Clarify the expectations for the unconfined template.
In https://android-review.googlesource.com/66562, there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.
Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f
diff --git a/te_macros b/te_macros
index 9f885bf..c7c93aa 100644
--- a/te_macros
+++ b/te_macros
@@ -72,7 +72,9 @@
#####################################
# unconfined_domain(domain)
-# Allow the specified domain to do anything.
+# Allow the specified domain to perform more privileged operations
+# than would be typically allowed. Please see the comments at the
+# top of unconfined.te.
#
define(`unconfined_domain', `
typeattribute $1 mlstrustedsubject;
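Review bot: the reworded comment now refers readers to unconfined.te for the privileges this macro grants, but the first thing the macro does, `typeattribute $1 mlstrustedsubject;`, is not in unconfined.te at all, and it is a separate privilege from the allow rules there (the domain is exempted from MLS constraints). Mention it here so a reader following the pointer does not conclude that unconfined.te is the whole story, e.g. "Also marks the domain as an MLS trusted subject. Please see the comments at the top of unconfined.te for the remaining rules."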
diff --git a/unconfined.te b/unconfined.te
index 9b1b992..80f88b7 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,3 +1,21 @@
+#######################################################
+#
+# This is the unconfined template. This template is the base policy
+# which is used by daemons and other privileged components of
+# Android.
+#
+# Historically, this template was called "unconfined" because it
+# allowed the domain to do anything it wanted. Over time,
+# this has changed, and will continue to change in the future.
+# The rules in this file will be removed when no remaining
+# unconfined domains require it, or when the rules contradict
+# Android security best practices. Domains which need rules not
+# provided by the unconfined template should add them directly to
+# the relevant policy.
+#
+# The use of this template is discouraged.
+######################################################
+
allow unconfineddomain self:capability_class_set *;
allow unconfineddomain kernel:security ~load_policy;
allow unconfineddomain kernel:system *;
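Review bot: the header says use of the template is discouraged and that its rules will be removed over time, but it never says whether new rules may be added to this file; "Domains which need rules not provided by the unconfined template should add them directly to the relevant policy" reads as guidance for the domain's own .te file, yet the natural misreading is that unconfined.te is a fallback place for shared rules. State it explicitly, e.g. "Do not add new rules to this file." Also consider naming the broadest grants immediately below the banner (`allow unconfineddomain self:capability_class_set *;` and `allow unconfineddomain kernel:system *;`) as the first candidates for removal, since those are precisely the rules the text describes as contradicting Android security best practices. Minor style point: the closing `#####` banner is one character shorter than the opening one.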