Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

commit: d22987b4daf02a8dae5bb10119d9ec5ec9f637cf [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Tue Nov 03 09:54:39 2015 -0800
committer: Jeffrey Vander Stoep <jeffv@google.com> Tue Nov 03 23:11:11 2015 +0000
tree: 0087050009b1f951d443836289c734fe5b31c02b
parent: e25588fba8a92da40c69a87658284874f3ea0b5b [diff] [blame]
diff --git a/su.te b/su.te
index 6c4c115..38e3b0d 100644
--- a/su.te
+++ b/su.te

@@ -5,7 +5,7 @@
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, mlstrustedsubject;
+  type su, domain, domain_deprecated, mlstrustedsubject;
   domain_auto_trans(shell, su_exec, su)
 
   # Allow dumpstate to call su on userdebug / eng builds to collect
commit	d22987b4daf02a8dae5bb10119d9ec5ec9f637cf	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Tue Nov 03 09:54:39 2015 -0800
committer	Jeffrey Vander Stoep <jeffv@google.com>	Tue Nov 03 23:11:11 2015 +0000
tree	0087050009b1f951d443836289c734fe5b31c02b
parent	e25588fba8a92da40c69a87658284874f3ea0b5b [diff] [blame]