Move domains into per-domain permissive mode.

Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

Move domains into per-domain permissive mode.
Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
50e37b93 · repo sync · b77b3aff · 50e37b93 · 50e37b93 · 50e37b93
Commit 50e37b93 authored 11 years ago by repo sync
--- a/qemud.te
+++ b/qemud.te
 # qemu support daemon
 type qemud, domain;
+permissive qemud;
 type qemud_exec, exec_type, file_type;
 init_daemon_domain(qemud)

--- a/racoon.te
+++ b/racoon.te
 # IKE key management daemon
 type racoon, domain;
+permissive racoon;
 type racoon_exec, exec_type, file_type;
 init_daemon_domain(racoon)

--- a/radio.te
+++ b/radio.te
 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)

--- a/rild.te
+++ b/rild.te
 # rild - radio interface layer daemon
 type rild, domain;
+permissive rild;
 type rild_exec, exec_type, file_type;
 init_daemon_domain(rild)

--- a/sdcardd.te
+++ b/sdcardd.te
 type sdcardd, domain;
+permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 init_daemon_domain(sdcardd)

--- a/servicemanager.te
+++ b/servicemanager.te
 # servicemanager - the Binder context manager
 type servicemanager, domain;
+permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 init_daemon_domain(servicemanager)

--- a/su.te
+++ b/su.te
 type su, domain;
+permissive su;
 type su_exec, file_type;
 domain_auto_trans(shell, su_exec, su)

--- a/surfaceflinger.te
+++ b/surfaceflinger.te
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
+permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)

--- a/system.te
+++ b/system.te
@@ -4,6 +4,7 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
 # Perform binder IPC to any app domain.

--- a/te_macros
+++ b/te_macros
@@ -232,6 +232,7 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
+allow $1 security_file:lnk_file read;
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;

--- a/tee.te
+++ b/tee.te
@@ -2,6 +2,7 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
+permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;

--- a/ueventd.te
+++ b/ueventd.te
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
+permissive ueventd;
 tmpfs_domain(ueventd)
 write_klog(ueventd)
 security_access_policy(ueventd)

--- a/vold.te
+++ b/vold.te
 # volume manager
 type vold, domain;
+permissive vold;
 type vold_exec, exec_type, file_type;
 init_daemon_domain(vold)

--- a/watchdogd.te
+++ b/watchdogd.te
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
+permissive watchdogd;
 allow watchdogd rootfs:file { entrypoint r_file_perms };
 allow watchdogd self:capability mknod;
 allow watchdogd device:dir { add_name write remove_name };

--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
 # wpa - wpa supplicant or equivalent
 type wpa, domain;
+permissive wpa;
 type wpa_exec, exec_type, file_type;
 init_daemon_domain(wpa)

--- a/zygote.te
+++ b/zygote.te
 # zygote
 type zygote, domain;
+permissive zygote;
 type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)