Move domains into per-domain permissive mode.

Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

Move domains into per-domain permissive mode.
Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
50e37b93 · repo sync · b77b3aff · 50e37b93 · 50e37b93 · 50e37b93
Commit 50e37b93 authored 11 years ago by repo sync
--- a/app.te
+++ b/app.te
@@ -7,6 +7,7 @@
 # Apps signed with the platform key.
 #
 type platform_app, domain;
+permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
@@ -31,6 +32,7 @@ allow platform_app download_file:file rw_file_perms;

 # Apps signed with the media key.
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
@@ -54,6 +56,7 @@ allow media_app download_file:dir relabelto;

 # Apps signed with the shared key.
 type shared_app, domain;
+permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
@@ -65,6 +68,7 @@ r_dir_file(shared_app, asec_apk_file)

 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
+permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
@@ -76,6 +80,7 @@ bluetooth_domain(release_app)
 # In order for isolated_apps to interact with apps that have levelFromUid=true
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
+permissive isolated_app;
 app_domain(isolated_app)

 #
@@ -94,6 +99,7 @@ allow platformappdomain sdcard_type:file create_file_perms;
 # Untrusted apps.
 #
 type untrusted_app, domain;
+permissive untrusted_app;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)

--- a/bluetooth.te
+++ b/bluetooth.te
 # bluetooth subsystem
 type bluetooth, domain;
+permissive bluetooth;
 app_domain(bluetooth)

 # Data file accesses.

--- a/bluetoothd.te
+++ b/bluetoothd.te
 # bluetoothd - bluetooth daemon
 type bluetoothd, domain;
+permissive bluetoothd;
 type bluetoothd_exec, exec_type, file_type;

 init_daemon_domain(bluetoothd)

--- a/dbusd.te
+++ b/dbusd.te
 # dbus daemon
 type dbusd, domain;
+permissive dbusd;
 type dbusd_exec, exec_type, file_type;

 init_daemon_domain(dbusd)

--- a/debuggerd.te
+++ b/debuggerd.te
 # debugger interface
 type debuggerd, domain;
+permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;

 init_daemon_domain(debuggerd)

--- a/dhcp.te
+++ b/dhcp.te
 type dhcp, domain;
+permissive dhcp;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;

--- a/drmserver.te
+++ b/drmserver.te
 # drmserver - DRM service
 type drmserver, domain;
+permissive drmserver;
 type drmserver_exec, exec_type, file_type;

 init_daemon_domain(drmserver)

--- a/file_contexts
+++ b/file_contexts
@@ -172,6 +172,7 @@
 /data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/tmp/selinux(/.*)?   u:object_r:tombstone_data_file:s0
 # Misc data
 /data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0

--- a/gpsd.te
+++ b/gpsd.te
 # gpsd - GPS daemon
 type gpsd, domain;
+permissive gpsd;
 type gpsd_exec, exec_type, file_type;

 init_daemon_domain(gpsd)

--- a/hci_attach.te
+++ b/hci_attach.te
 type hci_attach, domain;
+permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;

 init_daemon_domain(hci_attach)

--- a/init.te
+++ b/init.te
 # init switches to init domain (via init.rc).
 type init, domain;
+permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
--- a/installd.te
+++ b/installd.te
 # installer daemon
 type installd, domain;
+permissive installd;
 type installd_exec, exec_type, file_type;

 init_daemon_domain(installd)

--- a/kernel.te
+++ b/kernel.te
 # Life begins with the kernel.
 type kernel, domain;
+permissive kernel;
 # The kernel is unconfined.
 unconfined_domain(kernel)
--- a/keystore.te
+++ b/keystore.te
 type keystore, domain;
+permissive keystore;
 type keystore_exec, exec_type, file_type;

 # keystore daemon

--- a/mediaserver.te
+++ b/mediaserver.te
 # mediaserver - multimedia daemon
 type mediaserver, domain;
+permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;

 typeattribute mediaserver mlstrustedsubject;

--- a/mtp.te
+++ b/mtp.te
 # vpn tunneling protocol manager
 type mtp, domain;
+permissive mtp;
 type mtp_exec, exec_type, file_type;

 init_daemon_domain(mtp)

--- a/netd.te
+++ b/netd.te
 # network manager
 type netd, domain;
+permissive netd;
 type netd_exec, exec_type, file_type;

 init_daemon_domain(netd)

--- a/nfc.te
+++ b/nfc.te
 # nfc subsystem
 type nfc, domain;
+permissive nfc;
 app_domain(nfc)

 # NFC device access.

--- a/ping.te
+++ b/ping.te
 type ping, domain;
+permissive ping;
 type ping_exec, file_type;
 domain_auto_trans(shell, ping_exec, ping)


--- a/ppp.te
+++ b/ppp.te
 # Point to Point Protocol daemon
 type ppp, domain;
+permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;