Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
diff --git a/app.te b/app.te
index c91f566..00ec450 100644
--- a/app.te
+++ b/app.te
@@ -7,6 +7,7 @@
# Apps signed with the platform key.
#
type platform_app, domain;
+permissive platform_app;
app_domain(platform_app)
platform_app_domain(platform_app)
# Access the network.
@@ -31,6 +32,7 @@
# Apps signed with the media key.
type media_app, domain;
+permissive media_app;
app_domain(media_app)
platform_app_domain(media_app)
# Access the network.
@@ -54,6 +56,7 @@
# Apps signed with the shared key.
type shared_app, domain;
+permissive shared_app;
app_domain(shared_app)
platform_app_domain(shared_app)
# Access the network.
@@ -65,6 +68,7 @@
# Apps signed with the release key (testkey in AOSP).
type release_app, domain;
+permissive release_app;
app_domain(release_app)
platform_app_domain(release_app)
# Access the network.
@@ -76,6 +80,7 @@
# In order for isolated_apps to interact with apps that have levelFromUid=true
# set it must be an mlstrustedsubject.
type isolated_app, domain, mlstrustedsubject;
+permissive isolated_app;
app_domain(isolated_app)
#
@@ -94,6 +99,7 @@
# Untrusted apps.
#
type untrusted_app, domain;
+permissive untrusted_app;
app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
diff --git a/bluetooth.te b/bluetooth.te
index a7b9a4e..e87065a 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,6 @@
# bluetooth subsystem
type bluetooth, domain;
+permissive bluetooth;
app_domain(bluetooth)
# Data file accesses.
diff --git a/bluetoothd.te b/bluetoothd.te
index 640a1da..1766038 100644
--- a/bluetoothd.te
+++ b/bluetoothd.te
@@ -1,5 +1,6 @@
# bluetoothd - bluetooth daemon
type bluetoothd, domain;
+permissive bluetoothd;
type bluetoothd_exec, exec_type, file_type;
init_daemon_domain(bluetoothd)
diff --git a/dbusd.te b/dbusd.te
index 6ffc836..56b1d75 100644
--- a/dbusd.te
+++ b/dbusd.te
@@ -1,5 +1,6 @@
# dbus daemon
type dbusd, domain;
+permissive dbusd;
type dbusd_exec, exec_type, file_type;
init_daemon_domain(dbusd)
diff --git a/debuggerd.te b/debuggerd.te
index aca499b..131c56c 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,5 +1,6 @@
# debugger interface
type debuggerd, domain;
+permissive debuggerd;
type debuggerd_exec, exec_type, file_type;
init_daemon_domain(debuggerd)
diff --git a/dhcp.te b/dhcp.te
index b806a89..a6e2036 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,4 +1,5 @@
type dhcp, domain;
+permissive dhcp;
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;
type dhcp_system_file, file_type, data_file_type;
diff --git a/drmserver.te b/drmserver.te
index 0b34eb7..79f8613 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,5 +1,6 @@
# drmserver - DRM service
type drmserver, domain;
+permissive drmserver;
type drmserver_exec, exec_type, file_type;
init_daemon_domain(drmserver)
diff --git a/file_contexts b/file_contexts
index 19491f9..766bf59 100644
--- a/file_contexts
+++ b/file_contexts
@@ -172,6 +172,7 @@
/data/app-private/vmdl.*\.tmp u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/selinux(/.*)? u:object_r:tombstone_data_file:s0
# Misc data
/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
diff --git a/gpsd.te b/gpsd.te
index 8010efa..a7b2f1e 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,5 +1,6 @@
# gpsd - GPS daemon
type gpsd, domain;
+permissive gpsd;
type gpsd_exec, exec_type, file_type;
init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 3cb0953..2a55d51 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,4 +1,5 @@
type hci_attach, domain;
+permissive hci_attach;
type hci_attach_exec, exec_type, file_type;
init_daemon_domain(hci_attach)
diff --git a/init.te b/init.te
index 0f9b697..9c1c8ce 100644
--- a/init.te
+++ b/init.te
@@ -1,5 +1,6 @@
# init switches to init domain (via init.rc).
type init, domain;
+permissive init;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
diff --git a/installd.te b/installd.te
index 428e379..2b983db 100644
--- a/installd.te
+++ b/installd.te
@@ -1,5 +1,6 @@
# installer daemon
type installd, domain;
+permissive installd;
type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
diff --git a/kernel.te b/kernel.te
index 66c7b13..5502ed8 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,4 +1,5 @@
# Life begins with the kernel.
type kernel, domain;
+permissive kernel;
# The kernel is unconfined.
unconfined_domain(kernel)
diff --git a/keystore.te b/keystore.te
index c44d254..e6eacf0 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,4 +1,5 @@
type keystore, domain;
+permissive keystore;
type keystore_exec, exec_type, file_type;
# keystore daemon
diff --git a/mediaserver.te b/mediaserver.te
index 3e78ce2..7d2b9cb 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,6 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
+permissive mediaserver;
type mediaserver_exec, exec_type, file_type;
typeattribute mediaserver mlstrustedsubject;
diff --git a/mtp.te b/mtp.te
index b458e69..4331cbf 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,5 +1,6 @@
# vpn tunneling protocol manager
type mtp, domain;
+permissive mtp;
type mtp_exec, exec_type, file_type;
init_daemon_domain(mtp)
diff --git a/netd.te b/netd.te
index af7d15d..297f570 100644
--- a/netd.te
+++ b/netd.te
@@ -1,5 +1,6 @@
# network manager
type netd, domain;
+permissive netd;
type netd_exec, exec_type, file_type;
init_daemon_domain(netd)
diff --git a/nfc.te b/nfc.te
index 9a354bb..efb1a14 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,6 @@
# nfc subsystem
type nfc, domain;
+permissive nfc;
app_domain(nfc)
# NFC device access.
diff --git a/ping.te b/ping.te
index 5b8bc95..df9e624 100644
--- a/ping.te
+++ b/ping.te
@@ -1,4 +1,5 @@
type ping, domain;
+permissive ping;
type ping_exec, file_type;
domain_auto_trans(shell, ping_exec, ping)
diff --git a/ppp.te b/ppp.te
index 115fb98..85d37a7 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,5 +1,6 @@
# Point to Point Protocol daemon
type ppp, domain;
+permissive ppp;
type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;
type ppp_system_file, file_type;
diff --git a/qemud.te b/qemud.te
index ec6c816..ab99291 100644
--- a/qemud.te
+++ b/qemud.te
@@ -1,5 +1,6 @@
# qemu support daemon
type qemud, domain;
+permissive qemud;
type qemud_exec, exec_type, file_type;
init_daemon_domain(qemud)
diff --git a/racoon.te b/racoon.te
index 9f556e0..4cebb7b 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,5 +1,6 @@
# IKE key management daemon
type racoon, domain;
+permissive racoon;
type racoon_exec, exec_type, file_type;
init_daemon_domain(racoon)
diff --git a/radio.te b/radio.te
index a119d75..9de8aba 100644
--- a/radio.te
+++ b/radio.te
@@ -1,5 +1,6 @@
# phone subsystem
type radio, domain;
+permissive radio;
app_domain(radio)
net_domain(radio)
bluetooth_domain(radio)
diff --git a/rild.te b/rild.te
index b224bac..c2fcda9 100644
--- a/rild.te
+++ b/rild.te
@@ -1,5 +1,6 @@
# rild - radio interface layer daemon
type rild, domain;
+permissive rild;
type rild_exec, exec_type, file_type;
init_daemon_domain(rild)
diff --git a/sdcardd.te b/sdcardd.te
index c798545..3e556c3 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,4 +1,5 @@
type sdcardd, domain;
+permissive sdcardd;
type sdcardd_exec, exec_type, file_type;
init_daemon_domain(sdcardd)
diff --git a/servicemanager.te b/servicemanager.te
index a78a485..dc0f15e 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,5 +1,6 @@
# servicemanager - the Binder context manager
type servicemanager, domain;
+permissive servicemanager;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)
diff --git a/su.te b/su.te
index 75e6214..ca9fcc2 100644
--- a/su.te
+++ b/su.te
@@ -1,4 +1,5 @@
type su, domain;
+permissive su;
type su_exec, file_type;
domain_auto_trans(shell, su_exec, su)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index a383ec1..4244d01 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,5 +1,6 @@
# surfaceflinger - display compositor service
type surfaceflinger, domain;
+permissive surfaceflinger;
type surfaceflinger_exec, exec_type, file_type;
init_daemon_domain(surfaceflinger)
diff --git a/system.te b/system.te
index 66a7afc..cef5cee 100644
--- a/system.te
+++ b/system.te
@@ -4,6 +4,7 @@
# server.
#
type system_app, domain;
+permissive system_app;
app_domain(system_app)
# Perform binder IPC to any app domain.
diff --git a/te_macros b/te_macros
index 6e6b0a4..278205e 100644
--- a/te_macros
+++ b/te_macros
@@ -232,6 +232,7 @@
define(`security_access_policy', `
allow $1 security_file:dir r_dir_perms;
allow $1 security_file:file r_file_perms;
+allow $1 security_file:lnk_file read;
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file r_file_perms;
allow $1 rootfs:dir r_dir_perms;
diff --git a/tee.te b/tee.te
index d5e8ff7..dad3505 100644
--- a/tee.te
+++ b/tee.te
@@ -2,6 +2,7 @@
# trusted execution environment (tee) daemon
#
type tee, domain;
+permissive tee;
type tee_exec, exec_type, file_type;
type tee_device, dev_type;
type tee_data_file, file_type, data_file_type;
diff --git a/ueventd.te b/ueventd.te
index fa03acf..2717182 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -1,6 +1,7 @@
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
+permissive ueventd;
tmpfs_domain(ueventd)
write_klog(ueventd)
security_access_policy(ueventd)
diff --git a/vold.te b/vold.te
index 8dd2137..fa76a55 100644
--- a/vold.te
+++ b/vold.te
@@ -1,5 +1,6 @@
# volume manager
type vold, domain;
+permissive vold;
type vold_exec, exec_type, file_type;
init_daemon_domain(vold)
diff --git a/watchdogd.te b/watchdogd.te
index 18824cc..76f8244 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,5 +1,6 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
+permissive watchdogd;
allow watchdogd rootfs:file { entrypoint r_file_perms };
allow watchdogd self:capability mknod;
allow watchdogd device:dir { add_name write remove_name };
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index be1bf25..2c4ea60 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -1,5 +1,6 @@
# wpa - wpa supplicant or equivalent
type wpa, domain;
+permissive wpa;
type wpa_exec, exec_type, file_type;
init_daemon_domain(wpa)
diff --git a/zygote.te b/zygote.te
index 773318e..90a9b3d 100644
--- a/zygote.te
+++ b/zygote.te
@@ -1,5 +1,6 @@
# zygote
type zygote, domain;
+permissive zygote;
type zygote_exec, exec_type, file_type;
init_daemon_domain(zygote)