Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.
The following domains were deliberately NOT changed:
1) kernel
2) init
In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.
When we're ready to tighten up the rules for these domains,
we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.
For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.
Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
diff --git a/adbd.te b/adbd.te
index 4f332b3..84d1c2b 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,7 +1,6 @@
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;
-permissive adbd;
unconfined_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
# this is an entrypoint
diff --git a/bluetooth.te b/bluetooth.te
index 3b73304..72263e3 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,4 @@
# bluetooth subsystem
type bluetooth, domain;
-permissive bluetooth;
app_domain(bluetooth)
unconfined_domain(bluetooth)
diff --git a/clatd.te b/clatd.te
index ebbb79c..dc62fb0 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,6 +1,5 @@
# 464xlat daemon
type clatd, domain;
-permissive clatd;
type clatd_exec, exec_type, file_type;
init_daemon_domain(clatd)
diff --git a/debuggerd.te b/debuggerd.te
index 690e695..cdf00de 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,6 +1,5 @@
# debugger interface
type debuggerd, domain;
-permissive debuggerd;
type debuggerd_exec, exec_type, file_type;
init_daemon_domain(debuggerd)
diff --git a/dhcp.te b/dhcp.te
index 4fe24e7..5004565 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,5 +1,4 @@
type dhcp, domain;
-permissive dhcp;
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;
type dhcp_system_file, file_type, data_file_type;
diff --git a/dnsmasq.te b/dnsmasq.te
index ff81367..a5c647a 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -1,5 +1,4 @@
type dnsmasq, domain;
-permissive dnsmasq;
type dnsmasq_exec, exec_type, file_type;
init_daemon_domain(dnsmasq)
diff --git a/drmserver.te b/drmserver.te
index c9fc5f6..8727bc1 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,6 +1,5 @@
# drmserver - DRM service
type drmserver, domain;
-permissive drmserver;
type drmserver_exec, exec_type, file_type;
init_daemon_domain(drmserver)
diff --git a/gpsd.te b/gpsd.te
index 6d6fbd7..403a6b7 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,6 +1,5 @@
# gpsd - GPS daemon
type gpsd, domain;
-permissive gpsd;
type gpsd_exec, exec_type, file_type;
init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 15b73ff..40e3150 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,5 +1,4 @@
type hci_attach, domain;
-permissive hci_attach;
type hci_attach_exec, exec_type, file_type;
init_daemon_domain(hci_attach)
diff --git a/healthd.te b/healthd.te
index 52c466e..2241f23 100644
--- a/healthd.te
+++ b/healthd.te
@@ -1,7 +1,6 @@
# healthd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type healthd, domain;
-permissive healthd;
type healthd_exec, exec_type, file_type;
init_daemon_domain(healthd)
diff --git a/hostapd.te b/hostapd.te
index f13b2e0..79db3c3 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -1,5 +1,4 @@
type hostapd, domain;
-permissive hostapd;
type hostapd_exec, exec_type, file_type;
init_daemon_domain(hostapd)
diff --git a/init_shell.te b/init_shell.te
index 900826e..696a6dc 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,5 +1,4 @@
# Restricted domain for shell processes spawned by init
type init_shell, domain;
-permissive init_shell;
domain_auto_trans(init, shell_exec, init_shell)
unconfined_domain(init_shell)
diff --git a/keystore.te b/keystore.te
index d438cfa..a7f4b4d 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,5 +1,4 @@
type keystore, domain;
-permissive keystore;
type keystore_exec, exec_type, file_type;
# keystore daemon
diff --git a/media_app.te b/media_app.te
index f0f987f..1fe06dd 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,7 +3,6 @@
###
type media_app, domain;
-permissive media_app;
app_domain(media_app)
platform_app_domain(media_app)
# Access the network.
diff --git a/mediaserver.te b/mediaserver.te
index a8e78d2..1b94d86 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,6 +1,5 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
-permissive mediaserver;
type mediaserver_exec, exec_type, file_type;
net_domain(mediaserver)
diff --git a/mtp.te b/mtp.te
index eb89326..48a5525 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,6 +1,5 @@
# vpn tunneling protocol manager
type mtp, domain;
-permissive mtp;
type mtp_exec, exec_type, file_type;
init_daemon_domain(mtp)
diff --git a/nfc.te b/nfc.te
index f5432f1..31b9144 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,4 @@
# nfc subsystem
type nfc, domain;
-permissive nfc;
app_domain(nfc)
unconfined_domain(nfc)
diff --git a/ping.te b/ping.te
index 19f3a47..37b9b3c 100644
--- a/ping.te
+++ b/ping.te
@@ -1,5 +1,4 @@
type ping, domain;
-permissive ping;
type ping_exec, exec_type, file_type;
domain_auto_trans(shell, ping_exec, ping)
unconfined_domain(ping)
diff --git a/platform_app.te b/platform_app.te
index 38d8fcd..042d495 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -3,7 +3,6 @@
###
type platform_app, domain;
-permissive platform_app;
app_domain(platform_app)
platform_app_domain(platform_app)
# Access the network.
diff --git a/ppp.te b/ppp.te
index 3387cde..bc1bafc 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,6 +1,5 @@
# Point to Point Protocol daemon
type ppp, domain;
-permissive ppp;
type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;
type ppp_system_file, file_type;
diff --git a/qemud.te b/qemud.te
index 1266e1f..caf7a09 100644
--- a/qemud.te
+++ b/qemud.te
@@ -1,6 +1,5 @@
# qemu support daemon
type qemud, domain;
-permissive qemud;
type qemud_exec, exec_type, file_type;
init_daemon_domain(qemud)
diff --git a/racoon.te b/racoon.te
index 2d3afb8..12955f2 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,6 +1,5 @@
# IKE key management daemon
type racoon, domain;
-permissive racoon;
type racoon_exec, exec_type, file_type;
unconfined_domain(racoon)
diff --git a/radio.te b/radio.te
index 6d569b0..feea2cc 100644
--- a/radio.te
+++ b/radio.te
@@ -1,6 +1,5 @@
# phone subsystem
type radio, domain;
-permissive radio;
app_domain(radio)
net_domain(radio)
bluetooth_domain(radio)
diff --git a/release_app.te b/release_app.te
index 285f483..e7e4b35 100644
--- a/release_app.te
+++ b/release_app.te
@@ -3,7 +3,6 @@
###
type release_app, domain;
-permissive release_app;
app_domain(release_app)
platform_app_domain(release_app)
# Access the network.
diff --git a/rild.te b/rild.te
index a93b3ac..9aba8a2 100644
--- a/rild.te
+++ b/rild.te
@@ -1,6 +1,5 @@
# rild - radio interface layer daemon
type rild, domain;
-permissive rild;
type rild_exec, exec_type, file_type;
init_daemon_domain(rild)
diff --git a/runas.te b/runas.te
index ec5e1c4..6446a9e 100644
--- a/runas.te
+++ b/runas.te
@@ -1,6 +1,5 @@
type runas, domain;
type runas_exec, exec_type, file_type;
-permissive runas;
unconfined_domain(runas)
# ndk-gdb invokes adb shell run-as.
diff --git a/sdcardd.te b/sdcardd.te
index 32e686c..25d1246 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,5 +1,4 @@
type sdcardd, domain;
-permissive sdcardd;
type sdcardd_exec, exec_type, file_type;
init_daemon_domain(sdcardd)
diff --git a/servicemanager.te b/servicemanager.te
index 80ed9df..10b6aad 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,6 +1,5 @@
# servicemanager - the Binder context manager
type servicemanager, domain;
-permissive servicemanager;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)
diff --git a/shared_app.te b/shared_app.te
index b66fbfb..8475e0c 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -3,7 +3,6 @@
###
type shared_app, domain;
-permissive shared_app;
app_domain(shared_app)
platform_app_domain(shared_app)
# Access the network.
diff --git a/su.te b/su.te
index c1f002f..b68536c 100644
--- a/su.te
+++ b/su.te
@@ -1,5 +1,4 @@
type su, domain;
-permissive su;
type su_exec, exec_type, file_type;
domain_auto_trans(shell, su_exec, su)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index ba66b83..aa63e6b 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,6 +1,5 @@
# surfaceflinger - display compositor service
type surfaceflinger, domain;
-permissive surfaceflinger;
type surfaceflinger_exec, exec_type, file_type;
init_daemon_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index 61a18db..d274ac1 100644
--- a/system_app.te
+++ b/system_app.te
@@ -4,6 +4,5 @@
# server.
#
type system_app, domain;
-permissive system_app;
app_domain(system_app)
unconfined_domain(system_app)
diff --git a/system_server.te b/system_server.te
index fd2d130..2e86b6a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -3,7 +3,6 @@
# Most of the framework services run in this process.
#
type system_server, domain;
-permissive system_server;
unconfined_domain(system_server);
relabelto_domain(system_server);
diff --git a/tee.te b/tee.te
index 2fab282..1aae06e 100644
--- a/tee.te
+++ b/tee.te
@@ -6,6 +6,5 @@
type tee_device, dev_type;
type tee_data_file, file_type, data_file_type;
-permissive tee;
unconfined_domain(tee)
init_daemon_domain(tee)
diff --git a/watchdogd.te b/watchdogd.te
index 3bf9aae..9af871c 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,5 +1,4 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
-permissive watchdogd;
unconfined_domain(watchdogd)
allow watchdogd rootfs:file entrypoint;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index c924214..5ef3573 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -1,6 +1,5 @@
# wpa - wpa supplicant or equivalent
type wpa, domain;
-permissive wpa;
type wpa_exec, exec_type, file_type;
init_daemon_domain(wpa)