Clarify the expectations for the unconfined template.

In https://android-review.googlesource.com/66562 , there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.

Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f

te_macros

@@ -72,7 +72,9 @@ allow $1 $2:{ file lnk_file } r_file_perms;
 
 #####################################
 # unconfined_domain(domain)
-# Allow the specified domain to do anything.
+# Allow the specified domain to perform more privileged operations
+# than would be typically allowed. Please see the comments at the
+# top of unconfined.te.
 #
 define(`unconfined_domain', `
 typeattribute $1 mlstrustedsubject;

unconfined.te

+#######################################################
+#
+# This is the unconfined template. This template is the base policy
+# which is used by daemons and other privileged components of
+# Android.
+#
+# Historically, this template was called "unconfined" because it
+# allowed the domain to do anything it wanted. Over time,
+# this has changed, and will continue to change in the future.
+# The rules in this file will be removed when no remaining
+# unconfined domains require it, or when the rules contradict
+# Android security best practices. Domains which need rules not
+# provided by the unconfined template should add them directly to
+# the relevant policy.
+#
+# The use of this template is discouraged.
+######################################################
+
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;