff --git a/install_recovery.te b/install_recovery.te
index 9bef3bb..b11ff74 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -1,5 +1,5 @@
 # service flash_recovery in init.rc
-type install_recovery, domain;
+type install_recovery, domain, domain_deprecated;
 type install_recovery_exec, exec_type, file_type;
 
 init_daemon_domain(install_recovery)
diff --git a/installd.te b/installd.te
index 3b4d56a..a8cb8d4 100644
--- a/installd.te
+++ b/installd.te
@@ -1,5 +1,5 @@
 # installer daemon
-type installd, domain;
+type installd, domain, domain_deprecated;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
diff --git a/isolated_app.te b/isolated_app.te
index f405273..2cf5578 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -9,7 +9,7 @@
 ### additional following rules:
 ###
 
-type isolated_app, domain;
+type isolated_app, domain, domain_deprecated;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
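Review bot: Nothing on the `type isolated_app, domain, domain_deprecated;` line marks the assignment as transitional, and the same applies to the `untrusted_app.te` hunk. These look like the most exposed app sandboxes in the policy, so they are the domains where keeping the blanket attribute long-term is hardest to justify. A marker such as `# TODO: drop domain_deprecated once the permissions isolated_app needs are granted explicitly.` would make them easy to find when the cleanup starts. The rest of the file's rules are outside this hunk.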
diff --git a/kernel.te b/kernel.te
index 31da2af..ed6b7ba 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,5 +1,5 @@
 # Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
+type kernel, domain, domain_deprecated, mlstrustedsubject;
 
 allow kernel self:capability sys_nice;
 
diff --git a/keystore.te b/keystore.te
index 83a0e85..e2338db 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain;
+type keystore, domain, domain_deprecated;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/lmkd.te b/lmkd.te
index 3243ddb..0d641ca 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -1,5 +1,5 @@
 # lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
+type lmkd, domain, domain_deprecated, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
 init_daemon_domain(lmkd)
diff --git a/logd.te b/logd.te
index 56d0d2a..ab09bf5 100644
--- a/logd.te
+++ b/logd.te
@@ -1,5 +1,5 @@
 # android user-space log manager
-type logd, domain, mlstrustedsubject;
+type logd, domain, domain_deprecated, mlstrustedsubject;
 type logd_exec, exec_type, file_type;
 
 init_daemon_domain(logd)
diff --git a/mdnsd.te b/mdnsd.te
index e5fe1e2..43ef267 100644
--- a/mdnsd.te
+++ b/mdnsd.te
@@ -1,5 +1,5 @@
 # mdns daemon
-type mdnsd, domain, mlstrustedsubject;
+type mdnsd, domain, domain_deprecated, mlstrustedsubject;
 type mdnsd_exec, exec_type, file_type;
 
 init_daemon_domain(mdnsd)
diff --git a/mediaserver.te b/mediaserver.te
index 7c180cb..e1c9a54 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,5 @@
 # mediaserver - multimedia daemon
-type mediaserver, domain;
+type mediaserver, domain, domain_deprecated;
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
diff --git a/mtp.te b/mtp.te
index dd76674..9677abd 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,5 +1,5 @@
 # vpn tunneling protocol manager
-type mtp, domain;
+type mtp, domain, domain_deprecated;
 type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
diff --git a/netd.te b/netd.te
index 81d76c3..564e91e 100644
--- a/netd.te
+++ b/netd.te
@@ -1,5 +1,5 @@
 # network manager
-type netd, domain, mlstrustedsubject;
+type netd, domain, domain_deprecated, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
diff --git a/nfc.te b/nfc.te
index 71841be..85572e2 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,5 @@
 # nfc subsystem
-type nfc, domain;
+type nfc, domain, domain_deprecated;
 app_domain(nfc)
 net_domain(nfc)
 binder_service(nfc)
diff --git a/perfprofd.te b/perfprofd.te
index bce990d..f76d991 100644
--- a/perfprofd.te
+++ b/perfprofd.te
@@ -3,7 +3,7 @@
 
 userdebug_or_eng(`
 
-  type perfprofd, domain, mlstrustedsubject;
+  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
 
   init_daemon_domain(perfprofd)
 
diff --git a/platform_app.te b/platform_app.te
index 2afe4d8..117b16f 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -2,7 +2,7 @@
 ### Apps signed with the platform key.
 ###
 
-type platform_app, domain;
+type platform_app, domain, domain_deprecated;
 app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
diff --git a/ppp.te b/ppp.te
index c9b27af..58b640a 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,5 +1,5 @@
 # Point to Point Protocol daemon
-type ppp, domain;
+type ppp, domain, domain_deprecated;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/priv_app.te b/priv_app.te
index 279a933..a92b6eb 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -1,7 +1,7 @@
 ###
 ### A domain for further sandboxing privileged apps.
 ###
-type priv_app, domain;
+type priv_app, domain, domain_deprecated;
 app_domain(priv_app)
 # Access the network.
 net_domain(priv_app)
diff --git a/racoon.te b/racoon.te
index 6447a3d..1a2e546 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,5 +1,5 @@
 # IKE key management daemon
-type racoon, domain;
+type racoon, domain, domain_deprecated;
 type racoon_exec, exec_type, file_type;
 
 init_daemon_domain(racoon)
diff --git a/radio.te b/radio.te
index a01a113..448fdb5 100644
--- a/radio.te
+++ b/radio.te
@@ -1,5 +1,5 @@
 # phone subsystem
-type radio, domain, mlstrustedsubject;
+type radio, domain, domain_deprecated, mlstrustedsubject;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/recovery.te b/recovery.te
index d5f6c6b..b4eb285 100644
--- a/recovery.te
+++ b/recovery.te
@@ -2,7 +2,7 @@
 
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
-type recovery, domain;
+type recovery, domain, domain_deprecated;
 
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
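Review bot: The context comment `# Otherwise recovery is only allowed the domain rules.` no longer matches the declaration, because `recovery` now also carries `domain_deprecated`. Outside the recovery policy the type will therefore inherit whatever is later moved into that attribute. The comment should read `# Otherwise recovery is only allowed the domain and domain_deprecated rules.`, or the attribute should be left off here if the unconditional declaration exists only for neverallow references, as the comment above it suggests. The conditional block that follows is outside the hunk, so this should be confirmed against the full file.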
diff --git a/rild.te b/rild.te
index ea0e4ed..bcf31d6 100644
--- a/rild.te
+++ b/rild.te
@@ -1,5 +1,5 @@
 # rild - radio interface layer daemon
-type rild, domain;
+type rild, domain, domain_deprecated;
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
diff --git a/runas.te b/runas.te
index e51515d..4fa686a 100644
--- a/runas.te
+++ b/runas.te
@@ -1,4 +1,4 @@
-type runas, domain, mlstrustedsubject;
+type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
 # ndk-gdb invokes adb shell run-as.
diff --git a/sdcardd.te b/sdcardd.te
index a664820..056e9f8 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,4 +1,4 @@
-type sdcardd, domain;
+type sdcardd, domain, domain_deprecated;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
diff --git a/servicemanager.te b/servicemanager.te
index 9947aa7..84605d1 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,5 +1,5 @@
 # servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
+type servicemanager, domain, domain_deprecated, mlstrustedsubject;
 type servicemanager_exec, exec_type, file_type;
 
 init_daemon_domain(servicemanager)
diff --git a/sgdisk.te b/sgdisk.te
index 8a689a1..b8d6b3f 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -1,5 +1,5 @@
 # sgdisk called from vold
-type sgdisk, domain;
+type sgdisk, domain, domain_deprecated;
 type sgdisk_exec, exec_type, file_type;
 
 # Allowed to read/write low-level partition tables
diff --git a/shared_relro.te b/shared_relro.te
index 6a1dfd4..30af14a 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -1,5 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
+type shared_relro, domain, domain_deprecated;
 
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
diff --git a/shell.te b/shell.te
index 32ca20d..3d2bb5b 100644
--- a/shell.te
+++ b/shell.te
@@ -1,5 +1,5 @@
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
+type shell, domain, domain_deprecated, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 
 # Create and use network sockets.
diff --git a/slideshow.te b/slideshow.te
index 86d4bff..3165a65 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -1,6 +1,6 @@
 # slideshow seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type slideshow, domain;
+type slideshow, domain, domain_deprecated;
 
 allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
diff --git a/su.te b/su.te
index 6c4c115..38e3b0d 100644
--- a/su.te
+++ b/su.te
@@ -5,7 +5,7 @@
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, mlstrustedsubject;
+  type su, domain, domain_deprecated, mlstrustedsubject;
   domain_auto_trans(shell, su_exec, su)
 
   # Allow dumpstate to call su on userdebug / eng builds to collect
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 26a4e48..5d1199d 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,5 +1,5 @@
 # surfaceflinger - display compositor service
-type surfaceflinger, domain;
+type surfaceflinger, domain, domain_deprecated;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index 08e3f5c..de9146c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -3,7 +3,7 @@
 # com.android.settings.  These are not as privileged as the system
 # server.
 #
-type system_app, domain;
+type system_app, domain, domain_deprecated;
 app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
diff --git a/system_server.te b/system_server.te
index b176243..93849e4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -2,7 +2,7 @@
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
-type system_server, domain, mlstrustedsubject;
+type system_server, domain, domain_deprecated, mlstrustedsubject;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
diff --git a/tee.te b/tee.te
index 7cf6ecd..ab625de 100644
--- a/tee.te
+++ b/tee.te
@@ -1,7 +1,7 @@
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain;
+type tee, domain, domain_deprecated;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
diff --git a/toolbox.te b/toolbox.te
index 4341102..d2f969f 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -1,7 +1,7 @@
 # Any toolbox command run by init.
 # At present, the only known usage is for running mkswap via fs_mgr.
 # Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain;
+type toolbox, domain, domain_deprecated;
 type toolbox_exec, exec_type, file_type;
 
 init_daemon_domain(toolbox)
diff --git a/tzdatacheck.te b/tzdatacheck.te
index a95dc0d..f61cb47 100644
--- a/tzdatacheck.te
+++ b/tzdatacheck.te
@@ -1,5 +1,5 @@
 # The tzdatacheck command run by init.
-type tzdatacheck, domain;
+type tzdatacheck, domain, domain_deprecated;
 type tzdatacheck_exec, exec_type, file_type;
 
 init_daemon_domain(tzdatacheck)
diff --git a/ueventd.te b/ueventd.te
index f4884d7..04a18a3 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -1,6 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type ueventd, domain;
+type ueventd, domain, domain_deprecated;
 tmpfs_domain(ueventd)
 
 # TODO: why is ueventd using __kmsg__ when it should just create
diff --git a/uncrypt.te b/uncrypt.te
index 93f5a27..7608538 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -1,5 +1,5 @@
 # uncrypt
-type uncrypt, domain, mlstrustedsubject;
+type uncrypt, domain, domain_deprecated, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
 init_daemon_domain(uncrypt)
diff --git a/untrusted_app.te b/untrusted_app.te
index 0ac3cc9..0e71546 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -20,7 +20,7 @@
 ### additional following rules:
 ###
 
-type untrusted_app, domain;
+type untrusted_app, domain, domain_deprecated;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
diff --git a/update_engine.te b/update_engine.te
index 88b0b72..839d6b7 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -1,5 +1,5 @@
 # Domain for update_engine daemon.
-type update_engine, domain;
+type update_engine, domain, domain_deprecated;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
diff --git a/vdc.te b/vdc.te
index 8b6a93a..5478965 100644
--- a/vdc.te
+++ b/vdc.te
@@ -5,7 +5,7 @@
 # We also transition into this domain from dumpstate, when
 # collecting bug reports.
 
-type vdc, domain;
+type vdc, domain, domain_deprecated;
 type vdc_exec, exec_type, file_type;
 
 init_daemon_domain(vdc)
diff --git a/vold.te b/vold.te
index 5ecb503..c8952af 100644
--- a/vold.te
+++ b/vold.te
@@ -1,5 +1,5 @@
 # volume manager
-type vold, domain;
+type vold, domain, domain_deprecated;
 type vold_exec, exec_type, file_type;
 
 init_daemon_domain(vold)
diff --git a/watchdogd.te b/watchdogd.te
index 00292a9..4077386 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,4 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
+type watchdogd, domain, domain_deprecated;
 allow watchdogd watchdog_device:chr_file rw_file_perms;
 allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/wpa.te b/wpa.te
index d6fae63..a562fb7 100644
--- a/wpa.te
+++ b/wpa.te
@@ -1,5 +1,5 @@
 # wpa - wpa supplicant or equivalent
-type wpa, domain;
+type wpa, domain, domain_deprecated;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)
diff --git a/zygote.te b/zygote.te
index 139df85..d7a8a99 100644
--- a/zygote.te
+++ b/zygote.te
@@ -1,5 +1,5 @@
 # zygote
-type zygote, domain;
+type zygote, domain, domain_deprecated;
 type zygote_exec, exec_type, file_type;
 
 init_daemon_domain(zygote)