From cc39f637734a8d84bc861b649bfd109290c06401 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 22 Jul 2016 13:13:11 -0700
Subject: [PATCH] Split general policy into public and private components.

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and with it the need for attributes, is kept to a minimum.  For now, almost
all types and avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
---
 Android.mk                                    | 96 ++++++++++++++-----
 access_vectors => private/access_vectors      |  0
 private/adbd.te                               |  3 +
 private/android_hardware_nfc_1_0_service.te   |  2 +
 atrace.te => private/atrace.te                |  0
 private/audioserver.te                        |  3 +
 private/autoplay_app.te                       |  5 +
 private/bluetooth.te                          |  4 +
 private/bootanim.te                           |  3 +
 private/bootstat.te                           |  3 +
 private/cameraserver.te                       |  3 +
 private/cppreopts.te                          |  6 ++
 private/debuggerd.te                          |  3 +
 private/dhcp.te                               |  4 +
 private/drmserver.te                          |  3 +
 private/dumpstate.te                          |  6 ++
 file_contexts => private/file_contexts        |  0
 .../file_contexts_asan                        |  0
 private/fingerprintd.te                       |  3 +
 fs_use => private/fs_use                      |  0
 private/fsck.te                               |  3 +
 private/gatekeeperd.te                        |  3 +
 genfs_contexts => private/genfs_contexts      |  0
 private/hci_attach.te                         |  3 +
 private/hostapd.te                            |  3 +
 private/hwservicemanager.te                   |  3 +
 private/init.te                               | 18 ++++
 .../initial_sid_contexts                      |  0
 initial_sids => private/initial_sids          |  0
 private/inputflinger.te                       |  3 +
 private/install_recovery.te                   |  3 +
 private/installd.te                           | 12 +++
 private/kernel.te                             |  3 +
 keys.conf => private/keys.conf                |  0
 private/keystore.te                           |  3 +
 private/lmkd.te                               |  3 +
 private/logd.te                               |  3 +
 .../mac_permissions.xml                       |  0
 private/mdnsd.te                              |  3 +
 private/mediacodec.te                         |  3 +
 private/mediadrmserver.te                     |  3 +
 private/mediaextractor.te                     |  3 +
 private/mediaserver.te                        |  3 +
 mls => private/mls                            |  0
 mls_macros => private/mls_macros              |  0
 private/mtp.te                                |  3 +
 private/netd.te                               |  9 ++
 private/otapreopt_chroot.te                   |  4 +
 private/otapreopt_slot.te                     |  5 +
 perfprofd.te => private/perfprofd.te          |  0
 .../policy_capabilities                       |  0
 port_contexts => private/port_contexts        |  0
 private/postinstall.te                        |  3 +
 private/postinstall_dexopt.te                 |  5 +
 private/ppp.te                                |  3 +
 .../property_contexts                         |  0
 private/racoon.te                             |  3 +
 private/recovery_persist.te                   |  3 +
 private/recovery_refresh.te                   |  3 +
 private/rild.te                               |  3 +
 roles => private/roles                        |  0
 private/runas.te                              |  4 +
 private/sdcardd.te                            |  3 +
 seapp_contexts => private/seapp_contexts      |  0
 security_classes => private/security_classes  |  0
 service_contexts => private/service_contexts  |  0
 private/servicemanager.te                     |  3 +
 su.te => private/su.te                        |  0
 private/surfaceflinger.te                     |  3 +
 private/system_server.te                      |  6 ++
 private/tee.te                                |  3 +
 private/toolbox.te                            |  3 +
 private/tzdatacheck.te                        |  3 +
 private/ueventd.te                            |  3 +
 private/uncrypt.te                            |  3 +
 private/update_engine.te                      |  3 +
 private/update_engine_common.te               |  5 +
 private/update_verifier.te                    |  3 +
 users => private/users                        |  0
 private/vdc.te                                |  3 +
 private/vold.te                               | 19 ++++
 private/wifi_hal_legacy.te                    |  3 +
 private/wificond.te                           |  3 +
 private/wpa.te                                |  6 ++
 private/zygote.te                             |  3 +
 adbd.te => public/adbd.te                     |  2 -
 .../android_hardware_nfc_1_0_service.te       |  3 -
 app.te => public/app.te                       |  0
 attributes => public/attributes               |  0
 audioserver.te => public/audioserver.te       |  2 -
 autoplay_app.te => public/autoplay_app.te     |  3 -
 .../binderservicedomain.te                    |  0
 blkid.te => public/blkid.te                   |  0
 .../blkid_untrusted.te                        |  0
 bluetooth.te => public/bluetooth.te           |  1 -
 .../bluetoothdomain.te                        |  0
 .../boot_control_hal.te                       |  0
 bootanim.te => public/bootanim.te             |  2 -
 bootstat.te => public/bootstat.te             |  2 -
 cameraserver.te => public/cameraserver.te     |  2 -
 clatd.te => public/clatd.te                   |  0
 cppreopts.te => public/cppreopts.te           |  6 --
 debuggerd.te => public/debuggerd.te           |  1 -
 device.te => public/device.te                 |  0
 dex2oat.te => public/dex2oat.te               |  0
 dhcp.te => public/dhcp.te                     |  2 -
 dnsmasq.te => public/dnsmasq.te               |  0
 domain.te => public/domain.te                 |  0
 .../domain_deprecated.te                      |  0
 drmserver.te => public/drmserver.te           |  1 -
 dumpstate.te => public/dumpstate.te           |  4 -
 file.te => public/file.te                     |  0
 fingerprintd.te => public/fingerprintd.te     |  2 -
 fsck.te => public/fsck.te                     |  2 -
 fsck_untrusted.te => public/fsck_untrusted.te |  0
 gatekeeperd.te => public/gatekeeperd.te       |  1 -
 global_macros => public/global_macros         |  0
 hci_attach.te => public/hci_attach.te         |  2 -
 healthd.te => public/healthd.te               |  0
 hostapd.te => public/hostapd.te               |  2 +-
 .../hwservicemanager.te                       |  2 -
 idmap.te => public/idmap.te                   |  0
 init.te => public/init.te                     | 16 ----
 inputflinger.te => public/inputflinger.te     |  1 -
 .../install_recovery.te                       |  2 -
 installd.te => public/installd.te             | 11 ---
 ioctl_defines => public/ioctl_defines         |  0
 ioctl_macros => public/ioctl_macros           |  0
 isolated_app.te => public/isolated_app.te     |  0
 kernel.te => public/kernel.te                 |  2 -
 keystore.te => public/keystore.te             |  1 -
 lmkd.te => public/lmkd.te                     |  2 -
 logd.te => public/logd.te                     |  2 -
 mdnsd.te => public/mdnsd.te                   |  1 -
 mediacodec.te => public/mediacodec.te         |  2 -
 mediadrmserver.te => public/mediadrmserver.te |  2 -
 mediaextractor.te => public/mediaextractor.te |  2 -
 mediaserver.te => public/mediaserver.te       |  1 -
 mtp.te => public/mtp.te                       |  1 -
 net.te => public/net.te                       |  0
 netd.te => public/netd.te                     |  3 -
 neverallow_macros => public/neverallow_macros |  0
 nfc.te => public/nfc.te                       |  0
 .../otapreopt_chroot.te                       |  3 -
 otapreopt_slot.te => public/otapreopt_slot.te |  3 -
 platform_app.te => public/platform_app.te     |  0
 postinstall.te => public/postinstall.te       |  2 -
 .../postinstall_dexopt.te                     |  4 -
 ppp.te => public/ppp.te                       |  1 -
 .../preopt2cachename.te                       |  0
 priv_app.te => public/priv_app.te             |  0
 profman.te => public/profman.te               |  0
 property.te => public/property.te             |  0
 racoon.te => public/racoon.te                 |  1 -
 radio.te => public/radio.te                   |  0
 recovery.te => public/recovery.te             |  0
 .../recovery_persist.te                       |  2 -
 .../recovery_refresh.te                       |  2 -
 rild.te => public/rild.te                     |  1 -
 runas.te => public/runas.te                   |  2 -
 sdcardd.te => public/sdcardd.te               |  1 -
 service.te => public/service.te               |  0
 servicemanager.te => public/servicemanager.te |  2 -
 sgdisk.te => public/sgdisk.te                 |  0
 shared_relro.te => public/shared_relro.te     |  0
 shell.te => public/shell.te                   |  0
 slideshow.te => public/slideshow.te           |  0
 surfaceflinger.te => public/surfaceflinger.te |  1 -
 system_app.te => public/system_app.te         |  0
 system_server.te => public/system_server.te   |  4 -
 te_macros => public/te_macros                 |  0
 tee.te => public/tee.te                       |  1 -
 toolbox.te => public/toolbox.te               |  2 -
 tzdatacheck.te => public/tzdatacheck.te       |  2 -
 ueventd.te => public/ueventd.te               |  1 -
 uncrypt.te => public/uncrypt.te               |  2 -
 untrusted_app.te => public/untrusted_app.te   |  0
 update_engine.te => public/update_engine.te   |  1 -
 .../update_engine_common.te                   |  3 -
 .../update_verifier.te                        |  2 -
 vdc.te => public/vdc.te                       |  2 -
 vold.te => public/vold.te                     | 18 ----
 watchdogd.te => public/watchdogd.te           |  0
 .../wifi_hal_legacy.te                        |  3 -
 wificond.te => public/wificond.te             |  2 -
 wpa.te => public/wpa.te                       |  3 -
 zygote.te => public/zygote.te                 |  1 -
 187 files changed, 330 insertions(+), 184 deletions(-)
 rename access_vectors => private/access_vectors (100%)
 create mode 100644 private/adbd.te
 create mode 100644 private/android_hardware_nfc_1_0_service.te
 rename atrace.te => private/atrace.te (100%)
 create mode 100644 private/audioserver.te
 create mode 100644 private/autoplay_app.te
 create mode 100644 private/bluetooth.te
 create mode 100644 private/bootanim.te
 create mode 100644 private/bootstat.te
 create mode 100644 private/cameraserver.te
 create mode 100644 private/cppreopts.te
 create mode 100644 private/debuggerd.te
 create mode 100644 private/dhcp.te
 create mode 100644 private/drmserver.te
 create mode 100644 private/dumpstate.te
 rename file_contexts => private/file_contexts (100%)
 rename file_contexts_asan => private/file_contexts_asan (100%)
 create mode 100644 private/fingerprintd.te
 rename fs_use => private/fs_use (100%)
 create mode 100644 private/fsck.te
 create mode 100644 private/gatekeeperd.te
 rename genfs_contexts => private/genfs_contexts (100%)
 create mode 100644 private/hci_attach.te
 create mode 100644 private/hostapd.te
 create mode 100644 private/hwservicemanager.te
 create mode 100644 private/init.te
 rename initial_sid_contexts => private/initial_sid_contexts (100%)
 rename initial_sids => private/initial_sids (100%)
 create mode 100644 private/inputflinger.te
 create mode 100644 private/install_recovery.te
 create mode 100644 private/installd.te
 create mode 100644 private/kernel.te
 rename keys.conf => private/keys.conf (100%)
 create mode 100644 private/keystore.te
 create mode 100644 private/lmkd.te
 create mode 100644 private/logd.te
 rename mac_permissions.xml => private/mac_permissions.xml (100%)
 create mode 100644 private/mdnsd.te
 create mode 100644 private/mediacodec.te
 create mode 100644 private/mediadrmserver.te
 create mode 100644 private/mediaextractor.te
 create mode 100644 private/mediaserver.te
 rename mls => private/mls (100%)
 rename mls_macros => private/mls_macros (100%)
 create mode 100644 private/mtp.te
 create mode 100644 private/netd.te
 create mode 100644 private/otapreopt_chroot.te
 create mode 100644 private/otapreopt_slot.te
 rename perfprofd.te => private/perfprofd.te (100%)
 rename policy_capabilities => private/policy_capabilities (100%)
 rename port_contexts => private/port_contexts (100%)
 create mode 100644 private/postinstall.te
 create mode 100644 private/postinstall_dexopt.te
 create mode 100644 private/ppp.te
 rename property_contexts => private/property_contexts (100%)
 create mode 100644 private/racoon.te
 create mode 100644 private/recovery_persist.te
 create mode 100644 private/recovery_refresh.te
 create mode 100644 private/rild.te
 rename roles => private/roles (100%)
 create mode 100644 private/runas.te
 create mode 100644 private/sdcardd.te
 rename seapp_contexts => private/seapp_contexts (100%)
 rename security_classes => private/security_classes (100%)
 rename service_contexts => private/service_contexts (100%)
 create mode 100644 private/servicemanager.te
 rename su.te => private/su.te (100%)
 create mode 100644 private/surfaceflinger.te
 create mode 100644 private/system_server.te
 create mode 100644 private/tee.te
 create mode 100644 private/toolbox.te
 create mode 100644 private/tzdatacheck.te
 create mode 100644 private/ueventd.te
 create mode 100644 private/uncrypt.te
 create mode 100644 private/update_engine.te
 create mode 100644 private/update_engine_common.te
 create mode 100644 private/update_verifier.te
 rename users => private/users (100%)
 create mode 100644 private/vdc.te
 create mode 100644 private/vold.te
 create mode 100644 private/wifi_hal_legacy.te
 create mode 100644 private/wificond.te
 create mode 100644 private/wpa.te
 create mode 100644 private/zygote.te
 rename adbd.te => public/adbd.te (98%)
 rename android_hardware_nfc_1_0_service.te => public/android_hardware_nfc_1_0_service.te (89%)
 rename app.te => public/app.te (100%)
 rename attributes => public/attributes (100%)
 rename audioserver.te => public/audioserver.te (98%)
 rename autoplay_app.te => public/autoplay_app.te (96%)
 rename binderservicedomain.te => public/binderservicedomain.te (100%)
 rename blkid.te => public/blkid.te (100%)
 rename blkid_untrusted.te => public/blkid_untrusted.te (100%)
 rename bluetooth.te => public/bluetooth.te (97%)
 rename bluetoothdomain.te => public/bluetoothdomain.te (100%)
 rename boot_control_hal.te => public/boot_control_hal.te (100%)
 rename bootanim.te => public/bootanim.te (96%)
 rename bootstat.te => public/bootstat.te (91%)
 rename cameraserver.te => public/cameraserver.te (97%)
 rename clatd.te => public/clatd.te (100%)
 rename cppreopts.te => public/cppreopts.te (80%)
 rename debuggerd.te => public/debuggerd.te (98%)
 rename device.te => public/device.te (100%)
 rename dex2oat.te => public/dex2oat.te (100%)
 rename dhcp.te => public/dhcp.te (92%)
 rename dnsmasq.te => public/dnsmasq.te (100%)
 rename domain.te => public/domain.te (100%)
 rename domain_deprecated.te => public/domain_deprecated.te (100%)
 rename drmserver.te => public/drmserver.te (98%)
 rename dumpstate.te => public/dumpstate.te (98%)
 rename file.te => public/file.te (100%)
 rename fingerprintd.te => public/fingerprintd.te (94%)
 rename fsck.te => public/fsck.te (98%)
 rename fsck_untrusted.te => public/fsck_untrusted.te (100%)
 rename gatekeeperd.te => public/gatekeeperd.te (97%)
 rename global_macros => public/global_macros (100%)
 rename hci_attach.te => public/hci_attach.te (90%)
 rename healthd.te => public/healthd.te (100%)
 rename hostapd.te => public/hostapd.te (97%)
 rename hwservicemanager.te => public/hwservicemanager.te (95%)
 rename idmap.te => public/idmap.te (100%)
 rename init.te => public/init.te (96%)
 rename inputflinger.te => public/inputflinger.te (93%)
 rename install_recovery.te => public/install_recovery.te (96%)
 rename installd.te => public/installd.te (94%)
 rename ioctl_defines => public/ioctl_defines (100%)
 rename ioctl_macros => public/ioctl_macros (100%)
 rename isolated_app.te => public/isolated_app.te (100%)
 rename kernel.te => public/kernel.te (98%)
 rename keystore.te => public/keystore.te (97%)
 rename lmkd.te => public/lmkd.te (97%)
 rename logd.te => public/logd.te (98%)
 rename mdnsd.te => public/mdnsd.te (86%)
 rename mediacodec.te => public/mediacodec.te (96%)
 rename mediadrmserver.te => public/mediadrmserver.te (98%)
 rename mediaextractor.te => public/mediaextractor.te (95%)
 rename mediaserver.te => public/mediaserver.te (99%)
 rename mtp.te => public/mtp.te (92%)
 rename net.te => public/net.te (100%)
 rename netd.te => public/netd.te (97%)
 rename neverallow_macros => public/neverallow_macros (100%)
 rename nfc.te => public/nfc.te (100%)
 rename otapreopt_chroot.te => public/otapreopt_chroot.te (84%)
 rename otapreopt_slot.te => public/otapreopt_slot.te (89%)
 rename platform_app.te => public/platform_app.te (100%)
 rename postinstall.te => public/postinstall.te (95%)
 rename postinstall_dexopt.te => public/postinstall_dexopt.te (91%)
 rename ppp.te => public/ppp.te (92%)
 rename preopt2cachename.te => public/preopt2cachename.te (100%)
 rename priv_app.te => public/priv_app.te (100%)
 rename profman.te => public/profman.te (100%)
 rename property.te => public/property.te (100%)
 rename racoon.te => public/racoon.te (97%)
 rename radio.te => public/radio.te (100%)
 rename recovery.te => public/recovery.te (100%)
 rename recovery_persist.te => public/recovery_persist.te (96%)
 rename recovery_refresh.te => public/recovery_refresh.te (96%)
 rename rild.te => public/rild.te (98%)
 rename runas.te => public/runas.te (92%)
 rename sdcardd.te => public/sdcardd.te (94%)
 rename service.te => public/service.te (100%)
 rename servicemanager.te => public/servicemanager.te (94%)
 rename sgdisk.te => public/sgdisk.te (100%)
 rename shared_relro.te => public/shared_relro.te (100%)
 rename shell.te => public/shell.te (100%)
 rename slideshow.te => public/slideshow.te (100%)
 rename surfaceflinger.te => public/surfaceflinger.te (98%)
 rename system_app.te => public/system_app.te (100%)
 rename system_server.te => public/system_server.te (99%)
 rename te_macros => public/te_macros (100%)
 rename tee.te => public/tee.te (96%)
 rename toolbox.te => public/toolbox.te (97%)
 rename tzdatacheck.te => public/tzdatacheck.te (87%)
 rename ueventd.te => public/ueventd.te (99%)
 rename uncrypt.te => public/uncrypt.te (97%)
 rename untrusted_app.te => public/untrusted_app.te (100%)
 rename update_engine.te => public/update_engine.te (97%)
 rename update_engine_common.te => public/update_engine_common.te (87%)
 rename update_verifier.te => public/update_verifier.te (93%)
 rename vdc.te => public/vdc.te (96%)
 rename vold.te => public/vold.te (90%)
 rename watchdogd.te => public/watchdogd.te (100%)
 rename wifi_hal_legacy.te => public/wifi_hal_legacy.te (91%)
 rename wificond.te => public/wificond.te (98%)
 rename wpa.te => public/wpa.te (95%)
 rename zygote.te => public/zygote.te (99%)

diff --git a/Android.mk b/Android.mk
index 6a4b8a427..7bfe1a7dd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -26,13 +26,49 @@ ifdef BOARD_SEPOLICY_M4DEFS
 LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
 endif
 
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS and the LOCAL_PATH.
-# $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+# sepolicy is now divided into multiple portions:
+# public - policy exported on which non-platform policy developers may write
+#   additional policy.  types and attributes are versioned and included in
+#   delivered non-platform policy, which is to be combined with platform policy.
+# private - platform-only policy required for platform functionality but which
+#  is not exported to vendor policy developers and as such may not be assumed
+#  to exist.
+# mapping - TODO.  This contains policy statements which map the attributes
+#  exposed in the public policy of previous versions to the concrete types used
+#  in this policy to ensure that policy targeting attributes from public
+#  policy from an older platform version continues to work.
+
+# TODO - build process for device:
+# 1) convert policies to CIL:
+#    - private + public platform policy to CIL
+#    - mapping file to CIL (should already be in CIL form)
+#    - non-platform public policy to CIL
+#    - non-platform public + private policy to CIL
+# 2) attributize policy
+#    - TODO: do this for platform policy?
+#    - run script which takes non-platform public and non-platform combined
+#      private + public policy and produces attributized and versioned
+#      non-platform policy
+# 3) combine policy files
+#    - combine mapping, platform and non-platform policy.
+#    - compile output binary policy file
+
+PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+
+###########################################################
+# Compute policy files to be used in policy build.
+# $(1): files to include
+# $(2): directories in which to find files
+###########################################################
+
+define build_policy
+$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
+endef
 
 # Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_device_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+build_device_policy = $(call build_policy, $(1), $(BOARD_SEPOLICY_DIRS))
 
 # Add a file containing only a newline in-between each policy configuration
 # 'contexts' file. This will allow OEM policy configuration files without a
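Review bot: The header comment above `define build_policy` documents `$(1)` and `$(2)` but not that the result is ordered by `$(1)` first and then by the order of the directories in `$(2)`, which is what the callers later in this file rely on when they pass `$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS)` so that m4 sees the platform copy of each file before the board copy. Because `build_policy` no longer adds `$(LOCAL_PATH)` itself, any caller that keeps the old one-argument form now expands `$(2)` to nothing and silently yields an empty file list rather than an error. A line such as `# Output is ordered by $(1), then by the directory order in $(2); callers must pass the directories explicitly.` under `$(2): directories in which to find files` would make both points explicit.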
@@ -92,11 +128,28 @@ endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+platform_policy.conf := $(intermediates)/plat_policy.conf
+$(platform_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(platform_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(platform_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(platform_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+	@mkdir -p $(dir $@)
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-s $^ > $@
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+# TODO: add steps for non-platform public and combined files with checkpolicy
+# support. b/31932523
+
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
+$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
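Review bot: `$(platform_policy.conf)` is built by the new rule at the top of this hunk but nothing in the hunk depends on it, so the target is only reachable if something outside this view names it, and the TODO that follows mentions the non-platform steps without saying that this intermediate is currently unconsumed. Its recipe also duplicates the `sepolicy_policy.conf` recipe below line for line apart from the prerequisite list, which is likely to drift if one of the two is edited later. A comment such as `# plat_policy.conf: platform-only (public + private) policy; not yet consumed, see the TODO below` above `platform_policy.conf :=` would record the intent until the remaining steps land.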
@@ -135,7 +188,8 @@ sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy_recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
+$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
@@ -168,12 +222,10 @@ LOCAL_MODULE_TAGS := tests
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-exp_sepolicy_build_files :=\
-  $(foreach file, $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)), $(sort $(wildcard $(file))))
-
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
+$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=user \
@@ -223,9 +275,9 @@ include $(BUILD_SYSTEM)/base_rules.mk
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.
 
-local_fc_files := $(LOCAL_PATH)/file_contexts
+local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(LOCAL_PATH)/file_contexts_asan
+  local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
@@ -281,7 +333,7 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_file_contexts.tmp := $(intermediates)/general_file_contexts.tmp
-$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts)
+$(general_file_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, file_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -302,7 +354,7 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(call build_policy, seapp_contexts)
+all_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files)
@@ -321,7 +373,7 @@ LOCAL_MODULE_TAGS := tests
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+all_sc_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files)
@@ -339,7 +391,7 @@ LOCAL_MODULE_TAGS := tests
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+$(LOCAL_BUILT_MODULE): $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
 	@mkdir -p $(dir $@)
 	- $(hide) grep -ie '^neverallow' $< > $@
 
@@ -354,7 +406,7 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_pc_files := $(call build_policy, property_contexts)
+all_pc_files := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 all_pcfiles_with_nl := $(call add_nl, $(all_pc_files), $(built_nl))
 
 property_contexts.tmp := $(intermediates)/property_contexts.tmp
@@ -386,7 +438,7 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_property_contexts.tmp := $(intermediates)/general_property_contexts.tmp
-$(general_property_contexts.tmp): $(addprefix $(LOCAL_PATH)/, property_contexts)
+$(general_property_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, property_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -408,7 +460,7 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_svc_files := $(call build_policy, service_contexts)
+all_svc_files := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 all_svcfiles_with_nl := $(call add_nl, $(all_svc_files), $(built_nl))
 
 service_contexts.tmp := $(intermediates)/service_contexts.tmp
@@ -439,7 +491,7 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_service_contexts.tmp := $(intermediates)/general_service_contexts.tmp
-$(general_service_contexts.tmp): $(addprefix $(LOCAL_PATH)/, service_contexts)
+$(general_service_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, service_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -464,11 +516,11 @@ include $(BUILD_SYSTEM)/base_rules.mk
 # Build keys.conf
 mac_perms_keys.tmp := $(intermediates)/keys.tmp
 $(mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
+$(mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
-all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE))
+all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE), $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 
 # Should be synced with keys.conf.
 all_keys := platform media shared testkey
diff --git a/access_vectors b/private/access_vectors
similarity index 100%
rename from access_vectors
rename to private/access_vectors
diff --git a/private/adbd.te b/private/adbd.te
new file mode 100644
index 000000000..cabaf66d5
--- /dev/null
+++ b/private/adbd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(adbd, shell_exec, shell)
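Review bot: The two-line header comment is missing the punctuation between its clauses, so `# type_transition must be private policy the domain_trans rules could stay` reads as a single run-on sentence; `# type_transition rules must live in private policy; the domain_trans rules could stay` / `# public, but conceptually belong with this.` says the same thing clearly. The same comment is pasted verbatim into the new private/audioserver.te, autoplay_app.te, bluetooth.te, bootanim.te, bootstat.te, cameraserver.te, cppreopts.te and debuggerd.te files in this patch. In autoplay_app.te and bluetooth.te the rule that follows is `tmpfs_domain(autoplay_app)` and a sock_file `type_transition` rather than a domain transition, so the `domain_trans` wording does not describe what is there and those two should be reworded to name the actual rule.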
diff --git a/private/android_hardware_nfc_1_0_service.te b/private/android_hardware_nfc_1_0_service.te
new file mode 100644
index 000000000..43368f8ad
--- /dev/null
+++ b/private/android_hardware_nfc_1_0_service.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(android_hardware_nfc_1_0_service)
diff --git a/atrace.te b/private/atrace.te
similarity index 100%
rename from atrace.te
rename to private/atrace.te
diff --git a/private/audioserver.te b/private/audioserver.te
new file mode 100644
index 000000000..64178583a
--- /dev/null
+++ b/private/audioserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(audioserver)
diff --git a/private/autoplay_app.te b/private/autoplay_app.te
new file mode 100644
index 000000000..2e0ec0e4d
--- /dev/null
+++ b/private/autoplay_app.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Define and allow access to our own type for ashmem regions.
+# Label ashmem objects with our own unique type.
+tmpfs_domain(autoplay_app)
diff --git a/private/bluetooth.te b/private/bluetooth.te
new file mode 100644
index 000000000..0abaee66b
--- /dev/null
+++ b/private/bluetooth.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
diff --git a/private/bootanim.te b/private/bootanim.te
new file mode 100644
index 000000000..94fbc1f4f
--- /dev/null
+++ b/private/bootanim.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(bootanim)
diff --git a/private/bootstat.te b/private/bootstat.te
new file mode 100644
index 000000000..caa82fd62
--- /dev/null
+++ b/private/bootstat.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(bootstat)
diff --git a/private/cameraserver.te b/private/cameraserver.te
new file mode 100644
index 000000000..b34d74608
--- /dev/null
+++ b/private/cameraserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(cameraserver)
diff --git a/private/cppreopts.te b/private/cppreopts.te
new file mode 100644
index 000000000..02c13b3a0
--- /dev/null
+++ b/private/cppreopts.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/private/debuggerd.te b/private/debuggerd.te
new file mode 100644
index 000000000..bd835af55
--- /dev/null
+++ b/private/debuggerd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(debuggerd)
diff --git a/private/dhcp.te b/private/dhcp.te
new file mode 100644
index 000000000..67451896e
--- /dev/null
+++ b/private/dhcp.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
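Review bot: The bare `type_transition` on the last line has no comment explaining what it labels, unlike the sock_file transitions elsewhere in this change (bluetooth, system_server) which carry one. A one-liner such as `# Files and dirs dhcp creates under system_data_file are labeled dhcp_data_file` would make the intent clear without consulting public/dhcp.te, where the matching allow rules now live.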
diff --git a/private/drmserver.te b/private/drmserver.te
new file mode 100644
index 000000000..340c454f8
--- /dev/null
+++ b/private/drmserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(drmserver)
diff --git a/private/dumpstate.te b/private/dumpstate.te
new file mode 100644
index 000000000..ad646f4be
--- /dev/null
+++ b/private/dumpstate.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
diff --git a/file_contexts b/private/file_contexts
similarity index 100%
rename from file_contexts
rename to private/file_contexts
diff --git a/file_contexts_asan b/private/file_contexts_asan
similarity index 100%
rename from file_contexts_asan
rename to private/file_contexts_asan
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
new file mode 100644
index 000000000..a733cabd9
--- /dev/null
+++ b/private/fingerprintd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(fingerprintd)
diff --git a/fs_use b/private/fs_use
similarity index 100%
rename from fs_use
rename to private/fs_use
diff --git a/private/fsck.te b/private/fsck.te
new file mode 100644
index 000000000..f3f4c52d2
--- /dev/null
+++ b/private/fsck.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(fsck)
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
new file mode 100644
index 000000000..d050c2edf
--- /dev/null
+++ b/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(gatekeeperd)
diff --git a/genfs_contexts b/private/genfs_contexts
similarity index 100%
rename from genfs_contexts
rename to private/genfs_contexts
diff --git a/private/hci_attach.te b/private/hci_attach.te
new file mode 100644
index 000000000..c8ba3f6b0
--- /dev/null
+++ b/private/hci_attach.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hci_attach)
\ No newline at end of file
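Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker), which differs from every other new private/*.te file in this change and tends to produce noisy diffs on the next edit. Adding a final newline after `init_daemon_domain(hci_attach)` keeps the file consistent with its siblings.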
diff --git a/private/hostapd.te b/private/hostapd.te
new file mode 100644
index 000000000..d895f2916
--- /dev/null
+++ b/private/hostapd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hostapd)
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
new file mode 100644
index 000000000..e15d13db0
--- /dev/null
+++ b/private/hwservicemanager.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hwservicemanager)
diff --git a/private/init.te b/private/init.te
new file mode 100644
index 000000000..c2354548b
--- /dev/null
+++ b/private/init.te
@@ -0,0 +1,18 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+recovery_only(`
+  domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+  domain_auto_trans(init, logcat_exec, logd)
+')
diff --git a/initial_sid_contexts b/private/initial_sid_contexts
similarity index 100%
rename from initial_sid_contexts
rename to private/initial_sid_contexts
diff --git a/initial_sids b/private/initial_sids
similarity index 100%
rename from initial_sids
rename to private/initial_sids
diff --git a/private/inputflinger.te b/private/inputflinger.te
new file mode 100644
index 000000000..0d3782f40
--- /dev/null
+++ b/private/inputflinger.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(inputflinger)
\ No newline at end of file
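Review bot: The file is missing its trailing newline (`\ No newline at end of file`), while the other new private/*.te files in this change all end with one. A final newline after `init_daemon_domain(inputflinger)` would keep the set consistent.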
diff --git a/private/install_recovery.te b/private/install_recovery.te
new file mode 100644
index 000000000..b9b402b56
--- /dev/null
+++ b/private/install_recovery.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
new file mode 100644
index 000000000..50b3821b8
--- /dev/null
+++ b/private/installd.te
@@ -0,0 +1,12 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
diff --git a/private/kernel.te b/private/kernel.te
new file mode 100644
index 000000000..1c2223e57
--- /dev/null
+++ b/private/kernel.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(kernel, init_exec, init)
diff --git a/keys.conf b/private/keys.conf
similarity index 100%
rename from keys.conf
rename to private/keys.conf
diff --git a/private/keystore.te b/private/keystore.te
new file mode 100644
index 000000000..70ad3b24d
--- /dev/null
+++ b/private/keystore.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(keystore)
diff --git a/private/lmkd.te b/private/lmkd.te
new file mode 100644
index 000000000..a5d0d7756
--- /dev/null
+++ b/private/lmkd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
new file mode 100644
index 000000000..52600ac51
--- /dev/null
+++ b/private/logd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(logd)
diff --git a/mac_permissions.xml b/private/mac_permissions.xml
similarity index 100%
rename from mac_permissions.xml
rename to private/mac_permissions.xml
diff --git a/private/mdnsd.te b/private/mdnsd.te
new file mode 100644
index 000000000..54659d1d1
--- /dev/null
+++ b/private/mdnsd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mdnsd)
diff --git a/private/mediacodec.te b/private/mediacodec.te
new file mode 100644
index 000000000..7f88433a1
--- /dev/null
+++ b/private/mediacodec.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
new file mode 100644
index 000000000..5a8e7446c
--- /dev/null
+++ b/private/mediadrmserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediadrmserver)
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
new file mode 100644
index 000000000..8596c1440
--- /dev/null
+++ b/private/mediaextractor.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediaextractor)
diff --git a/private/mediaserver.te b/private/mediaserver.te
new file mode 100644
index 000000000..74b11b07b
--- /dev/null
+++ b/private/mediaserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediaserver)
diff --git a/mls b/private/mls
similarity index 100%
rename from mls
rename to private/mls
diff --git a/mls_macros b/private/mls_macros
similarity index 100%
rename from mls_macros
rename to private/mls_macros
diff --git a/private/mtp.te b/private/mtp.te
new file mode 100644
index 000000000..69e1353b0
--- /dev/null
+++ b/private/mtp.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
new file mode 100644
index 000000000..cc87dcbb4
--- /dev/null
+++ b/private/netd.te
@@ -0,0 +1,9 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
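Review bot: The dnsmasq comment has a typo: "in it's own domain" should be "in its own domain", as the clatd comment two lines later already has it: `# Allow netd to spawn dnsmasq in its own domain`. Since these lines were moved rather than written fresh, this is a good moment to fix it.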
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
new file mode 100644
index 000000000..8e54a790f
--- /dev/null
+++ b/private/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
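Review bot: The comment names a domain `postinstall_ota` that the rule does not use; the transition target is `postinstall_dexopt`. Suggest `# Allow the transition to postinstall_dexopt, to run otapreopt in its own sandbox.` so the comment matches the rule and the grammar ("Allow to transition") is fixed at the same time.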
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
new file mode 100644
index 000000000..519c34274
--- /dev/null
+++ b/private/otapreopt_slot.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
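Review bot: The comment says "the transition from init domain to cppreopts", but the domain being set up here is `otapreopt_slot`; the text looks copy-pasted from private/cppreopts.te. Suggest `# Technically not a daemon but we do want the transition from init domain to otapreopt_slot to occur.` so the comment describes this file's rule.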
diff --git a/perfprofd.te b/private/perfprofd.te
similarity index 100%
rename from perfprofd.te
rename to private/perfprofd.te
diff --git a/policy_capabilities b/private/policy_capabilities
similarity index 100%
rename from policy_capabilities
rename to private/policy_capabilities
diff --git a/port_contexts b/private/port_contexts
similarity index 100%
rename from port_contexts
rename to private/port_contexts
diff --git a/private/postinstall.te b/private/postinstall.te
new file mode 100644
index 000000000..47bf320f3
--- /dev/null
+++ b/private/postinstall.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
new file mode 100644
index 000000000..7596465aa
--- /dev/null
+++ b/private/postinstall_dexopt.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
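Review bot: The comment says "We have to manually transition", but the rule is a `domain_auto_trans`, i.e. an automatic transition keyed on `postinstall_file` rather than `dex2oat_exec`. Presumably the point is that the dex2oat binary in the postinstall image is labeled postinstall_file, so no dedicated entrypoint type is available; if so, `# The dex2oat binary in the postinstall image is labeled postinstall_file, not dex2oat_exec, so the auto transition keys off postinstall_file.` would state that directly. Worth confirming the intent with the author since the rule was moved verbatim.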
diff --git a/private/ppp.te b/private/ppp.te
new file mode 100644
index 000000000..befc20e5e
--- /dev/null
+++ b/private/ppp.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(mtp, ppp_exec, ppp)
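Review bot: The only rule in this file has `mtp` as its source domain, which is surprising in a file named ppp.te, and the generic header comment does not explain it. A short comment such as `# mtp execs the ppp binary and transitions it into the ppp domain` would make the placement self-explanatory; I am inferring the mtp/ppp relationship from the rule itself, so please confirm the wording.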
diff --git a/property_contexts b/private/property_contexts
similarity index 100%
rename from property_contexts
rename to private/property_contexts
diff --git a/private/racoon.te b/private/racoon.te
new file mode 100644
index 000000000..3eeb8151a
--- /dev/null
+++ b/private/racoon.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(racoon)
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
new file mode 100644
index 000000000..3b7462934
--- /dev/null
+++ b/private/recovery_persist.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(recovery_persist)
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
new file mode 100644
index 000000000..8204465d2
--- /dev/null
+++ b/private/recovery_refresh.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(recovery_refresh)
diff --git a/private/rild.te b/private/rild.te
new file mode 100644
index 000000000..ac6a05d36
--- /dev/null
+++ b/private/rild.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(rild)
diff --git a/roles b/private/roles
similarity index 100%
rename from roles
rename to private/roles
diff --git a/private/runas.te b/private/runas.te
new file mode 100644
index 000000000..d791501b3
--- /dev/null
+++ b/private/runas.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
new file mode 100644
index 000000000..55915fed7
--- /dev/null
+++ b/private/sdcardd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
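Review bot: The `type_transition` rule carries no comment describing what it labels, whereas the comparable transitions moved in this change (bluetooth, dhcp's counterpart in vold, system_server) mostly do. Suggest `# Dirs and files sdcardd creates under system_data_file are labeled media_rw_data_file` above the rule so the reader does not have to cross-reference public/sdcardd.te for the allow rules.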
diff --git a/seapp_contexts b/private/seapp_contexts
similarity index 100%
rename from seapp_contexts
rename to private/seapp_contexts
diff --git a/security_classes b/private/security_classes
similarity index 100%
rename from security_classes
rename to private/security_classes
diff --git a/service_contexts b/private/service_contexts
similarity index 100%
rename from service_contexts
rename to private/service_contexts
diff --git a/private/servicemanager.te b/private/servicemanager.te
new file mode 100644
index 000000000..1514b0f37
--- /dev/null
+++ b/private/servicemanager.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(servicemanager)
diff --git a/su.te b/private/su.te
similarity index 100%
rename from su.te
rename to private/su.te
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
new file mode 100644
index 000000000..ae8ab08e4
--- /dev/null
+++ b/private/surfaceflinger.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(surfaceflinger)
diff --git a/private/system_server.te b/private/system_server.te
new file mode 100644
index 000000000..bab3d725f
--- /dev/null
+++ b/private/system_server.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+# Create a socket for connections from debuggerd.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
diff --git a/private/tee.te b/private/tee.te
new file mode 100644
index 000000000..17b276fdd
--- /dev/null
+++ b/private/tee.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(tee)
diff --git a/private/toolbox.te b/private/toolbox.te
new file mode 100644
index 000000000..fd43d5ee6
--- /dev/null
+++ b/private/toolbox.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
new file mode 100644
index 000000000..ee67bb2e5
--- /dev/null
+++ b/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
new file mode 100644
index 000000000..5034db7f9
--- /dev/null
+++ b/private/ueventd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
new file mode 100644
index 000000000..e2b919c74
--- /dev/null
+++ b/private/uncrypt.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
new file mode 100644
index 000000000..01199ebb2
--- /dev/null
+++ b/private/update_engine.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(update_engine);
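Review bot: The trailing semicolon on `init_daemon_domain(update_engine);` is inconsistent with every other `init_daemon_domain(...)` line in this change, which have none. It was presumably moved over verbatim and evidently compiles, but dropping it to `init_daemon_domain(update_engine)` keeps the private files uniform.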
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
new file mode 100644
index 000000000..a7fb58471
--- /dev/null
+++ b/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/private/update_verifier.te b/private/update_verifier.te
new file mode 100644
index 000000000..c5f110b6c
--- /dev/null
+++ b/private/update_verifier.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(update_verifier)
diff --git a/users b/private/users
similarity index 100%
rename from users
rename to private/users
diff --git a/private/vdc.te b/private/vdc.te
new file mode 100644
index 000000000..877e91331
--- /dev/null
+++ b/private/vdc.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(vdc)
diff --git a/private/vold.te b/private/vold.te
new file mode 100644
index 000000000..b2495f688
--- /dev/null
+++ b/private/vold.te
@@ -0,0 +1,19 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
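Review bot: The six `domain_auto_trans`/`domain_trans` macro calls carry trailing semicolons while `init_daemon_domain(vold)` in the same file and the macro calls in the other new private files do not. These lines look moved verbatim and presumably still build, but since the file is being created fresh it is a cheap moment to normalise them to `domain_auto_trans(vold, sgdisk_exec, sgdisk)` style. The `type_transition` statements at the bottom are proper policy statements and correctly keep their semicolons.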
diff --git a/private/wifi_hal_legacy.te b/private/wifi_hal_legacy.te
new file mode 100644
index 000000000..cb2c6dab5
--- /dev/null
+++ b/private/wifi_hal_legacy.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wifi_hal_legacy)
diff --git a/private/wificond.te b/private/wificond.te
new file mode 100644
index 000000000..2e89975d0
--- /dev/null
+++ b/private/wificond.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wificond)
diff --git a/private/wpa.te b/private/wpa.te
new file mode 100644
index 000000000..4bf29cfb5
--- /dev/null
+++ b/private/wpa.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wpa)
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:dir wpa_socket "sockets";
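Review bot: The comment "Create a socket for receiving info from wpa" does not match the rule beneath it, which labels a directory named `sockets` created under `wifi_data_file` as `wpa_socket`, not a socket object. Suggest `# Label the "sockets" dir wpa creates under wifi_data_file as wpa_socket` so the comment describes the actual transition.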
diff --git a/private/zygote.te b/private/zygote.te
new file mode 100644
index 000000000..bab15c7a8
--- /dev/null
+++ b/private/zygote.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(zygote)
diff --git a/adbd.te b/public/adbd.te
similarity index 98%
rename from adbd.te
rename to public/adbd.te
index 45bed8e59..450bc1da3 100644
--- a/adbd.te
+++ b/public/adbd.te
@@ -7,8 +7,6 @@ userdebug_or_eng(`
   allow adbd su:process dyntransition;
 ')
 
-domain_auto_trans(adbd, shell_exec, shell)
-
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
diff --git a/android_hardware_nfc_1_0_service.te b/public/android_hardware_nfc_1_0_service.te
similarity index 89%
rename from android_hardware_nfc_1_0_service.te
rename to public/android_hardware_nfc_1_0_service.te
index f980da43b..79da53b78 100644
--- a/android_hardware_nfc_1_0_service.te
+++ b/public/android_hardware_nfc_1_0_service.te
@@ -2,9 +2,6 @@
 type android_hardware_nfc_1_0_service, domain;
 type android_hardware_nfc_1_0_service_exec, exec_type, file_type;
 
-# may be started by init
-init_daemon_domain(android_hardware_nfc_1_0_service)
-
 # hwbinder access
 hwbinder_use(android_hardware_nfc_1_0_service)
 
diff --git a/app.te b/public/app.te
similarity index 100%
rename from app.te
rename to public/app.te
diff --git a/attributes b/public/attributes
similarity index 100%
rename from attributes
rename to public/attributes
diff --git a/audioserver.te b/public/audioserver.te
similarity index 98%
rename from audioserver.te
rename to public/audioserver.te
index da12649e3..dab4ea54c 100644
--- a/audioserver.te
+++ b/public/audioserver.te
@@ -2,8 +2,6 @@
 type audioserver, domain;
 type audioserver_exec, exec_type, file_type;
 
-init_daemon_domain(audioserver)
-
 r_dir_file(audioserver, sdcard_type)
 
 binder_use(audioserver)
diff --git a/autoplay_app.te b/public/autoplay_app.te
similarity index 96%
rename from autoplay_app.te
rename to public/autoplay_app.te
index f671d5d37..5fe1000be 100644
--- a/autoplay_app.te
+++ b/public/autoplay_app.te
@@ -16,9 +16,6 @@ type autoplay_app, domain;
 allow autoplay_app self:process execmem;
 allow autoplay_app ashmem_device:chr_file execute;
 
-# Define and allow access to our own type for ashmem regions.
-# Label ashmem objects with our own unique type.
-tmpfs_domain(autoplay_app)
 # Map with PROT_EXEC.
 allow autoplay_app autoplay_app_tmpfs:file execute;
 
diff --git a/binderservicedomain.te b/public/binderservicedomain.te
similarity index 100%
rename from binderservicedomain.te
rename to public/binderservicedomain.te
diff --git a/blkid.te b/public/blkid.te
similarity index 100%
rename from blkid.te
rename to public/blkid.te
diff --git a/blkid_untrusted.te b/public/blkid_untrusted.te
similarity index 100%
rename from blkid_untrusted.te
rename to public/blkid_untrusted.te
diff --git a/bluetooth.te b/public/bluetooth.te
similarity index 97%
rename from bluetooth.te
rename to public/bluetooth.te
index d8448a6d9..332d2ab3c 100644
--- a/bluetooth.te
+++ b/public/bluetooth.te
@@ -14,7 +14,6 @@ allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
 allow bluetooth bluetooth_logs_data_file:file create_file_perms;
 
 # Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 allow bluetooth bluetooth_socket:sock_file create_file_perms;
 
 # bluetooth factory file accesses.
diff --git a/bluetoothdomain.te b/public/bluetoothdomain.te
similarity index 100%
rename from bluetoothdomain.te
rename to public/bluetoothdomain.te
diff --git a/boot_control_hal.te b/public/boot_control_hal.te
similarity index 100%
rename from boot_control_hal.te
rename to public/boot_control_hal.te
diff --git a/bootanim.te b/public/bootanim.te
similarity index 96%
rename from bootanim.te
rename to public/bootanim.te
index e18654c2c..abbcacac7 100644
--- a/bootanim.te
+++ b/public/bootanim.te
@@ -2,8 +2,6 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
-init_daemon_domain(bootanim)
-
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)
diff --git a/bootstat.te b/public/bootstat.te
similarity index 91%
rename from bootstat.te
rename to public/bootstat.te
index 44a8c91b8..82d730ccb 100644
--- a/bootstat.te
+++ b/public/bootstat.te
@@ -2,8 +2,6 @@
 type bootstat, domain;
 type bootstat_exec, exec_type, file_type;
 
-init_daemon_domain(bootstat)
-
 # Allow persistent storage in /data/misc/bootstat.
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
diff --git a/cameraserver.te b/public/cameraserver.te
similarity index 97%
rename from cameraserver.te
rename to public/cameraserver.te
index c12b1a2f8..b12d17cc4 100644
--- a/cameraserver.te
+++ b/public/cameraserver.te
@@ -2,8 +2,6 @@
 type cameraserver, domain;
 type cameraserver_exec, exec_type, file_type;
 
-init_daemon_domain(cameraserver)
-
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
 binder_call(cameraserver, appdomain)
diff --git a/clatd.te b/public/clatd.te
similarity index 100%
rename from clatd.te
rename to public/clatd.te
diff --git a/cppreopts.te b/public/cppreopts.te
similarity index 80%
rename from cppreopts.te
rename to public/cppreopts.te
index 66df7eea4..8cbf80187 100644
--- a/cppreopts.te
+++ b/public/cppreopts.te
@@ -7,12 +7,6 @@
 type cppreopts, domain, mlstrustedsubject;
 type cppreopts_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
-
 # Allow cppreopts copy files into the dalvik-cache
 allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
 allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
diff --git a/debuggerd.te b/public/debuggerd.te
similarity index 98%
rename from debuggerd.te
rename to public/debuggerd.te
index 80d3f5c6c..da1314a04 100644
--- a/debuggerd.te
+++ b/public/debuggerd.te
@@ -2,7 +2,6 @@
 type debuggerd, domain, domain_deprecated;
 type debuggerd_exec, exec_type, file_type;
 
-init_daemon_domain(debuggerd)
 typeattribute debuggerd mlstrustedsubject;
 allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
 allow debuggerd self:capability2 { syslog };
diff --git a/device.te b/public/device.te
similarity index 100%
rename from device.te
rename to public/device.te
diff --git a/dex2oat.te b/public/dex2oat.te
similarity index 100%
rename from dex2oat.te
rename to public/dex2oat.te
diff --git a/dhcp.te b/public/dhcp.te
similarity index 92%
rename from dhcp.te
rename to public/dhcp.te
index a051b192d..6b9fb4ad1 100644
--- a/dhcp.te
+++ b/public/dhcp.te
@@ -2,7 +2,6 @@ type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
-init_daemon_domain(dhcp)
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
@@ -21,7 +20,6 @@ allow dhcp proc_net:file write;
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
 
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
 allow dhcp dhcp_data_file:file create_file_perms;
 
diff --git a/dnsmasq.te b/public/dnsmasq.te
similarity index 100%
rename from dnsmasq.te
rename to public/dnsmasq.te
diff --git a/domain.te b/public/domain.te
similarity index 100%
rename from domain.te
rename to public/domain.te
diff --git a/domain_deprecated.te b/public/domain_deprecated.te
similarity index 100%
rename from domain_deprecated.te
rename to public/domain_deprecated.te
diff --git a/drmserver.te b/public/drmserver.te
similarity index 98%
rename from drmserver.te
rename to public/drmserver.te
index d0adf4615..66cc432bd 100644
--- a/drmserver.te
+++ b/public/drmserver.te
@@ -2,7 +2,6 @@
 type drmserver, domain;
 type drmserver_exec, exec_type, file_type;
 
-init_daemon_domain(drmserver)
 typeattribute drmserver mlstrustedsubject;
 
 net_domain(drmserver)
diff --git a/dumpstate.te b/public/dumpstate.te
similarity index 98%
rename from dumpstate.te
rename to public/dumpstate.te
index 9f3370e39..17764c30e 100644
--- a/dumpstate.te
+++ b/public/dumpstate.te
@@ -2,7 +2,6 @@
 type dumpstate, domain, domain_deprecated, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
-init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
 wakelock_use(dumpstate)
@@ -80,9 +79,6 @@ allow dumpstate {
   surfaceflinger
 }:debuggerd dump_backtrace;
 
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
 # Vibrate the device after we're done collecting the bugreport
 # /sys/class/timed_output/vibrator/enable
 # TODO: create a new file class, instead of allowing write access to all of /sys
diff --git a/file.te b/public/file.te
similarity index 100%
rename from file.te
rename to public/file.te
diff --git a/fingerprintd.te b/public/fingerprintd.te
similarity index 94%
rename from fingerprintd.te
rename to public/fingerprintd.te
index 09d39b187..b541e34ef 100644
--- a/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,8 +1,6 @@
 type fingerprintd, domain, domain_deprecated;
 type fingerprintd_exec, exec_type, file_type;
 
-# fingerprintd
-init_daemon_domain(fingerprintd)
 binder_use(fingerprintd)
 
 # need to find KeyStore and add self
diff --git a/fsck.te b/public/fsck.te
similarity index 98%
rename from fsck.te
rename to public/fsck.te
index 9f372ce25..bdbbd3335 100644
--- a/fsck.te
+++ b/public/fsck.te
@@ -2,8 +2,6 @@
 type fsck, domain, domain_deprecated;
 type fsck_exec, exec_type, file_type;
 
-init_daemon_domain(fsck)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow fsck tmpfs:chr_file { read write ioctl };
diff --git a/fsck_untrusted.te b/public/fsck_untrusted.te
similarity index 100%
rename from fsck_untrusted.te
rename to public/fsck_untrusted.te
diff --git a/gatekeeperd.te b/public/gatekeeperd.te
similarity index 97%
rename from gatekeeperd.te
rename to public/gatekeeperd.te
index bc4fe81b4..13d2db729 100644
--- a/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -2,7 +2,6 @@ type gatekeeperd, domain;
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
-init_daemon_domain(gatekeeperd)
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
diff --git a/global_macros b/public/global_macros
similarity index 100%
rename from global_macros
rename to public/global_macros
diff --git a/hci_attach.te b/public/hci_attach.te
similarity index 90%
rename from hci_attach.te
rename to public/hci_attach.te
index 543cae1a0..04b6113e1 100644
--- a/hci_attach.te
+++ b/public/hci_attach.te
@@ -1,8 +1,6 @@
 type hci_attach, domain, domain_deprecated;
 type hci_attach_exec, exec_type, file_type;
 
-init_daemon_domain(hci_attach)
-
 allow hci_attach kernel:system module_request;
 allow hci_attach hci_attach_dev:chr_file rw_file_perms;
 allow hci_attach bluetooth_efs_file:dir r_dir_perms;
diff --git a/healthd.te b/public/healthd.te
similarity index 100%
rename from healthd.te
rename to public/healthd.te
diff --git a/hostapd.te b/public/hostapd.te
similarity index 97%
rename from hostapd.te
rename to public/hostapd.te
index 62f9cc726..b40bdc84a 100644
--- a/hostapd.te
+++ b/public/hostapd.te
@@ -2,7 +2,7 @@
 type hostapd, domain;
 type hostapd_exec, exec_type, file_type;
 
-init_daemon_domain(hostapd)
+
 net_domain(hostapd)
 allow hostapd self:capability { net_admin net_raw };
 
diff --git a/hwservicemanager.te b/public/hwservicemanager.te
similarity index 95%
rename from hwservicemanager.te
rename to public/hwservicemanager.te
index 649e2b8f6..cbb47e525 100644
--- a/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,8 +2,6 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
-init_daemon_domain(hwservicemanager)
-
 # Note that we do not use the binder_* macros here.
 # hwservicemanager only provides name service (aka context manager)
 # for Binder.
diff --git a/idmap.te b/public/idmap.te
similarity index 100%
rename from idmap.te
rename to public/idmap.te
diff --git a/init.te b/public/init.te
similarity index 96%
rename from init.te
rename to public/init.te
index 1512d0b4c..16bafc31d 100644
--- a/init.te
+++ b/public/init.te
@@ -1,6 +1,5 @@
 # init is its own domain.
 type init, domain, domain_deprecated, mlstrustedsubject;
-tmpfs_domain(init)
 
 # The init domain is entered by execing init.
 type init_exec, exec_type, file_type;
@@ -224,21 +223,6 @@ allow init sysfs_type:dir r_dir_perms;
 allow init sysfs_type:lnk_file read;
 allow init sysfs_type:file rw_file_perms;
 
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-recovery_only(`
-  domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
-  domain_auto_trans(init, logcat_exec, logd)
-')
-
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
 allow init misc_logd_file:dir { open create read getattr setattr search };
diff --git a/inputflinger.te b/public/inputflinger.te
similarity index 93%
rename from inputflinger.te
rename to public/inputflinger.te
index b6a5f0b21..bee392fac 100644
--- a/inputflinger.te
+++ b/public/inputflinger.te
@@ -2,7 +2,6 @@
 type inputflinger, domain, domain_deprecated;
 type inputflinger_exec, exec_type, file_type;
 
-init_daemon_domain(inputflinger)
 binder_use(inputflinger)
 binder_service(inputflinger)
 
diff --git a/install_recovery.te b/public/install_recovery.te
similarity index 96%
rename from install_recovery.te
rename to public/install_recovery.te
index b11ff7497..132b03da8 100644
--- a/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,8 +2,6 @@
 type install_recovery, domain, domain_deprecated;
 type install_recovery_exec, exec_type, file_type;
 
-init_daemon_domain(install_recovery)
-
 allow install_recovery self:capability dac_override;
 
 # /system/bin/install-recovery.sh is a shell script.
diff --git a/installd.te b/public/installd.te
similarity index 94%
rename from installd.te
rename to public/installd.te
index 317ae7cea..ead36c17e 100644
--- a/installd.te
+++ b/public/installd.te
@@ -1,8 +1,6 @@
 # installer daemon
 type installd, domain, domain_deprecated;
 type installd_exec, exec_type, file_type;
-
-init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
 
@@ -64,15 +62,6 @@ allow installd dalvikcache_data_file:file create_file_perms;
 allow installd resourcecache_data_file:dir rw_dir_perms;
 allow installd resourcecache_data_file:file create_file_perms;
 
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/ioctl_defines b/public/ioctl_defines
similarity index 100%
rename from ioctl_defines
rename to public/ioctl_defines
diff --git a/ioctl_macros b/public/ioctl_macros
similarity index 100%
rename from ioctl_macros
rename to public/ioctl_macros
diff --git a/isolated_app.te b/public/isolated_app.te
similarity index 100%
rename from isolated_app.te
rename to public/isolated_app.te
diff --git a/kernel.te b/public/kernel.te
similarity index 98%
rename from kernel.te
rename to public/kernel.te
index 3608a1020..556904c1f 100644
--- a/kernel.te
+++ b/public/kernel.te
@@ -67,8 +67,6 @@ userdebug_or_eng(`
   allow kernel nativetest_data_file:file read;
 ')
 
-domain_auto_trans(kernel, init_exec, init)
-
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
diff --git a/keystore.te b/public/keystore.te
similarity index 97%
rename from keystore.te
rename to public/keystore.te
index 3d7bd9210..42150176a 100644
--- a/keystore.te
+++ b/public/keystore.te
@@ -2,7 +2,6 @@ type keystore, domain, domain_deprecated;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
-init_daemon_domain(keystore)
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
diff --git a/lmkd.te b/public/lmkd.te
similarity index 97%
rename from lmkd.te
rename to public/lmkd.te
index 5302bcd56..316036f03 100644
--- a/lmkd.te
+++ b/public/lmkd.te
@@ -2,8 +2,6 @@
 type lmkd, domain, domain_deprecated, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
-init_daemon_domain(lmkd)
-
 allow lmkd self:capability { dac_override sys_resource kill };
 
 # lmkd locks itself in memory, to prevent it from being
diff --git a/logd.te b/public/logd.te
similarity index 98%
rename from logd.te
rename to public/logd.te
index c9072f381..1171ebf26 100644
--- a/logd.te
+++ b/public/logd.te
@@ -2,8 +2,6 @@
 type logd, domain, mlstrustedsubject;
 type logd_exec, exec_type, file_type;
 
-init_daemon_domain(logd)
-
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc)
diff --git a/mdnsd.te b/public/mdnsd.te
similarity index 86%
rename from mdnsd.te
rename to public/mdnsd.te
index a9dc7c565..c32b433c9 100644
--- a/mdnsd.te
+++ b/public/mdnsd.te
@@ -2,7 +2,6 @@
 type mdnsd, domain, mlstrustedsubject;
 type mdnsd_exec, exec_type, file_type;
 
-init_daemon_domain(mdnsd)
 net_domain(mdnsd)
 
 # Read from /proc/net
diff --git a/mediacodec.te b/public/mediacodec.te
similarity index 96%
rename from mediacodec.te
rename to public/mediacodec.te
index 3d3625ab7..0b562c12e 100644
--- a/mediacodec.te
+++ b/public/mediacodec.te
@@ -4,8 +4,6 @@ type mediacodec_exec, exec_type, file_type;
 
 typeattribute mediacodec mlstrustedsubject;
 
-init_daemon_domain(mediacodec)
-
 binder_use(mediacodec)
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
diff --git a/mediadrmserver.te b/public/mediadrmserver.te
similarity index 98%
rename from mediadrmserver.te
rename to public/mediadrmserver.te
index d9368ad37..db8e082f3 100644
--- a/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -5,8 +5,6 @@ type mediadrmserver_exec, exec_type, file_type;
 typeattribute mediadrmserver mlstrustedsubject;
 
 net_domain(mediadrmserver)
-init_daemon_domain(mediadrmserver)
-
 binder_use(mediadrmserver)
 binder_call(mediadrmserver, binderservicedomain)
 binder_call(mediadrmserver, appdomain)
diff --git a/mediaextractor.te b/public/mediaextractor.te
similarity index 95%
rename from mediaextractor.te
rename to public/mediaextractor.te
index fe874479d..ec0ce31a7 100644
--- a/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -4,8 +4,6 @@ type mediaextractor_exec, exec_type, file_type;
 
 typeattribute mediaextractor mlstrustedsubject;
 
-init_daemon_domain(mediaextractor)
-
 binder_use(mediaextractor)
 binder_call(mediaextractor, binderservicedomain)
 binder_call(mediaextractor, appdomain)
diff --git a/mediaserver.te b/public/mediaserver.te
similarity index 99%
rename from mediaserver.te
rename to public/mediaserver.te
index e55c778e9..9e062b809 100644
--- a/mediaserver.te
+++ b/public/mediaserver.te
@@ -5,7 +5,6 @@ type mediaserver_exec, exec_type, file_type;
 typeattribute mediaserver mlstrustedsubject;
 
 net_domain(mediaserver)
-init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
diff --git a/mtp.te b/public/mtp.te
similarity index 92%
rename from mtp.te
rename to public/mtp.te
index 02d4b5633..0ca7cea35 100644
--- a/mtp.te
+++ b/public/mtp.te
@@ -2,7 +2,6 @@
 type mtp, domain, domain_deprecated;
 type mtp_exec, exec_type, file_type;
 
-init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
diff --git a/net.te b/public/net.te
similarity index 100%
rename from net.te
rename to public/net.te
diff --git a/netd.te b/public/netd.te
similarity index 97%
rename from netd.te
rename to public/netd.te
index f01022aab..dc4a1b3ee 100644
--- a/netd.te
+++ b/public/netd.te
@@ -2,7 +2,6 @@
 type netd, domain, domain_deprecated, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
-init_daemon_domain(netd)
 net_domain(netd)
 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
@@ -52,11 +51,9 @@ allow netd net_data_file:dir rw_dir_perms;
 allow netd self:capability fowner;
 
 # Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 allow netd dnsmasq:process signal;
 
 # Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
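Review bot: The comments `# Allow netd to spawn dnsmasq in it's own domain` and `# Allow netd to start clatd in its own domain` are now stale on the new side, because the `domain_auto_trans` rules they described were removed and only `allow netd dnsmasq:process signal;` and `allow netd clatd:process signal;` remain under them. A reader of the public policy would conclude netd can spawn those daemons from this file alone, when the exported rules only grant signal delivery and the transitions presumably live in the private policy now. Suggest rewording both to e.g. `# Allow netd to signal the dnsmasq daemon it spawns (domain transition is defined in the private policy)` and the same for clatd, which also fixes the `it's`/`its` typo while the line is touched.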
diff --git a/neverallow_macros b/public/neverallow_macros
similarity index 100%
rename from neverallow_macros
rename to public/neverallow_macros
diff --git a/nfc.te b/public/nfc.te
similarity index 100%
rename from nfc.te
rename to public/nfc.te
diff --git a/otapreopt_chroot.te b/public/otapreopt_chroot.te
similarity index 84%
rename from otapreopt_chroot.te
rename to public/otapreopt_chroot.te
index 1c5f2eed0..c071f447f 100644
--- a/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -13,9 +13,6 @@ allow otapreopt_chroot labeledfs:filesystem mount;
 # Mounting /vendor can have this side-effect. Ignore denial.
 dontaudit otapreopt_chroot kernel:process setsched;
 
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
-
 # Allow otapreopt to use file descriptors from update-engine. It will
 # close them immediately.
 allow otapreopt_chroot postinstall:fd use;
diff --git a/otapreopt_slot.te b/public/otapreopt_slot.te
similarity index 89%
rename from otapreopt_slot.te
rename to public/otapreopt_slot.te
index 2f4da0a12..5745ba786 100644
--- a/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -6,9 +6,6 @@
 type otapreopt_slot, domain, mlstrustedsubject;
 type otapreopt_slot_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
 
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
 # the directory afterwards. For logging of aggregate size, we need getattr.
diff --git a/platform_app.te b/public/platform_app.te
similarity index 100%
rename from platform_app.te
rename to public/platform_app.te
diff --git a/postinstall.te b/public/postinstall.te
similarity index 95%
rename from postinstall.te
rename to public/postinstall.te
index 0f6bb749b..7fd4dc611 100644
--- a/postinstall.te
+++ b/public/postinstall.te
@@ -30,8 +30,6 @@ binder_call(postinstall, system_server)
 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;
 
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-
 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.
diff --git a/postinstall_dexopt.te b/public/postinstall_dexopt.te
similarity index 91%
rename from postinstall_dexopt.te
rename to public/postinstall_dexopt.te
index e0cc25720..5fdc51031 100644
--- a/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,6 @@
 
 type postinstall_dexopt, domain;
 
-# init_daemon_domain(otapreopt)
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
 allow postinstall_dexopt postinstall_file:dir { getattr search };
@@ -43,9 +42,6 @@ allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
 selinux_check_context(postinstall_dexopt)
 selinux_check_access(postinstall_dexopt)
 
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
 # Postinstall wants to know about our child.
 allow postinstall_dexopt postinstall:process sigchld;
diff --git a/ppp.te b/public/ppp.te
similarity index 92%
rename from ppp.te
rename to public/ppp.te
index 3fb6f2b06..5708822ee 100644
--- a/ppp.te
+++ b/public/ppp.te
@@ -2,7 +2,6 @@
 type ppp, domain, domain_deprecated;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
-domain_auto_trans(mtp, ppp_exec, ppp)
 
 net_domain(ppp)
 
diff --git a/preopt2cachename.te b/public/preopt2cachename.te
similarity index 100%
rename from preopt2cachename.te
rename to public/preopt2cachename.te
diff --git a/priv_app.te b/public/priv_app.te
similarity index 100%
rename from priv_app.te
rename to public/priv_app.te
diff --git a/profman.te b/public/profman.te
similarity index 100%
rename from profman.te
rename to public/profman.te
diff --git a/property.te b/public/property.te
similarity index 100%
rename from property.te
rename to public/property.te
diff --git a/racoon.te b/public/racoon.te
similarity index 97%
rename from racoon.te
rename to public/racoon.te
index c3666bd85..c99740fee 100644
--- a/racoon.te
+++ b/public/racoon.te
@@ -2,7 +2,6 @@
 type racoon, domain, domain_deprecated;
 type racoon_exec, exec_type, file_type;
 
-init_daemon_domain(racoon)
 typeattribute racoon mlstrustedsubject;
 
 net_domain(racoon)
diff --git a/radio.te b/public/radio.te
similarity index 100%
rename from radio.te
rename to public/radio.te
diff --git a/recovery.te b/public/recovery.te
similarity index 100%
rename from recovery.te
rename to public/recovery.te
diff --git a/recovery_persist.te b/public/recovery_persist.te
similarity index 96%
rename from recovery_persist.te
rename to public/recovery_persist.te
index 19a240f89..1abcc7c65 100644
--- a/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -2,8 +2,6 @@
 type recovery_persist, domain;
 type recovery_persist_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_persist)
-
 allow recovery_persist pstorefs:dir search;
 allow recovery_persist pstorefs:file r_file_perms;
 
diff --git a/recovery_refresh.te b/public/recovery_refresh.te
similarity index 96%
rename from recovery_refresh.te
rename to public/recovery_refresh.te
index 9fae1104c..5707e7b28 100644
--- a/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -2,8 +2,6 @@
 type recovery_refresh, domain;
 type recovery_refresh_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_refresh)
-
 allow recovery_refresh pstorefs:dir search;
 allow recovery_refresh pstorefs:file r_file_perms;
 # NB: domain inherits write_logd which hands us write to pmsg_device
diff --git a/rild.te b/public/rild.te
similarity index 98%
rename from rild.te
rename to public/rild.te
index 0d834e19b..85aa04415 100644
--- a/rild.te
+++ b/public/rild.te
@@ -2,7 +2,6 @@
 type rild, domain, domain_deprecated;
 type rild_exec, exec_type, file_type;
 
-init_daemon_domain(rild)
 net_domain(rild)
 allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
 
diff --git a/runas.te b/public/runas.te
similarity index 92%
rename from runas.te
rename to public/runas.te
index 58a1bdc1b..21bd8805f 100644
--- a/runas.te
+++ b/public/runas.te
@@ -1,8 +1,6 @@
 type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
 allow runas adbd:process sigchld;
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
diff --git a/sdcardd.te b/public/sdcardd.te
similarity index 94%
rename from sdcardd.te
rename to public/sdcardd.te
index 846c59b58..52037e6a6 100644
--- a/sdcardd.te
+++ b/public/sdcardd.te
@@ -14,7 +14,6 @@ allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resourc
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;
 
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;
 
diff --git a/service.te b/public/service.te
similarity index 100%
rename from service.te
rename to public/service.te
diff --git a/servicemanager.te b/public/servicemanager.te
similarity index 94%
rename from servicemanager.te
rename to public/servicemanager.te
index 4f07a5594..469c6375c 100644
--- a/servicemanager.te
+++ b/public/servicemanager.te
@@ -2,8 +2,6 @@
 type servicemanager, domain, domain_deprecated, mlstrustedsubject;
 type servicemanager_exec, exec_type, file_type;
 
-init_daemon_domain(servicemanager)
-
 # Note that we do not use the binder_* macros here.
 # servicemanager is unique in that it only provides
 # name service (aka context manager) for Binder.
diff --git a/sgdisk.te b/public/sgdisk.te
similarity index 100%
rename from sgdisk.te
rename to public/sgdisk.te
diff --git a/shared_relro.te b/public/shared_relro.te
similarity index 100%
rename from shared_relro.te
rename to public/shared_relro.te
diff --git a/shell.te b/public/shell.te
similarity index 100%
rename from shell.te
rename to public/shell.te
diff --git a/slideshow.te b/public/slideshow.te
similarity index 100%
rename from slideshow.te
rename to public/slideshow.te
diff --git a/surfaceflinger.te b/public/surfaceflinger.te
similarity index 98%
rename from surfaceflinger.te
rename to public/surfaceflinger.te
index d02fc9349..5175f83f8 100644
--- a/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -2,7 +2,6 @@
 type surfaceflinger, domain, domain_deprecated;
 type surfaceflinger_exec, exec_type, file_type;
 
-init_daemon_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
 
 # Perform Binder IPC.
diff --git a/system_app.te b/public/system_app.te
similarity index 100%
rename from system_app.te
rename to public/system_app.te
diff --git a/system_server.te b/public/system_server.te
similarity index 99%
rename from system_server.te
rename to public/system_server.te
index b9fe97b71..c243bc64c 100644
--- a/system_server.te
+++ b/public/system_server.te
@@ -4,9 +4,6 @@
 #
 type system_server, domain, domain_deprecated, mlstrustedsubject;
 
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -369,7 +366,6 @@ allow system_server system_wpa_socket:sock_file create_file_perms;
 allow system_server wpa_socket:sock_file unlink;
 
 # Create a socket for connections from debuggerd.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
diff --git a/te_macros b/public/te_macros
similarity index 100%
rename from te_macros
rename to public/te_macros
diff --git a/tee.te b/public/tee.te
similarity index 96%
rename from tee.te
rename to public/tee.te
index 3d4cc2fba..a95be8834 100644
--- a/tee.te
+++ b/public/tee.te
@@ -6,7 +6,6 @@ type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
 
-init_daemon_domain(tee)
 allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
diff --git a/toolbox.te b/public/toolbox.te
similarity index 97%
rename from toolbox.te
rename to public/toolbox.te
index 7767079dc..59c3a9c73 100644
--- a/toolbox.te
+++ b/public/toolbox.te
@@ -4,8 +4,6 @@
 type toolbox, domain;
 type toolbox_exec, exec_type, file_type;
 
-init_daemon_domain(toolbox)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow toolbox tmpfs:chr_file { read write ioctl };
diff --git a/tzdatacheck.te b/public/tzdatacheck.te
similarity index 87%
rename from tzdatacheck.te
rename to public/tzdatacheck.te
index f61cb4716..37daa7516 100644
--- a/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -2,7 +2,5 @@
 type tzdatacheck, domain, domain_deprecated;
 type tzdatacheck_exec, exec_type, file_type;
 
-init_daemon_domain(tzdatacheck)
-
 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
 allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/ueventd.te b/public/ueventd.te
similarity index 99%
rename from ueventd.te
rename to public/ueventd.te
index d4880fad1..46787c4de 100644
--- a/ueventd.te
+++ b/public/ueventd.te
@@ -1,7 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain, domain_deprecated;
-tmpfs_domain(ueventd)
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/uncrypt.te b/public/uncrypt.te
similarity index 97%
rename from uncrypt.te
rename to public/uncrypt.te
index 308e0f629..ef1289c32 100644
--- a/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,8 +2,6 @@
 type uncrypt, domain, domain_deprecated, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
-init_daemon_domain(uncrypt)
-
 allow uncrypt self:capability dac_override;
 
 # Read OTA zip file from /data/data/com.google.android.gsf/app_download
diff --git a/untrusted_app.te b/public/untrusted_app.te
similarity index 100%
rename from untrusted_app.te
rename to public/untrusted_app.te
diff --git a/update_engine.te b/public/update_engine.te
similarity index 97%
rename from update_engine.te
rename to public/update_engine.te
index fa3f05ccb..a3dee0db7 100644
--- a/update_engine.te
+++ b/public/update_engine.te
@@ -4,7 +4,6 @@ type update_engine, domain, domain_deprecated, update_engine_common, boot_contro
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
-init_daemon_domain(update_engine);
 net_domain(update_engine);
 
 # Following permissions are needed for update_engine.
diff --git a/update_engine_common.te b/public/update_engine_common.te
similarity index 87%
rename from update_engine_common.te
rename to public/update_engine_common.te
index e70e44db1..29581dde4 100644
--- a/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -24,9 +24,6 @@ allow update_engine_common postinstall_file:file rx_file_perms;
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
diff --git a/update_verifier.te b/public/update_verifier.te
similarity index 93%
rename from update_verifier.te
rename to public/update_verifier.te
index 09d5fc4bc..731b6230a 100644
--- a/update_verifier.te
+++ b/public/update_verifier.te
@@ -3,8 +3,6 @@
 type update_verifier, domain, boot_control_hal;
 type update_verifier_exec, exec_type, file_type;
 
-init_daemon_domain(update_verifier)
-
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
 
diff --git a/vdc.te b/public/vdc.te
similarity index 96%
rename from vdc.te
rename to public/vdc.te
index d31be658e..394ac96aa 100644
--- a/vdc.te
+++ b/public/vdc.te
@@ -8,8 +8,6 @@
 type vdc, domain, domain_deprecated;
 type vdc_exec, exec_type, file_type;
 
-init_daemon_domain(vdc)
-
 unix_socket_connect(vdc, vold, vold)
 
 # vdc sends information back to dumpstate when "adb bugreport" is used
diff --git a/vold.te b/public/vold.te
similarity index 90%
rename from vold.te
rename to public/vold.te
index 6e0fa1648..afe55c071 100644
--- a/vold.te
+++ b/public/vold.te
@@ -2,12 +2,6 @@
 type vold, domain, domain_deprecated;
 type vold_exec, exec_type, file_type;
 
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;
 allow vold cache_file:file { getattr read };
@@ -25,13 +19,6 @@ allow vold sysfs_zram_uevent:file w_file_perms;
 r_dir_file(vold, rootfs)
 allow vold proc_meminfo:file r_file_perms;
 
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
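Review bot: The comment `# Allow us to jump into execution domains of above tools` above `allow vold self:process setexec;` no longer has any "above tools" to refer to, since the `domain_trans(vold, shell_exec, blkid)` / `blkid_untrusted` / `fsck` / `fsck_untrusted` rules were removed from this file. That leaves a bare setexec grant in the exported policy with no statement of which domains vold is expected to enter, which matters because setexec is what lets vold pick the target context at exec time. Suggest `# Allow vold to setexec into the blkid/fsck probing domains; the domain_trans rules defining those targets are kept in the private policy`, hedging the location if the private file name differs.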
@@ -58,11 +45,6 @@ allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms
 allow vold media_rw_data_file:dir create_dir_perms;
 allow vold media_rw_data_file:file create_file_perms;
 
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
 # Allow mounting of storage devices
 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
 allow vold sdcard_type:filesystem { mount unmount remount };
diff --git a/watchdogd.te b/public/watchdogd.te
similarity index 100%
rename from watchdogd.te
rename to public/watchdogd.te
diff --git a/wifi_hal_legacy.te b/public/wifi_hal_legacy.te
similarity index 91%
rename from wifi_hal_legacy.te
rename to public/wifi_hal_legacy.te
index a7fce5729..ccdd96ca2 100644
--- a/wifi_hal_legacy.te
+++ b/public/wifi_hal_legacy.te
@@ -2,9 +2,6 @@
 type wifi_hal_legacy, domain;
 type wifi_hal_legacy_exec, exec_type, file_type;
 
-# may be started by init
-init_daemon_domain(wifi_hal_legacy)
-
 ## hwbinder access
 hwbinder_use(wifi_hal_legacy)
 
diff --git a/wificond.te b/public/wificond.te
similarity index 98%
rename from wificond.te
rename to public/wificond.te
index 673394a2c..82c10c131 100644
--- a/wificond.te
+++ b/public/wificond.te
@@ -2,8 +2,6 @@
 type wificond, domain;
 type wificond_exec, exec_type, file_type;
 
-init_daemon_domain(wificond)
-
 binder_use(wificond)
 binder_call(wificond, system_server)
 binder_call(wificond, wpa)
diff --git a/wpa.te b/public/wpa.te
similarity index 95%
rename from wpa.te
rename to public/wpa.te
index dfb73dc2e..3cb042bda 100644
--- a/wpa.te
+++ b/public/wpa.te
@@ -2,8 +2,6 @@
 type wpa, domain, domain_deprecated;
 type wpa_exec, exec_type, file_type;
 
-init_daemon_domain(wpa)
-
 net_domain(wpa)
 # in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
 allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;
@@ -29,7 +27,6 @@ binder_call(wpa, wificond)
 allow wpa wpa_supplicant_service:service_manager { add find };
 
 # Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:dir wpa_socket "sockets";
 allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 
diff --git a/zygote.te b/public/zygote.te
similarity index 99%
rename from zygote.te
rename to public/zygote.te
index 9f210ed3a..94081ef56 100644
--- a/zygote.te
+++ b/public/zygote.te
@@ -2,7 +2,6 @@
 type zygote, domain, domain_deprecated;
 type zygote_exec, exec_type, file_type;
 
-init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
 allow zygote self:capability { dac_override setgid setuid fowner chown };
-- 
GitLab