Move mtectrl to private
Because mtectrl is a system internal domain, and we don't need to expose
the type to vendor.
Test: build and boot
Change-Id: Idb5c4a4c6f175e338722971944bf08ba99835476
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ffd148f..da6876e 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -40,7 +40,6 @@
hal_wifi_supplicant_service
locale_service
mdns_service
- mtectrl
nearby_service
proc_watermark_boost_factor
proc_watermark_scale_factor
diff --git a/private/domain.te b/private/domain.te
index b193330..988bd56 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,26 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these allowlisted domains.
neverallow {
diff --git a/private/mtectrl.te b/private/mtectrl.te
index a89edda..436dcae 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -1,4 +1,5 @@
# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
type mtectrl_exec, system_file_type, exec_type, file_type;
init_daemon_domain(mtectrl)
diff --git a/public/domain.te b/public/domain.te
index 9b8aefd..0f86409 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -610,26 +610,6 @@
-update_engine
} system_block_device:blk_file { write append };
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
- -mtectrl
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
diff --git a/public/mtectrl.te b/public/mtectrl.te
deleted file mode 100644
index 2fb8a96..0000000
--- a/public/mtectrl.te
+++ /dev/null
@@ -1 +0,0 @@
-type mtectrl, domain, coredomain;