From d22987b4daf02a8dae5bb10119d9ec5ec9f637cf Mon Sep 17 00:00:00 2001 
From: Jeff Vander Stoep <jeffv@google.com> Date: Tue, 3 Nov 2015 09:54:39 -0800 Subject: [PATCH] Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c --- adbd.te | 2 +- atrace.te | 2 +- attributes | 10 ++++++++++ blkid.te | 2 +- blkid_untrusted.te | 2 +- bluetooth.te | 2 +- bootanim.te | 2 +- clatd.te | 2 +- debuggerd.te | 2 +- dex2oat.te | 2 +- dhcp.te | 2 +- dnsmasq.te | 2 +- domain_deprecated.te | 1 + drmserver.te | 2 +- dumpstate.te | 2 +- fingerprintd.te | 2 +- fsck.te | 2 +- fsck_untrusted.te | 2 +- gatekeeperd.te | 2 +- gpsd.te | 2 +- hci_attach.te | 2 +- healthd.te | 2 +- hostapd.te | 2 +- idmap.te | 2 +- init.te | 2 +- inputflinger.te | 2 +- install_recovery.te | 2 +- installd.te | 2 +- isolated_app.te | 2 +- kernel.te | 2 +- keystore.te | 2 +- lmkd.te | 2 +- logd.te | 2 +- mdnsd.te | 2 +- mediaserver.te | 2 +- mtp.te | 2 +- netd.te | 2 +- nfc.te | 2 +- perfprofd.te | 2 +- platform_app.te | 2 +- ppp.te | 2 +- priv_app.te | 2 +- racoon.te | 2 +- radio.te | 2 +- recovery.te | 2 +- rild.te | 2 +- runas.te | 2 +- sdcardd.te | 2 +- servicemanager.te | 2 +- sgdisk.te | 2 +- shared_relro.te | 2 +- shell.te | 2 +- slideshow.te | 2 +- su.te | 2 +- surfaceflinger.te | 2 +- system_app.te | 2 +- system_server.te | 2 +- tee.te | 2 +- toolbox.te | 2 +- tzdatacheck.te | 2 +- ueventd.te | 2 +- uncrypt.te | 2 +- untrusted_app.te | 2 +- update_engine.te | 2 +- vdc.te | 2 +- vold.te | 2 +- watchdogd.te | 2 +- wpa.te | 2 +- zygote.te | 2 +- 69 files changed, 78 insertions(+), 67 deletions(-) create mode 100644 
domain_deprecated.te diff --git a/adbd.te b/adbd.te index a35d570b8..1344fdb81 100644 --- a/adbd.te +++ b/adbd.te @@ -1,6 +1,6 @@ # adbd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. -type adbd, domain, mlstrustedsubject; +type adbd, domain, domain_deprecated, mlstrustedsubject; userdebug_or_eng(` allow adbd self:process setcurrent; diff --git a/atrace.te b/atrace.te index 61a5875e9..890a02641 100644 --- a/atrace.te +++ b/atrace.te @@ -3,7 +3,7 @@ type atrace_exec, exec_type, file_type; userdebug_or_eng(` - type atrace, domain; + type atrace, domain, domain_deprecated; init_daemon_domain(atrace) # boottrace services uses /data/misc/boottrace/categories diff --git a/attributes b/attributes index e42edd615..56655c11b 100644 --- a/attributes +++ b/attributes @@ -8,6 +8,16 @@ attribute dev_type; # All types used for processes. attribute domain; +# Temporary attribute used for migrating permissions out of domain. +# Motivation: Domain is overly permissive. Start removing permissions +# from domain and assign them to the domain_deprecated attribute. +# Domain_deprecated and domain can initially be assigned to all +# domains. The goal is to not assign domain_deprecated to new domains +# and to start removing domain_deprecated where it's not required or +# reassigning the appropriate permissions to the inheriting domain +# when necessary. +attribute domain_deprecated; + # All types used for filesystems. attribute fs_type; diff --git a/blkid.te b/blkid.te index 15b6a85eb..23ce3a9da 100644 --- a/blkid.te +++ b/blkid.te @@ -1,5 +1,5 @@ # blkid called from vold -type blkid, domain; +type blkid, domain, domain_deprecated; type blkid_exec, exec_type, file_type; # Allowed read-only access to encrypted devices to extract UUID/label diff --git a/blkid_untrusted.te b/blkid_untrusted.te index df8e447f9..7e53de7ad 100644 --- a/blkid_untrusted.te +++ b/blkid_untrusted.te 
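Review bot: The new comment above `attribute domain_deprecated;` in attributes describes the migration goal but never states that the attribute may only receive rules moved out of `domain`, so nothing here discourages adding fresh allow rules to it later. I would add a line such as `# Do not add new rules to domain_deprecated; only move existing rules here from domain.` Referencing the tracking bug from the commit message (`# Bug: 25433265`) would also give the "temporary" status an owner. Domains declared outside the 69 files touched here (device-specific policy, if any exists) presumably will not carry the attribute and would lose access as rules migrate, which is worth stating in the comment as well.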
@@ -1,5 +1,5 @@ # blkid for untrusted block devices -type blkid_untrusted, domain; +type blkid_untrusted, domain, domain_deprecated; # Allowed read-only access to vold block devices to extract UUID/label allow blkid_untrusted block_device:dir search; diff --git a/bluetooth.te b/bluetooth.te index 4f240fba3..c05de059a 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -1,5 +1,5 @@ # bluetooth subsystem -type bluetooth, domain; +type bluetooth, domain, domain_deprecated; app_domain(bluetooth) net_domain(bluetooth) diff --git a/bootanim.te b/bootanim.te index dd1e57a4d..9e04c04ca 100644 --- a/bootanim.te +++ b/bootanim.te @@ -1,5 +1,5 @@ # bootanimation oneshot service -type bootanim, domain; +type bootanim, domain, domain_deprecated; type bootanim_exec, exec_type, file_type; init_daemon_domain(bootanim) diff --git a/clatd.te b/clatd.te index 21c9ca9ed..3cda6a2a3 100644 --- a/clatd.te +++ b/clatd.te @@ -1,5 +1,5 @@ # 464xlat daemon -type clatd, domain; +type clatd, domain, domain_deprecated; type clatd_exec, exec_type, file_type; net_domain(clatd) diff --git a/debuggerd.te b/debuggerd.te index 4f84813be..0e3cf6805 100644 --- a/debuggerd.te +++ b/debuggerd.te @@ -1,5 +1,5 @@ # debugger interface -type debuggerd, domain; +type debuggerd, domain, domain_deprecated; type debuggerd_exec, exec_type, file_type; init_daemon_domain(debuggerd) diff --git a/dex2oat.te b/dex2oat.te index 0eb3881e9..83a7c8af5 100644 --- a/dex2oat.te +++ b/dex2oat.te @@ -1,5 +1,5 @@ # dex2oat -type dex2oat, domain; +type dex2oat, domain, domain_deprecated; type dex2oat_exec, exec_type, file_type; allow dex2oat dalvikcache_data_file:file write; diff --git a/dhcp.te b/dhcp.te index 078e5125d..548a37c2d 100644 --- a/dhcp.te +++ b/dhcp.te @@ -1,4 +1,4 @@ -type dhcp, domain; +type dhcp, domain, domain_deprecated; type dhcp_exec, exec_type, file_type; type dhcp_data_file, file_type, data_file_type; diff --git a/dnsmasq.te b/dnsmasq.te index d802a3557..e5e4198c0 100644 --- a/dnsmasq.te +++ b/dnsmasq.te 
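Review bot: `type blkid_untrusted, domain, domain_deprecated;` gives a domain that handles untrusted block devices the same legacy attribute as every other domain, and the same applies to the `fsck_untrusted`, `isolated_app` and `untrusted_app` hunks. That keeps this commit behaviour-preserving, since domain_deprecated.te holds no rules yet. These least-trusted domains are where broad inherited permissions matter most, so they should be the first to drop the attribute once rules start moving. A marker comment next to each declaration would make that intent visible, e.g. `# TODO: remove domain_deprecated once required permissions are granted explicitly.`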
@@ -1,5 +1,5 @@ # DNS, DHCP services -type dnsmasq, domain; +type dnsmasq, domain, domain_deprecated; type dnsmasq_exec, exec_type, file_type; net_domain(dnsmasq) diff --git a/domain_deprecated.te b/domain_deprecated.te new file mode 100644 index 000000000..1af20b847 --- /dev/null +++ b/domain_deprecated.te @@ -0,0 +1 @@ +# rules removed from the domain attribute diff --git a/drmserver.te b/drmserver.te index d76d3bebb..3b654cc4f 100644 --- a/drmserver.te +++ b/drmserver.te @@ -1,5 +1,5 @@ # drmserver - DRM service -type drmserver, domain; +type drmserver, domain, domain_deprecated; type drmserver_exec, exec_type, file_type; init_daemon_domain(drmserver) diff --git a/dumpstate.te b/dumpstate.te index 963f8cde3..19eacfd05 100644 --- a/dumpstate.te +++ b/dumpstate.te @@ -1,5 +1,5 @@ # dumpstate -type dumpstate, domain, mlstrustedsubject; +type dumpstate, domain, domain_deprecated, mlstrustedsubject; type dumpstate_exec, exec_type, file_type; init_daemon_domain(dumpstate) diff --git a/fingerprintd.te b/fingerprintd.te index 4ceb68dd3..1c0ab1c9e 100644 --- a/fingerprintd.te +++ b/fingerprintd.te @@ -1,4 +1,4 @@ -type fingerprintd, domain; +type fingerprintd, domain, domain_deprecated; type fingerprintd_exec, exec_type, file_type; # fingerprintd diff --git a/fsck.te b/fsck.te index 8c1aaf361..e90a49e9b 100644 --- a/fsck.te +++ b/fsck.te @@ -1,5 +1,5 @@ # Any fsck program run by init -type fsck, domain; +type fsck, domain, domain_deprecated; type fsck_exec, exec_type, file_type; init_daemon_domain(fsck) diff --git a/fsck_untrusted.te b/fsck_untrusted.te index 67c67b762..4f01db215 100644 --- a/fsck_untrusted.te +++ b/fsck_untrusted.te @@ -1,5 +1,5 @@ # Any fsck program run on untrusted block devices -type fsck_untrusted, domain; +type fsck_untrusted, domain, domain_deprecated; # Inherit and use pty created by android_fork_execvp_ext(). allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; 
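Review bot: The only line in the new domain_deprecated.te, `# rules removed from the domain attribute`, is ambiguous: it can be read as a list of deleted rules rather than rules still granted to some domains. A clearer header would be `# Rules moved out of the domain attribute; granted only to domains that still carry domain_deprecated.` Since this file will accumulate allow rules over time, the header should also say that entries are meant to shrink, not grow.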
diff --git a/gatekeeperd.te b/gatekeeperd.te index ca540c68f..81d7fdf6d 100644 --- a/gatekeeperd.te +++ b/gatekeeperd.te @@ -1,4 +1,4 @@ -type gatekeeperd, domain; +type gatekeeperd, domain, domain_deprecated; type gatekeeperd_exec, exec_type, file_type; # gatekeeperd diff --git a/gpsd.te b/gpsd.te index 4b2222314..07e0feb6d 100644 --- a/gpsd.te +++ b/gpsd.te @@ -1,5 +1,5 @@ # gpsd - GPS daemon -type gpsd, domain; +type gpsd, domain, domain_deprecated; type gpsd_exec, exec_type, file_type; init_daemon_domain(gpsd) diff --git a/hci_attach.te b/hci_attach.te index 3cb0953e5..543cae1a0 100644 --- a/hci_attach.te +++ b/hci_attach.te @@ -1,4 +1,4 @@ -type hci_attach, domain; +type hci_attach, domain, domain_deprecated; type hci_attach_exec, exec_type, file_type; init_daemon_domain(hci_attach) diff --git a/healthd.te b/healthd.te index cd5429be1..48be64d99 100644 --- a/healthd.te +++ b/healthd.te @@ -1,6 +1,6 @@ # healthd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. -type healthd, domain; +type healthd, domain, domain_deprecated; # Write to /dev/kmsg allow healthd kmsg_device:chr_file rw_file_perms; diff --git a/hostapd.te b/hostapd.te index 11145de93..858c28645 100644 --- a/hostapd.te +++ b/hostapd.te @@ -1,5 +1,5 @@ # userspace wifi access points -type hostapd, domain; +type hostapd, domain, domain_deprecated; type hostapd_exec, exec_type, file_type; net_domain(hostapd) diff --git a/idmap.te b/idmap.te index 1ab497ee0..c1b4d0fd8 100644 --- a/idmap.te +++ b/idmap.te @@ -1,5 +1,5 @@ # idmap, when executed by installd -type idmap, domain; +type idmap, domain, domain_deprecated; type idmap_exec, exec_type, file_type; # Use open file to /data/resource-cache file inherited from installd. diff --git a/init.te b/init.te index 1f33a9781..e6c782584 100644 --- a/init.te +++ b/init.te 
@@ -1,5 +1,5 @@ # init is its own domain. -type init, domain, mlstrustedsubject; +type init, domain, domain_deprecated, mlstrustedsubject; tmpfs_domain(init) # The init domain is entered by execing init. diff --git a/inputflinger.te b/inputflinger.te index 11a60a65e..324f3f6cf 100644 --- a/inputflinger.te +++ b/inputflinger.te @@ -1,5 +1,5 @@ # inputflinger -type inputflinger, domain; +type inputflinger, domain, domain_deprecated; type inputflinger_exec, exec_type, file_type; init_daemon_domain(inputflinger) diff --git a/install_recovery.te b/install_recovery.te index 9bef3bb5a..b11ff7497 100644 --- a/install_recovery.te +++ b/install_recovery.te @@ -1,5 +1,5 @@ # service flash_recovery in init.rc -type install_recovery, domain; +type install_recovery, domain, domain_deprecated; type install_recovery_exec, exec_type, file_type; init_daemon_domain(install_recovery) diff --git a/installd.te b/installd.te index 3b4d56aa4..a8cb8d459 100644 --- a/installd.te +++ b/installd.te @@ -1,5 +1,5 @@ # installer daemon -type installd, domain; +type installd, domain, domain_deprecated; type installd_exec, exec_type, file_type; init_daemon_domain(installd) diff --git a/isolated_app.te b/isolated_app.te index f40527316..2cf557895 100644 --- a/isolated_app.te +++ b/isolated_app.te @@ -9,7 +9,7 @@ ### additional following rules: ### -type isolated_app, domain; +type isolated_app, domain, domain_deprecated; app_domain(isolated_app) # Access already open app data files received over Binder or local socket IPC. diff --git a/kernel.te b/kernel.te index 31da2af27..ed6b7ba0a 100644 --- a/kernel.te +++ b/kernel.te @@ -1,5 +1,5 @@ # Life begins with the kernel. -type kernel, domain, mlstrustedsubject; +type kernel, domain, domain_deprecated, mlstrustedsubject; allow kernel self:capability sys_nice; diff --git a/keystore.te b/keystore.te index 83a0e8539..e2338dbec 100644 --- a/keystore.te +++ b/keystore.te 
@@ -1,4 +1,4 @@ -type keystore, domain; +type keystore, domain, domain_deprecated; type keystore_exec, exec_type, file_type; # keystore daemon diff --git a/lmkd.te b/lmkd.te index 3243ddb5f..0d641ca7c 100644 --- a/lmkd.te +++ b/lmkd.te @@ -1,5 +1,5 @@ # lmkd low memory killer daemon -type lmkd, domain, mlstrustedsubject; +type lmkd, domain, domain_deprecated, mlstrustedsubject; type lmkd_exec, exec_type, file_type; init_daemon_domain(lmkd) diff --git a/logd.te b/logd.te index 56d0d2a71..ab09bf50d 100644 --- a/logd.te +++ b/logd.te @@ -1,5 +1,5 @@ # android user-space log manager -type logd, domain, mlstrustedsubject; +type logd, domain, domain_deprecated, mlstrustedsubject; type logd_exec, exec_type, file_type; init_daemon_domain(logd) diff --git a/mdnsd.te b/mdnsd.te index e5fe1e258..43ef26751 100644 --- a/mdnsd.te +++ b/mdnsd.te @@ -1,5 +1,5 @@ # mdns daemon -type mdnsd, domain, mlstrustedsubject; +type mdnsd, domain, domain_deprecated, mlstrustedsubject; type mdnsd_exec, exec_type, file_type; init_daemon_domain(mdnsd) diff --git a/mediaserver.te b/mediaserver.te index 7c180cb52..e1c9a54e4 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -1,5 +1,5 @@ # mediaserver - multimedia daemon -type mediaserver, domain; +type mediaserver, domain, domain_deprecated; type mediaserver_exec, exec_type, file_type; typeattribute mediaserver mlstrustedsubject; diff --git a/mtp.te b/mtp.te index dd7667491..9677abd19 100644 --- a/mtp.te +++ b/mtp.te @@ -1,5 +1,5 @@ # vpn tunneling protocol manager -type mtp, domain; +type mtp, domain, domain_deprecated; type mtp_exec, exec_type, file_type; init_daemon_domain(mtp) diff --git a/netd.te b/netd.te index 81d76c37e..564e91ec0 100644 --- a/netd.te +++ b/netd.te @@ -1,5 +1,5 @@ # network manager -type netd, domain, mlstrustedsubject; +type netd, domain, domain_deprecated, mlstrustedsubject; type netd_exec, exec_type, file_type; init_daemon_domain(netd) diff --git a/nfc.te b/nfc.te index 71841be36..85572e279 100644 --- a/nfc.te 
+++ b/nfc.te @@ -1,5 +1,5 @@ # nfc subsystem -type nfc, domain; +type nfc, domain, domain_deprecated; app_domain(nfc) net_domain(nfc) binder_service(nfc) diff --git a/perfprofd.te b/perfprofd.te index bce990d43..f76d9919a 100644 --- a/perfprofd.te +++ b/perfprofd.te @@ -3,7 +3,7 @@ type perfprofd_exec, exec_type, file_type; userdebug_or_eng(` - type perfprofd, domain, mlstrustedsubject; + type perfprofd, domain, domain_deprecated, mlstrustedsubject; init_daemon_domain(perfprofd) diff --git a/platform_app.te b/platform_app.te index 2afe4d8ac..117b16f35 100644 --- a/platform_app.te +++ b/platform_app.te @@ -2,7 +2,7 @@ ### Apps signed with the platform key. ### -type platform_app, domain; +type platform_app, domain, domain_deprecated; app_domain(platform_app) # Access the network. net_domain(platform_app) diff --git a/ppp.te b/ppp.te index c9b27af55..58b640ae5 100644 --- a/ppp.te +++ b/ppp.te @@ -1,5 +1,5 @@ # Point to Point Protocol daemon -type ppp, domain; +type ppp, domain, domain_deprecated; type ppp_device, dev_type; type ppp_exec, exec_type, file_type; domain_auto_trans(mtp, ppp_exec, ppp) diff --git a/priv_app.te b/priv_app.te index 279a933d2..a92b6eb1f 100644 --- a/priv_app.te +++ b/priv_app.te @@ -1,7 +1,7 @@ ### ### A domain for further sandboxing privileged apps. ### -type priv_app, domain; +type priv_app, domain, domain_deprecated; app_domain(priv_app) # Access the network. net_domain(priv_app) diff --git a/racoon.te b/racoon.te index 6447a3dbc..1a2e54659 100644 --- a/racoon.te +++ b/racoon.te @@ -1,5 +1,5 @@ # IKE key management daemon -type racoon, domain; +type racoon, domain, domain_deprecated; type racoon_exec, exec_type, file_type; init_daemon_domain(racoon) diff --git a/radio.te b/radio.te index a01a11376..448fdb5be 100644 --- a/radio.te +++ b/radio.te @@ -1,5 +1,5 @@ # phone subsystem -type radio, domain, mlstrustedsubject; +type radio, domain, domain_deprecated, mlstrustedsubject; app_domain(radio) net_domain(radio) bluetooth_domain(radio) 
diff --git a/recovery.te b/recovery.te index d5f6c6bee..b4eb28512 100644 --- a/recovery.te +++ b/recovery.te @@ -2,7 +2,7 @@ # Declare the domain unconditionally so we can always reference it # in neverallow rules. -type recovery, domain; +type recovery, domain, domain_deprecated; # But the allow rules are only included in the recovery policy. # Otherwise recovery is only allowed the domain rules. diff --git a/rild.te b/rild.te index ea0e4eddd..bcf31d6ad 100644 --- a/rild.te +++ b/rild.te @@ -1,5 +1,5 @@ # rild - radio interface layer daemon -type rild, domain; +type rild, domain, domain_deprecated; type rild_exec, exec_type, file_type; init_daemon_domain(rild) diff --git a/runas.te b/runas.te index e51515d98..4fa686a2f 100644 --- a/runas.te +++ b/runas.te @@ -1,4 +1,4 @@ -type runas, domain, mlstrustedsubject; +type runas, domain, domain_deprecated, mlstrustedsubject; type runas_exec, exec_type, file_type; # ndk-gdb invokes adb shell run-as. diff --git a/sdcardd.te b/sdcardd.te index a6648200e..056e9f829 100644 --- a/sdcardd.te +++ b/sdcardd.te @@ -1,4 +1,4 @@ -type sdcardd, domain; +type sdcardd, domain, domain_deprecated; type sdcardd_exec, exec_type, file_type; allow sdcardd cgroup:dir create_dir_perms; diff --git a/servicemanager.te b/servicemanager.te index 9947aa7d0..84605d1ac 100644 --- a/servicemanager.te +++ b/servicemanager.te @@ -1,5 +1,5 @@ # servicemanager - the Binder context manager -type servicemanager, domain, mlstrustedsubject; +type servicemanager, domain, domain_deprecated, mlstrustedsubject; type servicemanager_exec, exec_type, file_type; init_daemon_domain(servicemanager) diff --git a/sgdisk.te b/sgdisk.te index 8a689a113..b8d6b3ffc 100644 --- a/sgdisk.te +++ b/sgdisk.te @@ -1,5 +1,5 @@ # sgdisk called from vold -type sgdisk, domain; +type sgdisk, domain, domain_deprecated; type sgdisk_exec, exec_type, file_type; # Allowed to read/write low-level partition tables diff --git a/shared_relro.te b/shared_relro.te index 6a1dfd424..30af14a08 100644 
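Review bot: The context comment in recovery.te, `# Otherwise recovery is only allowed the domain rules.`, is no longer accurate once the declaration becomes `type recovery, domain, domain_deprecated;`. Because the type is declared unconditionally, outside the recovery policy it will now also receive whatever is later granted to `domain_deprecated`. Suggest updating the comment to `# Otherwise recovery is only allowed the domain and domain_deprecated rules.` The rest of the file is outside the hunk, so whether recovery actually needs the rules that will move cannot be confirmed from here.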
--- a/shared_relro.te +++ b/shared_relro.te @@ -1,5 +1,5 @@ # Process which creates/updates shared RELRO files to be used by other apps. -type shared_relro, domain; +type shared_relro, domain, domain_deprecated; # The shared relro process is a Java program forked from the zygote, so it # inherits from app to get basic permissions it needs to run. diff --git a/shell.te b/shell.te index 32ca20dbf..3d2bb5be2 100644 --- a/shell.te +++ b/shell.te @@ -1,5 +1,5 @@ # Domain for shell processes spawned by ADB or console service. -type shell, domain, mlstrustedsubject; +type shell, domain, domain_deprecated, mlstrustedsubject; type shell_exec, exec_type, file_type; # Create and use network sockets. diff --git a/slideshow.te b/slideshow.te index 86d4bff2e..3165a6540 100644 --- a/slideshow.te +++ b/slideshow.te @@ -1,6 +1,6 @@ # slideshow seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. -type slideshow, domain; +type slideshow, domain, domain_deprecated; allow slideshow kmsg_device:chr_file rw_file_perms; wakelock_use(slideshow) diff --git a/su.te b/su.te index 6c4c11504..38e3b0d53 100644 --- a/su.te +++ b/su.te @@ -5,7 +5,7 @@ userdebug_or_eng(` # Domain used for su processes, as well as for adbd and adb shell # after performing an adb root command. The domain definition is # wrapped to ensure that it does not exist at all on -user builds. - type su, domain, mlstrustedsubject; + type su, domain, domain_deprecated, mlstrustedsubject; domain_auto_trans(shell, su_exec, su) # Allow dumpstate to call su on userdebug / eng builds to collect diff --git a/surfaceflinger.te b/surfaceflinger.te index 26a4e48cf..5d1199dd6 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -1,5 +1,5 @@ # surfaceflinger - display compositor service -type surfaceflinger, domain; +type surfaceflinger, domain, domain_deprecated; type surfaceflinger_exec, exec_type, file_type; init_daemon_domain(surfaceflinger) 
diff --git a/system_app.te b/system_app.te index 08e3f5cc5..de9146c5e 100644 --- a/system_app.te +++ b/system_app.te @@ -3,7 +3,7 @@ # com.android.settings. These are not as privileged as the system # server. # -type system_app, domain; +type system_app, domain, domain_deprecated; app_domain(system_app) net_domain(system_app) binder_service(system_app) diff --git a/system_server.te b/system_server.te index b17624346..93849e410 100644 --- a/system_server.te +++ b/system_server.te @@ -2,7 +2,7 @@ # System Server aka system_server spawned by zygote. # Most of the framework services run in this process. # -type system_server, domain, mlstrustedsubject; +type system_server, domain, domain_deprecated, mlstrustedsubject; # Define a type for tmpfs-backed ashmem regions. tmpfs_domain(system_server) diff --git a/tee.te b/tee.te index 7cf6ecd8d..ab625dea9 100644 --- a/tee.te +++ b/tee.te @@ -1,7 +1,7 @@ ## # trusted execution environment (tee) daemon # -type tee, domain; +type tee, domain, domain_deprecated; type tee_exec, exec_type, file_type; type tee_device, dev_type; type tee_data_file, file_type, data_file_type; diff --git a/toolbox.te b/toolbox.te index 43411024c..d2f969ff8 100644 --- a/toolbox.te +++ b/toolbox.te @@ -1,7 +1,7 @@ # Any toolbox command run by init. # At present, the only known usage is for running mkswap via fs_mgr. # Do NOT use this domain for toolbox when run by any other domain. -type toolbox, domain; +type toolbox, domain, domain_deprecated; type toolbox_exec, exec_type, file_type; init_daemon_domain(toolbox) diff --git a/tzdatacheck.te b/tzdatacheck.te index a95dc0d2a..f61cb4716 100644 --- a/tzdatacheck.te +++ b/tzdatacheck.te @@ -1,5 +1,5 @@ # The tzdatacheck command run by init. -type tzdatacheck, domain; +type tzdatacheck, domain, domain_deprecated; type tzdatacheck_exec, exec_type, file_type; init_daemon_domain(tzdatacheck) diff --git a/ueventd.te b/ueventd.te index f4884d703..04a18a303 100644 --- a/ueventd.te +++ b/ueventd.te 
@@ -1,6 +1,6 @@ # ueventd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. -type ueventd, domain; +type ueventd, domain, domain_deprecated; tmpfs_domain(ueventd) # TODO: why is ueventd using __kmsg__ when it should just create diff --git a/uncrypt.te b/uncrypt.te index 93f5a274f..7608538c3 100644 --- a/uncrypt.te +++ b/uncrypt.te @@ -1,5 +1,5 @@ # uncrypt -type uncrypt, domain, mlstrustedsubject; +type uncrypt, domain, domain_deprecated, mlstrustedsubject; type uncrypt_exec, exec_type, file_type; init_daemon_domain(uncrypt) diff --git a/untrusted_app.te b/untrusted_app.te index 0ac3cc9e0..0e715469b 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -20,7 +20,7 @@ ### additional following rules: ### -type untrusted_app, domain; +type untrusted_app, domain, domain_deprecated; app_domain(untrusted_app) net_domain(untrusted_app) bluetooth_domain(untrusted_app) diff --git a/update_engine.te b/update_engine.te index 88b0b722f..839d6b711 100644 --- a/update_engine.te +++ b/update_engine.te @@ -1,5 +1,5 @@ # Domain for update_engine daemon. -type update_engine, domain; +type update_engine, domain, domain_deprecated; type update_engine_exec, exec_type, file_type; type update_engine_data_file, file_type, data_file_type; diff --git a/vdc.te b/vdc.te index 8b6a93a49..54789659e 100644 --- a/vdc.te +++ b/vdc.te @@ -5,7 +5,7 @@ # We also transition into this domain from dumpstate, when # collecting bug reports. -type vdc, domain; +type vdc, domain, domain_deprecated; type vdc_exec, exec_type, file_type; init_daemon_domain(vdc) diff --git a/vold.te b/vold.te index 5ecb5033f..c8952af02 100644 --- a/vold.te +++ b/vold.te @@ -1,5 +1,5 @@ # volume manager -type vold, domain; +type vold, domain, domain_deprecated; type vold_exec, exec_type, file_type; init_daemon_domain(vold) diff --git a/watchdogd.te b/watchdogd.te index 00292a9a9..4077386f0 100644 --- a/watchdogd.te +++ b/watchdogd.te 
@@ -1,4 +1,4 @@ # watchdogd seclabel is specified in init.<board>.rc -type watchdogd, domain; +type watchdogd, domain, domain_deprecated; allow watchdogd watchdog_device:chr_file rw_file_perms; allow watchdogd kmsg_device:chr_file rw_file_perms; diff --git a/wpa.te b/wpa.te index d6fae6390..a562fb75b 100644 --- a/wpa.te +++ b/wpa.te @@ -1,5 +1,5 @@ # wpa - wpa supplicant or equivalent -type wpa, domain; +type wpa, domain, domain_deprecated; type wpa_exec, exec_type, file_type; init_daemon_domain(wpa) diff --git a/zygote.te b/zygote.te index 139df85de..d7a8a997a 100644 --- a/zygote.te +++ b/zygote.te @@ -1,5 +1,5 @@ # zygote -type zygote, domain; +type zygote, domain, domain_deprecated; type zygote_exec, exec_type, file_type; init_daemon_domain(zygote) -- GitLab