Restore app_domain macro and move to private use.

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665

private/bluetooth.te

@@ -3,7 +3,4 @@
 # Socket creation under /data/misc/bluedroid.
 type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 
-# app_domain macro fallout
-tmpfs_domain(bluetooth)
-# Map with PROT_EXEC.
-allow bluetooth bluetooth_tmpfs:file execute;
+app_domain(bluetooth)

private/isolated_app.te

-# app_domain fallout
-tmpfs_domain(isolated_app)
-# Map with PROT_EXEC.
-allow isolated_app isolated_app_tmpfs:file execute;
+app_domain(isolated_app)
 
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;

private/nfc.te

-# app_domain_fallout
-tmpfs_domain(nfc)
+app_domain(nfc)
\ No newline at end of file
-# Map with PROT_EXEC.
-allow nfc nfc_tmpfs:file execute;

private/platform_app.te

-# app_domain fallout
-tmpfs_domain(platform_app)
+app_domain(platform_app)
\ No newline at end of file
-# Map with PROT_EXEC.
-allow platform_app platform_app_tmpfs:file execute;

private/priv_app.te

-# app_domain fallout
-tmpfs_domain(priv_app)
-# Map with PROT_EXEC.
-allow priv_app priv_app_tmpfs:file execute;
+app_domain(priv_app)
 
 # Allow the allocation and use of ptys
 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm

private/radio.te

-# app_domain fallout
-tmpfs_domain(radio)
+app_domain(radio)
\ No newline at end of file
-# Map with PROT_EXEC.
-allow radio radio_tmpfs:file execute;

private/shared_relro.te

-# app_domain fallout
-tmpfs_domain(shared_relro)
-# Map with PROT_EXEC.
-allow shared_relro shared_relro_tmpfs:file execute;
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)

private/shell.te

@@ -4,7 +4,6 @@ allow shell debugfs_tracing:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
 
-# app_domain fallout
-tmpfs_domain(shell)
-# Map with PROT_EXEC.
-allow shell shell_tmpfs:file execute;
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)

private/su.te

@@ -11,8 +11,5 @@ userdebug_or_eng(`
 # su is also permissive to permit setenforce.
   permissive su;
 
-  # app_domain fallout
-  tmpfs_domain(su)
-  # Map with PROT_EXEC.
-  allow su su_tmpfs:file execute;
+  app_domain(su)
 ')

private/system_app.te

-# app_domain fallout
-tmpfs_domain(system_app)
-# Map with PROT_EXEC.
-allow system_app system_app_tmpfs:file execute;
+app_domain(system_app)

private/untrusted_app.te

-# app_domain fallout
-tmpfs_domain(untrusted_app)
-# Map with PROT_EXEC.
-allow untrusted_app untrusted_app_tmpfs:file execute;
+app_domain(untrusted_app)
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm

public/bluetooth.te

 # bluetooth subsystem
 type bluetooth, domain, domain_deprecated;
-app_domain(bluetooth)
+
 net_domain(bluetooth)
 # Allow access to net_admin ioctls
 allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;

public/isolated_app.te

@@ -10,7 +10,6 @@
 ###
 
 type isolated_app, domain;
-app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app app_data_file:file { append read write getattr lock };

public/nfc.te

 # nfc subsystem
 type nfc, domain, domain_deprecated;
-app_domain(nfc)
+
 net_domain(nfc)
 binder_service(nfc)
 

public/platform_app.te

@@ -3,7 +3,7 @@
 ###
 
 type platform_app, domain, domain_deprecated;
-app_domain(platform_app)
+
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.

public/priv_app.te

@@ -2,7 +2,7 @@
 ### A domain for further sandboxing privileged apps.
 ###
 type priv_app, domain, domain_deprecated;
-app_domain(priv_app)
+
 # Access the network.
 net_domain(priv_app)
 # Access bluetooth.

public/radio.te

 # phone subsystem
 type radio, domain, domain_deprecated, mlstrustedsubject;
-app_domain(radio)
+
 net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)

public/shared_relro.te

 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain, domain_deprecated;
 
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;

public/shell.te

@@ -5,10 +5,6 @@ type shell_exec, exec_type, file_type;
 # Create and use network sockets.
 net_domain(shell)
 
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
 # logcat
 read_logd(shell)
 control_logd(shell)

public/su.te

@@ -9,7 +9,6 @@ userdebug_or_eng(`
 
   # Add su to various domains
   net_domain(su)
-  app_domain(su)
 
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;