init.te: remove domain_deprecated
auditallows have been in place for a while, and no obvious denials have shown up.
Remove domain_deprecated from init.te
While I'm here, clean up the formatting of the lines in
domain_deprecated.te.
Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Ia12e77c3e25990957abf15744e083eed9ffbb056
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 96f32b9..0a39b96 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -2,7 +2,15 @@
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -sdcardd
+ -surfaceflinger
+ -system_server
+ -vold
+ -zygote
+} tmpfs:dir r_dir_perms;
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
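Review bot: Dropping `-init` from the exclusion set of the tmpfs:dir auditallow (and likewise in the rootfs, system_data_file, apk_data_file, cache_file, proc, sysfs, proc_meminfo and selinuxfs hunks) only stays quiet if init genuinely no longer carries the domain_deprecated attribute; the init.te change the title refers to is outside this chunk, so that dependency cannot be confirmed here. If any device-specific policy still adds domain_deprecated to init, these rules would start emitting granted-audit messages for init, which is noise rather than an enforcement change. The auditallow itself grants nothing; what init may actually do is still governed by the unchanged `allow domain_deprecated tmpfs:dir r_dir_perms;` line above it, so the reformatting carries no permission change. A one-line comment such as `# init no longer has domain_deprecated; keep exclusion lists in sync with init.te` at the top of the file would make that coupling visible to the next person editing these lists.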
@@ -21,7 +29,6 @@
domain_deprecated
-fsck
-healthd
- -init
-installd
-servicemanager
-system_server
@@ -30,8 +37,29 @@
-vold
-zygote
} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow {
+ domain_deprecated
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -healthd
+ -installd
+ -servicemanager
+ -system_server
+ -ueventd
+ -uncrypt
+ -vold
+ -zygote
+} rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
@@ -40,7 +68,6 @@
domain_deprecated
-appdomain
-fingerprintd
- -init
-installd
-keystore
-rild
@@ -53,7 +80,6 @@
auditallow {
domain_deprecated
-appdomain
- -init
-rild
-surfaceflinger
-system_server
@@ -63,25 +89,71 @@
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -system_server -tee } system_data_file:file { getattr read };
-auditallow { domain_deprecated -appdomain -init -system_server -tee } system_data_file:lnk_file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -sdcardd
+ -system_server
+ -tee
+} system_data_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -tee
+} system_data_file:lnk_file r_file_perms;
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:dir { getattr search };
-auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:dir { getattr search };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dex2oat
+ -installd
+ -system_server
+} apk_data_file:lnk_file r_file_perms;
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -init -system_server -vold } cache_file:dir { open read search ioctl lock };
-auditallow { domain_deprecated -appdomain -init -system_server -vold } cache_file:dir getattr;
-auditallow { domain_deprecated -init -system_server -vold } cache_file:file { getattr read };
-auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file r_file_perms;
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:dir { open read search ioctl lock };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -system_server
+ -vold
+} cache_file:dir getattr;
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:file { getattr read };
+auditallow {
+ domain_deprecated
+ -system_server
+ -vold
+} cache_file:lnk_file r_file_perms;
#Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
@@ -100,24 +172,71 @@
domain_deprecated
-fsck
-fsck_untrusted
- -init
-rild
-sdcardd
-system_server
-update_engine
-vold
} proc:file r_file_perms;
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow {
+ domain_deprecated
+ -fsck
+ -fsck_untrusted
+ -rild
+ -system_server
+ -vold
+} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -bluetooth
+ -fingerprintd
+ -healthd
+ -netd
+ -rild
+ -system_app
+ -surfaceflinger
+ -system_server
+ -tee
+ -ueventd
+ -vold
+ -wpa
+} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
- -init
-inputflinger
-installd
-keystore
@@ -133,7 +252,6 @@
-dumpstate
-fingerprintd
-healthd
- -init
-inputflinger
-installd
-keystore
@@ -143,10 +261,38 @@
-system_server
-zygote
} cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -surfaceflinger
+ -system_server
+ -vold
+} proc_meminfo:file r_file_perms;
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -installd
+ -keystore
+ -postinstall_dexopt
+ -runas
+ -servicemanager
+ -system_server
+ -ueventd
+ -zygote
+} selinuxfs:file { open read ioctl lock }; # getattr granted in domain