Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
appdomain only, and
* temporarily exempts the domains that currently violate this rule from
the restriction. These domains are grouped using the new
"binder_in_vendor_violators" attribute. The attribute is needed
because the types corresponding to the violators are not exposed to the
public policy, which is where the neverallow rules live.
Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
sound, record slow motion video with sound. Confirm videos play
back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
diff --git a/Android.mk b/Android.mk
index e288356..976d61b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -158,6 +158,7 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
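Review bot: `-D target_full_treble=$(PRODUCT_FULL_TREBLE)` passes an empty definition whenever PRODUCT_FULL_TREBLE is not set in the product config, so the m4 side must treat the empty string as "not full Treble" rather than matching only `true`; the macro that consumes `target_full_treble` is not in this diff, so that cannot be confirmed here. The same line is added verbatim to the three other m4 recipes in this file (the hunks at -188, -243 and -342), so any future change to the definition list has to be repeated four times; collecting the shared `-D` definitions into one make variable referenced by all four recipes would remove that duplication. Since the Binder neverallow rules described in the commit message are presumably compiled out on builds where this value is not `true`, a short comment next to this definition saying that the restriction is only enforced on full-Treble builds would make that visible to whoever maintains the product configs.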
@@ -188,6 +189,7 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -243,6 +245,7 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -342,6 +345,7 @@
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+ -D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
diff --git a/private/adbd.te b/private/adbd.te
index 1865b2a..9b84603 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -1,5 +1,6 @@
### ADB daemon
+typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
domain_auto_trans(adbd, shell_exec, shell)
diff --git a/private/atrace.te b/private/atrace.te
index 9c4f342..94d8483 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -3,7 +3,7 @@
type atrace_exec, exec_type, file_type;
userdebug_or_eng(`
- type atrace, domain, domain_deprecated;
+ type atrace, domain, coredomain, domain_deprecated;
init_daemon_domain(atrace)
diff --git a/private/audioserver.te b/private/audioserver.te
index 95a7521..a6253f2 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -1,5 +1,7 @@
# audioserver - audio services daemon
+typeattribute audioserver coredomain;
+
type audioserver_exec, exec_type, file_type;
init_daemon_domain(audioserver)
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000..4a1218e
--- /dev/null
+++ b/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
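Review bot: The new file carries no comment, so a reader sees an unconditional grant of `binder_device:chr_file rw_file_perms` to `binder_in_vendor_violators` without any indication that the attribute is a temporary exemption whose members are expected to shrink to zero; that intent is currently recorded only in the commit message. Add a header above the allow rule such as `# Temporary exemption: domains that still use Binder from vendor policy. Remove a domain from this attribute as soon as it no longer needs Binder (bug 35870313).` The attribute declaration and the neverallow rules that exclude it are not in this chunk, so I could not check that the exemption is applied consistently to every Binder-related neverallow.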
diff --git a/private/blkid.te b/private/blkid.te
index 9c4cfcc..090912b 100644
--- a/private/blkid.te
+++ b/private/blkid.te
@@ -1,5 +1,7 @@
# blkid called from vold
+typeattribute blkid coredomain;
+
type blkid_exec, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
diff --git a/private/blkid_untrusted.te b/private/blkid_untrusted.te
index ae18e68..1256771 100644
--- a/private/blkid_untrusted.te
+++ b/private/blkid_untrusted.te
@@ -1,5 +1,7 @@
# blkid for untrusted block devices
+typeattribute blkid_untrusted coredomain;
+
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 9c7182e..628f971 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,5 +1,6 @@
# bluetooth subsystem
+typeattribute bluetooth coredomain;
typeattribute bluetooth domain_deprecated;
app_domain(bluetooth)
diff --git a/private/bootanim.te b/private/bootanim.te
index 94fbc1f..8c9f6c7 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootanim coredomain;
+
init_daemon_domain(bootanim)
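Review bot: The two-line comment explaining why the `init_daemon_domain`/`type_transition` rules are kept in private rather than public policy is dropped and replaced by the `typeattribute` line, so on the new side the file no longer records why it exists in private/. If the removal is deliberate that is fine, but otherwise keep the explanation and add the attribute above it: `typeattribute bootanim coredomain;`, a blank line, then the original `# type_transition must be private policy ...` comment. The same replacement is made in most of the other private/*.te hunks in this commit (bootstat.te through wificond.te), which would keep their comments in the same way.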
diff --git a/private/bootstat.te b/private/bootstat.te
index caa82fd..806144c 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootstat coredomain;
+
init_daemon_domain(bootstat)
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
index 4fa77a5..012eb20 100644
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
@@ -1 +1,3 @@
+typeattribute bufferhubd coredomain;
+
init_daemon_domain(bufferhubd)
diff --git a/private/cameraserver.te b/private/cameraserver.te
index b34d746..c16c132 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cameraserver coredomain;
+
init_daemon_domain(cameraserver)
diff --git a/private/charger.te b/private/charger.te
new file mode 100644
index 0000000..65109de
--- /dev/null
+++ b/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/private/clatd.te b/private/clatd.te
new file mode 100644
index 0000000..5ba0fc5
--- /dev/null
+++ b/private/clatd.te
@@ -0,0 +1 @@
+typeattribute clatd coredomain;
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 02c13b3..34f0d66 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cppreopts coredomain;
+
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
diff --git a/private/crash_dump.te b/private/crash_dump.te
new file mode 100644
index 0000000..fb73f08
--- /dev/null
+++ b/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
diff --git a/private/dex2oat.te b/private/dex2oat.te
new file mode 100644
index 0000000..fd45484
--- /dev/null
+++ b/private/dex2oat.te
@@ -0,0 +1 @@
+typeattribute dex2oat coredomain;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 2239d2a..db81d0d 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,5 +1,5 @@
# dexoptanalyzer
-type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, exec_type, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
diff --git a/private/dhcp.te b/private/dhcp.te
index 6745189..b2f8ac7 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dhcp coredomain;
+
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/dnsmasq.te b/private/dnsmasq.te
new file mode 100644
index 0000000..96084b4
--- /dev/null
+++ b/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/private/drmserver.te b/private/drmserver.te
index cc96afd..45663bb 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute drmserver coredomain;
+
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 62628dd..cbdfbc6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dumpstate coredomain;
+
init_daemon_domain(dumpstate)
# Execute and transition to the vdc domain
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b0515a..9289027 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -11,6 +11,8 @@
###
### PackageManager flags an app as ephemeral at install time.
+typeattribute ephemeral_app coredomain;
+
net_domain(ephemeral_app)
app_domain(ephemeral_app)
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index a733cab..eb73ef8 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fingerprintd coredomain;
+
init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index f3f4c52..3a36329 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fsck coredomain;
+
init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
new file mode 100644
index 0000000..9a57bf0
--- /dev/null
+++ b/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index d050c2e..5e4d0a2 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute gatekeeperd coredomain;
+
init_daemon_domain(gatekeeperd)
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index ff407d5..49ef178 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -1,4 +1,4 @@
-type hal_allocator_default, domain;
+type hal_allocator_default, domain, coredomain;
hal_server_domain(hal_allocator_default, hal_allocator)
type hal_allocator_default_exec, exec_type, file_type;
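Review bot: `hal_allocator_default` is now both a `hal_server_domain` and a `coredomain`, which will surprise readers who expect HAL server implementations to be vendor domains on full-Treble devices, and the reason it qualifies is not stated in the hunk. Since the type is declared in private policy it presumably ships in the system image; a one-line comment above the `type` line, `# The default allocator HAL implementation is part of the core system image, hence coredomain.`, would record that. Whether a vendor-supplied allocator implementation is expected to use a different type cannot be determined from this hunk.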
diff --git a/private/healthd.te b/private/healthd.te
index fc13e28..0693a3a 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute healthd coredomain;
+
init_daemon_domain(healthd)
# Allow callback to storaged batteryproperties listener
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e15d13d..627b93f 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute hwservicemanager coredomain;
+
init_daemon_domain(hwservicemanager)
diff --git a/private/idmap.te b/private/idmap.te
new file mode 100644
index 0000000..73abf35
--- /dev/null
+++ b/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/private/incident.te b/private/incident.te
index 084bd5d..b910dde 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -1,3 +1,5 @@
+typeattribute incident coredomain;
+
type incident_exec, exec_type, file_type;
# switch to incident domain for incident command
diff --git a/private/incidentd.te b/private/incidentd.te
index 49830f4..efd23bd 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,3 +1,5 @@
+typeattribute incidentd coredomain;
+
init_daemon_domain(incidentd)
type incidentd_exec, exec_type, file_type;
binder_use(incidentd)
diff --git a/private/init.te b/private/init.te
index f491d00..fb4335a 100644
--- a/private/init.te
+++ b/private/init.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute init coredomain;
+
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
diff --git a/private/inputflinger.te b/private/inputflinger.te
index dae01f8..9696b49 100644
--- a/private/inputflinger.te
+++ b/private/inputflinger.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute inputflinger coredomain;
+
init_daemon_domain(inputflinger)
diff --git a/private/install_recovery.te b/private/install_recovery.te
index b9b402b..b79d683 100644
--- a/private/install_recovery.te
+++ b/private/install_recovery.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute install_recovery coredomain;
+
init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
index e18d841..f74843d 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute installd coredomain;
+
init_daemon_domain(installd)
# Run dex2oat in its own sandbox.
diff --git a/private/isolated_app.te b/private/isolated_app.te
index f98b1d1..418a322 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -6,6 +6,8 @@
### and AID_ISOLATED_END (99999).
###
+typeattribute isolated_app coredomain;
+
app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
diff --git a/private/kernel.te b/private/kernel.te
index 1c2223e..a4e6ebe 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute kernel coredomain;
+
domain_auto_trans(kernel, init_exec, init)
diff --git a/private/keystore.te b/private/keystore.te
index 70ad3b2..6aa8884 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute keystore coredomain;
+
init_daemon_domain(keystore)
diff --git a/private/lmkd.te b/private/lmkd.te
index a5d0d77..a07ce87 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute lmkd coredomain;
+
init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
index aea6654..4338e40 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute logd coredomain;
+
init_daemon_domain(logd)
# logd is not allowed to write anywhere other than /data/misc/logd, and then
diff --git a/private/logpersist.te b/private/logpersist.te
index dbace69..70e3198 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -1,3 +1,5 @@
+typeattribute logpersist coredomain;
+
# android debug log storage in logpersist domains (eng and userdebug only)
userdebug_or_eng(`
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 2fefc32..96259e2 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -1,5 +1,6 @@
# mdns daemon
+typeattribute mdnsd coredomain;
typeattribute mdnsd mlstrustedsubject;
type mdnsd_exec, exec_type, file_type;
diff --git a/private/mediacodec.te b/private/mediacodec.te
index 7f88433..ff290bc 100644
--- a/private/mediacodec.te
+++ b/private/mediacodec.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediacodec coredomain;
+
init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index 5a8e744..def8759 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediadrmserver coredomain;
+
init_daemon_domain(mediadrmserver)
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 8596c14..c1a8521 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaextractor coredomain;
+
init_daemon_domain(mediaextractor)
diff --git a/private/mediametrics.te b/private/mediametrics.te
index 11f17d2..f8b2fa5 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediametrics coredomain;
+
init_daemon_domain(mediametrics)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 74b11b0..4b510a5 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaserver coredomain;
+
init_daemon_domain(mediaserver)
diff --git a/private/modprobe.te b/private/modprobe.te
new file mode 100644
index 0000000..9858675
--- /dev/null
+++ b/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/private/mtp.te b/private/mtp.te
index 69e1353..732e111 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mtp coredomain;
+
init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index cc87dcb..f501f25 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute netd coredomain;
+
init_daemon_domain(netd)
# Allow netd to spawn dnsmasq in it's own domain
diff --git a/private/nfc.te b/private/nfc.te
index 4d1f2ce..25ad702 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,4 +1,5 @@
# nfc subsystem
+typeattribute nfc coredomain;
app_domain(nfc)
net_domain(nfc)
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 8e54a79..1f69931 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_chroot coredomain;
+
# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 519c342..98b93d4 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_slot coredomain;
+
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(otapreopt_slot)
diff --git a/private/performanced.te b/private/performanced.te
index 9544f66..792826e 100644
--- a/private/performanced.te
+++ b/private/performanced.te
@@ -1 +1,3 @@
+typeattribute performanced coredomain;
+
init_daemon_domain(performanced)
diff --git a/private/platform_app.te b/private/platform_app.te
index 6b18d8f..984bb7b 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -2,6 +2,7 @@
### Apps signed with the platform key.
###
+typeattribute platform_app coredomain;
typeattribute platform_app domain_deprecated;
app_domain(platform_app)
diff --git a/private/postinstall.te b/private/postinstall.te
index 47bf320..363e362 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall coredomain;
+
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 7596465..ff5fe87 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall_dexopt coredomain;
+
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/private/ppp.te b/private/ppp.te
index befc20e..968b221 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ppp coredomain;
+
domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
new file mode 100644
index 0000000..d10f767
--- /dev/null
+++ b/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/private/priv_app.te b/private/priv_app.te
index 83a4b3f..38ce673 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -2,6 +2,7 @@
### A domain for further sandboxing privileged apps.
###
+typeattribute priv_app coredomain;
app_domain(priv_app)
# Access the network.
diff --git a/private/profman.te b/private/profman.te
new file mode 100644
index 0000000..f61d05e
--- /dev/null
+++ b/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/private/racoon.te b/private/racoon.te
index 3eeb815..42ea7c9 100644
--- a/private/racoon.te
+++ b/private/racoon.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute racoon coredomain;
+
init_daemon_domain(racoon)
diff --git a/private/radio.te b/private/radio.te
index 95e7f0a..b4f5390 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,3 +1,5 @@
+typeattribute radio coredomain;
+
app_domain(radio)
read_runtime_log_tags(radio)
diff --git a/private/recovery.te b/private/recovery.te
new file mode 100644
index 0000000..2a7fdc7
--- /dev/null
+++ b/private/recovery.te
@@ -0,0 +1 @@
+typeattribute recovery coredomain;
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 3c37d2b..1fdd758 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_persist coredomain;
+
init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index d1cfbfe..327098d 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_refresh coredomain;
+
init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere
diff --git a/private/runas.te b/private/runas.te
index d791501..ef31aac 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute runas coredomain;
+
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 55915fe..126d643 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute sdcardd coredomain;
+
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/sensord.te b/private/sensord.te
index ef03b09..bdeded6 100644
--- a/private/sensord.te
+++ b/private/sensord.te
@@ -1 +1,3 @@
+typeattribute sensord coredomain;
+
init_daemon_domain(sensord)
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6f382a7..9f675a2 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute servicemanager coredomain;
+
init_daemon_domain(servicemanager)
read_runtime_log_tags(servicemanager)
diff --git a/private/sgdisk.te b/private/sgdisk.te
new file mode 100644
index 0000000..a17342e
--- /dev/null
+++ b/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index b1ba0ff..02f7206 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,3 +1,5 @@
+typeattribute shared_relro coredomain;
+
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
index 1e77964..aab0a15 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,3 +1,5 @@
+typeattribute shell coredomain;
+
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file r_file_perms;
diff --git a/private/slideshow.te b/private/slideshow.te
new file mode 100644
index 0000000..7dfa994
--- /dev/null
+++ b/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/private/storaged.te b/private/storaged.te
index 4796675..3dbabf6 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -1,5 +1,5 @@
# storaged daemon
-type storaged, domain, mlstrustedsubject;
+type storaged, domain, coredomain, mlstrustedsubject;
type storaged_exec, exec_type, file_type;
init_daemon_domain(storaged)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3808c83..f143580 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -1,5 +1,7 @@
# surfaceflinger - display compositor service
+typeattribute surfaceflinger coredomain;
+
type surfaceflinger_exec, exec_type, file_type;
init_daemon_domain(surfaceflinger)
diff --git a/private/system_app.te b/private/system_app.te
index 7539da2..12ba609 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,6 +4,7 @@
### server.
###
+typeattribute system_app coredomain;
typeattribute system_app domain_deprecated;
app_domain(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index d1f9bc3..da1c625 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -3,6 +3,7 @@
# Most of the framework services run in this process.
#
+typeattribute system_server coredomain;
typeattribute system_server domain_deprecated;
typeattribute system_server mlstrustedsubject;
diff --git a/private/tee.te b/private/tee.te
index 17b276f..99f501e 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tee coredomain;
+
init_daemon_domain(tee)
diff --git a/private/tombstoned.te b/private/tombstoned.te
index 73fdb1b..305f9d0 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tombstoned coredomain;
+
init_daemon_domain(tombstoned)
diff --git a/private/toolbox.te b/private/toolbox.te
index fd43d5e..a2b958d 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute toolbox coredomain;
+
init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
index ee67bb2..502735c 100644
--- a/private/tzdatacheck.te
+++ b/private/tzdatacheck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tzdatacheck coredomain;
+
init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
index 5034db7..1bd6773 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ueventd coredomain;
+
tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e2b919c..e4e9224 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute uncrypt coredomain;
+
init_daemon_domain(uncrypt)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 2f4a1a4..68c1a41 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -17,6 +17,8 @@
### seapp_contexts.
###
+typeattribute untrusted_app coredomain;
+
app_domain(untrusted_app)
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index e576d27..3fa79ef 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -19,6 +19,8 @@
### seapp_contexts.
###
+typeattribute untrusted_app_25 coredomain;
+
app_domain(untrusted_app_25)
untrusted_app_domain(untrusted_app_25)
net_domain(untrusted_app_25)
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index e511709..ef62841 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -1,6 +1,9 @@
###
### Untrusted v2 sandbox apps.
###
+
+typeattribute untrusted_v2_app coredomain;
+
app_domain(untrusted_v2_app)
net_domain(untrusted_v2_app)
bluetooth_domain(untrusted_v2_app)
diff --git a/private/update_engine.te b/private/update_engine.te
index 01199eb..5af7db6 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_engine coredomain;
+
init_daemon_domain(update_engine);
diff --git a/private/update_verifier.te b/private/update_verifier.te
index c5f110b..1b934d9 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_verifier coredomain;
+
init_daemon_domain(update_verifier)
diff --git a/private/vdc.te b/private/vdc.te
index 877e913..bc7409e 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vdc coredomain;
+
init_daemon_domain(vdc)
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
index ced556e..e735172 100644
--- a/private/virtual_touchpad.te
+++ b/private/virtual_touchpad.te
@@ -1 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
init_daemon_domain(virtual_touchpad)
diff --git a/private/vold.te b/private/vold.te
index b2495f6..a6d1001 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vold coredomain;
+
init_daemon_domain(vold)
# Switch to more restrictive domains when executing common tools
diff --git a/private/watchdogd.te b/private/watchdogd.te
new file mode 100644
index 0000000..36dd30f
--- /dev/null
+++ b/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index aad66bf..b2a1951 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -1,6 +1,8 @@
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
+typeattribute webview_zygote coredomain;
+
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
diff --git a/private/wificond.te b/private/wificond.te
index 2e89975..5476e33 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute wificond coredomain;
+
init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index f0ac0b2..e9ec672 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -1,4 +1,5 @@
# zygote
+typeattribute zygote coredomain;
typeattribute zygote domain_deprecated;
typeattribute zygote mlstrustedsubject;
diff --git a/public/attributes b/public/attributes
index b9360a6..00035ab 100644
--- a/public/attributes
+++ b/public/attributes
@@ -115,6 +115,13 @@
# recovery for A/B devices.
attribute update_engine_common;
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
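Review bot: The comment on `binder_in_vendor_violators` should state that the attribute is a public escape hatch: because it is declared in public policy, any vendor .te file can attach a domain to it and thereby exempt that domain from the full-TREBLE neverallow rules in domain.te, with no compile-time error. Since the commit's intent is to freeze the list to today's violators, something like `# Only existing violators may use this; vendor policy must not add new domains to it` would make that contract explicit to whoever next touches vendor policy. It may also be worth saying that the attribute has no effect on devices that are not full TREBLE, since the rules it exempts from are wrapped in `full_treble_only`.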
diff --git a/public/domain.te b/public/domain.te
index 5f7da0b..8a42336 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,10 @@
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
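Review bot: The new allow rule on `binder_device` drops the `-vndservicemanager` exclusion that the replaced rule had, and nothing in the comment says why that is safe; it relies on vndservicemanager never being given `coredomain` or `appdomain`, which the existing `neverallow vndservicemanager binder_device:chr_file` rule further down catches at compile time. A comment such as `# vndservicemanager is neither coredomain nor appdomain; the neverallow below enforces this` would record the dependency. The comment on the `not_full_treble` rule could also note that on non-full-TREBLE devices both allow rules are compiled and the broader `domain` rule subsumes the new one, so the split is only meaningful when `target_full_treble` is true.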
@@ -420,6 +423,24 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } binder_device:chr_file rw_file_perms;
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } servicemanager:binder { call transfer };
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
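Review bot: The new neverallow on `binder_device:chr_file` uses `rw_file_perms`, while the existing neverallow for vndservicemanager two lines above uses `no_rw_file_perms`; if the two macros expand to different permission sets, the new rule may leave some permissions (for example ones `no_rw_file_perms` covers but `rw_file_perms` does not) unconstrained for vendor domains, and if they are meant to be the same set one of the two spellings should be picked for consistency. Please confirm which set is intended and, if `no_rw_file_perms` is the stricter one, use it here as well. The neverallow that begins at the end of the hunk continues outside it.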
diff --git a/public/te_macros b/public/te_macros
index aeb2916..52f2e1b 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -395,6 +395,18 @@
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
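Review bot: Both macros key on an exact `true` string comparison, so if `target_full_treble` is unset, empty, or spelled differently (m4 leaves an undefined name as the literal text `target_full_treble`), `full_treble_only` silently expands to nothing and `not_full_treble` emits the relaxed rules; the fail-open default is worth stating next to the definitions, e.g. `# target_full_treble must be exactly "true" to select the full TREBLE rules; any other value (including unset) selects the non-TREBLE rules`. A build-time check that the value is one of `true`/`false` would make a misspelled product variable fail loudly instead of quietly dropping the neverallow rules.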
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 3bde9ec..5e49605 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -7,3 +7,6 @@
net_domain(hal_wifi_supplicant_default)
# Create a socket for receiving info from wpa
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+
+# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
+typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index 9357042..dff18ce 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@
allow vndservicemanager self:binder set_context_mgr;
# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init }:binder transfer;
allow vndservicemanager vndbinder_device:chr_file rw_file_perms;