Delete unconfined domain
No longer used. :-)
Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
diff --git a/Android.mk b/Android.mk
index 8bf461d..0c44f1e 100644
--- a/Android.mk
+++ b/Android.mk
@@ -2,22 +2,6 @@
include $(CLEAR_VARS)
-# Force permissive domains to be unconfined+enforcing?
-#
-# During development, this should be set to false.
-# Permissive means permissive.
-#
-# When we're close to a release and SELinux new policy development
-# is frozen, we should flip this to true. This forces any currently
-# permissive domains into unconfined+enforcing.
-#
-FORCE_PERMISSIVE_TO_UNCONFINED ?= false
-
-ifeq ($(TARGET_BUILD_VARIANT),user)
- # User builds are always forced unconfined+enforcing
- FORCE_PERMISSIVE_TO_UNCONFINED := true
-endif
-
# SELinux policy version.
# Must be <= /selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
@@ -114,7 +98,6 @@
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
- -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -142,7 +125,6 @@
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
- -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-D target_recovery=true \
-s $^ > $@
@@ -171,7 +153,6 @@
mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=user \
- -D force_permissive_to_unconfined=true \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
diff --git a/attributes b/attributes
index 3f632de..af9af8e 100644
--- a/attributes
+++ b/attributes
@@ -56,9 +56,6 @@
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
-# Domains that are allowed all permissions ("unconfined").
-attribute unconfineddomain;
-
# All domains used for apps.
attribute appdomain;
diff --git a/te_macros b/te_macros
index 1efe15f..de3f9f5 100644
--- a/te_macros
+++ b/te_macros
@@ -71,17 +71,6 @@
')
#####################################
-# unconfined_domain(domain)
-# Allow the specified domain to perform more privileged operations
-# than would be typically allowed. Please see the comments at the
-# top of unconfined.te.
-#
-define(`unconfined_domain', `
-typeattribute $1 mlstrustedsubject;
-typeattribute $1 unconfineddomain;
-')
-
-#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
@@ -308,17 +297,6 @@
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
-# permissive_or_unconfined
-# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
-# and "unconfined($1)" otherwise.
-#
-# This is used for experimental domains, where we want to ensure
-# the domain is unconfined+enforcing once new SELinux policy development
-# has ceased.
-#
-define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
-
-#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
diff --git a/unconfined.te b/unconfined.te
deleted file mode 100644
index 559ed59..0000000
--- a/unconfined.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#######################################################
-#
-# This is the unconfined template. This template is the base policy
-# which is used by daemons and other privileged components of
-# Android.
-#
-# Historically, this template was called "unconfined" because it
-# allowed the domain to do anything it wanted. Over time,
-# this has changed, and will continue to change in the future.
-# The rules in this file will be removed when no remaining
-# unconfined domains require it, or when the rules contradict
-# Android security best practices. Domains which need rules not
-# provided by the unconfined template should add them directly to
-# the relevant policy.
-#
-# The use of this template is discouraged.
-######################################################
-
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
-allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
-allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:fd *;
-allow unconfineddomain domain:dir r_dir_perms;
-allow unconfineddomain domain:lnk_file r_file_perms;
-allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
-allow unconfineddomain domain:{
- socket
- netlink_socket
- key_socket
- unix_stream_socket
- unix_dgram_socket
- netlink_route_socket
- netlink_firewall_socket
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_selinux_socket
- netlink_audit_socket
- netlink_ip6fw_socket
- netlink_dnrt_socket
- netlink_kobject_uevent_socket
- tun_socket
-} *;
-allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain {
- file_type
- -keystore_data_file
- -property_data_file
- -system_file
- -exec_type
- -security_file
- -shell_data_file
- -app_data_file
- -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute };
-allow unconfineddomain exec_type:lnk_file r_file_perms;
-allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute };
-allow unconfineddomain system_file:lnk_file r_file_perms;
-allow unconfineddomain {
- fs_type
- -usermodehelper
- -proc_security
- -contextmount_type
- -rootfs
- -sdcard_type
- -device
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {
- file_type
- -keystore_data_file
- -property_data_file
- -system_file
- -exec_type
- -security_file
- -shell_data_file
- -app_data_file
- -unlabeled
- -dalvikcache_data_file
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain rootfs:file execute;
-allow unconfineddomain contextmount_type:dir r_dir_perms;
-allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
-allow unconfineddomain node_type:node *;
-allow unconfineddomain netif_type:netif *;
-allow unconfineddomain domain:peer recv;
-allow unconfineddomain { domain -init }:binder { call transfer };