Vendor domains must not use Binder am: f5446eb1 am: 2fe065d7

am: 49ce4394 Change-Id: I1b38d903e61188594d0de80be479e7d9e045fb26

Vendor domains must not use Binder am: f5446eb1 am: 2fe065d7
am: 49ce4394 Change-Id: I1b38d903e61188594d0de80be479e7d9e045fb26
68e6109d · Alex Klyubin · android-build-merger · 463f9a49 · 49ce4394 · 68e6109d
Commit 68e6109d authored 8 years ago by Alex Klyubin Committed by android-build-merger 8 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -158,6 +158,7 @@ $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_M
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
@@ -188,6 +189,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -243,6 +245,7 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -342,6 +345,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEP
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit

--- a/private/adbd.te
+++ b/private/adbd.te
 ### ADB daemon
+typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;
 domain_auto_trans(adbd, shell_exec, shell)

--- a/private/atrace.te
+++ b/private/atrace.te
@@ -3,7 +3,7 @@
 type atrace_exec, exec_type, file_type;
 userdebug_or_eng(`
-  type atrace, domain, domain_deprecated;
+  type atrace, domain, coredomain, domain_deprecated;
  init_daemon_domain(atrace)

--- a/private/audioserver.te
+++ b/private/audioserver.te
 # audioserver - audio services daemon
+typeattribute audioserver coredomain;
 type audioserver_exec, exec_type, file_type;
 init_daemon_domain(audioserver)

--- a/private/binder_in_vendor_violators.te
+++ b/private/binder_in_vendor_violators.te
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
--- a/private/blkid.te
+++ b/private/blkid.te
 # blkid called from vold
+typeattribute blkid coredomain;
 type blkid_exec, exec_type, file_type;
 # Allowed read-only access to encrypted devices to extract UUID/label

--- a/private/blkid_untrusted.te
+++ b/private/blkid_untrusted.te
 # blkid for untrusted block devices
+typeattribute blkid_untrusted coredomain;
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
 allow blkid_untrusted vold_device:blk_file r_file_perms;

--- a/private/bluetooth.te
+++ b/private/bluetooth.te
 # bluetooth subsystem
+typeattribute bluetooth coredomain;
 typeattribute bluetooth domain_deprecated;
 app_domain(bluetooth)

--- a/private/bootanim.te
+++ b/private/bootanim.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute bootanim coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(bootanim)
--- a/private/bootstat.te
+++ b/private/bootstat.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute bootstat coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(bootstat)
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
+typeattribute bufferhubd coredomain;
 init_daemon_domain(bufferhubd)
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute cameraserver coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(cameraserver)
--- a/private/charger.te
+++ b/private/charger.te
+typeattribute charger coredomain;
--- a/private/clatd.te
+++ b/private/clatd.te
+typeattribute clatd coredomain;
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute cppreopts coredomain;
-# public, but conceptually should go with this
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(cppreopts)

--- a/private/crash_dump.te
+++ b/private/crash_dump.te
+typeattribute crash_dump coredomain;
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
+typeattribute dex2oat coredomain;
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
 # dexoptanalyzer
-type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, exec_type, file_type;
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.

--- a/private/dhcp.te
+++ b/private/dhcp.te
-# type_transition must be private policy the domain_trans rules could stay
+typeattribute dhcp coredomain;
-# public, but conceptually should go with this
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
--- a/private/dnsmasq.te
+++ b/private/dnsmasq.te
+typeattribute dnsmasq coredomain;