diff --git a/public/adbd.te b/public/adbd.te
index e655a9b0f..36e4bd3f7 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -2,3 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
 type adbd_exec, exec_type, file_type, system_file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/aidl_lazy_test_server.te b/public/aidl_lazy_test_server.te
index ac6ccc65a..2d3b7e738 100644
--- a/public/aidl_lazy_test_server.te
+++ b/public/aidl_lazy_test_server.te
@@ -1,2 +1,6 @@
 type aidl_lazy_test_server, domain;
 type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/apexd.te b/public/apexd.te
index bf4c8cbea..1964bbe04 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -1,3 +1,7 @@
 # apexd -- manager for APEX packages
 type apexd, domain;
 type apexd_exec, exec_type, file_type, system_file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/app.te b/public/app.te
index 0845499fa..864557d66 100644
--- a/public/app.te
+++ b/public/app.te
@@ -7,3 +7,7 @@
 ### zygote spawned apps should be added here.
 ###
 type appdomain_tmpfs, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/app_zygote.te b/public/app_zygote.te
index 4c1ec9652..5c649d2ba 100644
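Review bot: The notice appended to public/adbd.te is only a comment, so nothing visible in this commit prevents an `allow`, `neverallow` or `dontaudit` statement from being added under system/sepolicy/public later; the same holds for every other public/*.te hunk here, which append the identical three lines. Since the notice itself says this directory is the vendor-facing part of the policy, a presubmit or build-time check that rejects those statements under public/ would make the rule enforceable rather than advisory. Whether such a check already exists cannot be told from this diff. The notice also sits after the last declaration, so types appended later will land below it; putting `# DO NOT ADD allow, neverallow, or dontaudit statements here.` with its two companion lines at the top of each file would keep it in view.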
--- a/public/app_zygote.te
+++ b/public/app_zygote.te
@@ -1,6 +1,9 @@
 # app_zygote is an auxiliary zygote process that is used to spawn
 # isolated service processes for individual applications. It is
 # spawned from the regular zygote process as a "child zygote".
-
 type app_zygote, domain;
 type app_zygote_tmpfs, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/artd.te b/public/artd.te
index 0731adc60..3cf8aa078 100644
--- a/public/artd.te
+++ b/public/artd.te
@@ -1,2 +1,6 @@
 # ART service daemon.
 type artd, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/asan_extract.te b/public/asan_extract.te
index ed3421332..cf160d0eb 100644
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@@ -7,3 +7,7 @@ with_asan(`
 type asan_extract, domain, coredomain;
 type asan_extract_exec, exec_type, file_type, system_file_type;
 ')
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/atrace.te b/public/atrace.te
index 7327f84ec..26387c68e 100644
--- a/public/atrace.te
+++ b/public/atrace.te
@@ -1 +1,5 @@
 type atrace, domain, coredomain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/audioserver.te b/public/audioserver.te
index 86ab93134..64a283d72 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -2,3 +2,6 @@ type audioserver, domain; type audioserver_tmpfs, file_type; +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/blkid.te b/public/blkid.te index dabe01452..4e92e720e 100644 --- a/public/blkid.te +++ b/public/blkid.te @@ -1,2 +1,6 @@ # blkid called from vold type blkid, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/bluetooth.te b/public/bluetooth.te index 9b3442aa5..ff868a8b9 100644 --- a/public/bluetooth.te +++ b/public/bluetooth.te @@ -1,2 +1,6 @@ # bluetooth subsystem type bluetooth, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/bootanim.te b/public/bootanim.te index 5962eb24d..47f1160f6 100644 --- a/public/bootanim.te +++ b/public/bootanim.te @@ -1,3 +1,7 @@ # bootanimation oneshot service type bootanim, domain; type bootanim_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/bootstat.te b/public/bootstat.te index 954ebc3ab..437f6bc62 100644 --- a/public/bootstat.te +++ b/public/bootstat.te 
@@ -1,3 +1,7 @@ # bootstat command type bootstat, domain; type bootstat_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/bpfloader.te b/public/bpfloader.te index 81c32ee62..4aae1cfdc 100644 --- a/public/bpfloader.te +++ b/public/bpfloader.te @@ -1 +1,5 @@ type bpfloader, domain, coredomain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/bufferhubd.te b/public/bufferhubd.te index 4d7868d25..e688d5ca6 100644 --- a/public/bufferhubd.te +++ b/public/bufferhubd.te @@ -1,3 +1,7 @@ # bufferhubd type bufferhubd, domain, mlstrustedsubject; type bufferhubd_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/cameraserver.te b/public/cameraserver.te index ab0a1510f..619b38674 100644 --- a/public/cameraserver.te +++ b/public/cameraserver.te @@ -2,3 +2,7 @@ type cameraserver, domain; type cameraserver_exec, system_file_type, exec_type, file_type; type cameraserver_tmpfs, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/charger.te b/public/charger.te index 6b35b02b0..4514fde18 100644 --- a/public/charger.te +++ b/public/charger.te 
@@ -1,2 +1,6 @@
 type charger, charger_type, domain;
 type charger_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/charger_vendor.te b/public/charger_vendor.te
index 9b3e8ec1c..dd8d02086 100644
--- a/public/charger_vendor.te
+++ b/public/charger_vendor.te
@@ -1,3 +1,6 @@
 # Context when health HAL runs charger mode
-
 type charger_vendor, charger_type, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/crash_dump.te b/public/crash_dump.te
index d59b034e2..3146ac493 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -1,2 +1,6 @@
 type crash_dump, domain;
 type crash_dump_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/credstore.te b/public/credstore.te
index 457a40df8..faa23e901 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -1,3 +1,7 @@
 # credstore daemon
 type credstore, domain;
 type credstore_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/device.te b/public/device.te
index f842d339c..beafdf299 100644
--- a/public/device.te
+++ b/public/device.te
@@ -137,3 +137,7 @@ type rootdisk_sysdev, dev_type; # vfio device type vfio_device, dev_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/dhcp.te b/public/dhcp.te index 111a8b85e..0c1fa3097 100644 --- a/public/dhcp.te +++ b/public/dhcp.te @@ -1,2 +1,6 @@ type dhcp, domain; type dhcp_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/dnsmasq.te b/public/dnsmasq.te index 08dd530d2..08ce653cd 100644 --- a/public/dnsmasq.te +++ b/public/dnsmasq.te @@ -1,3 +1,7 @@ # DNS, DHCP services type dnsmasq, domain; type dnsmasq_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/drmserver.te b/public/drmserver.te index 7d90c843f..4b59ee085 100644 --- a/public/drmserver.te +++ b/public/drmserver.te @@ -2,3 +2,7 @@ type drmserver, domain; type drmserver_exec, system_file_type, exec_type, file_type; type drmserver_socket, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/dumpstate.te b/public/dumpstate.te index 349f526c1..dd61ad148 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te 
@@ -1,3 +1,7 @@ # dumpstate type dumpstate, domain, mlstrustedsubject; type dumpstate_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/e2fs.te b/public/e2fs.te index 3e16b96d5..74bab31d9 100644 --- a/public/e2fs.te +++ b/public/e2fs.te @@ -1,2 +1,6 @@ type e2fs, domain, coredomain; type e2fs_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te index dc39a22b5..072f8f6d2 100644 --- a/public/ephemeral_app.te +++ b/public/ephemeral_app.te @@ -12,3 +12,7 @@ ### PackageManager flags an app as ephemeral at install time. type ephemeral_app, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/evsmanagerd.te b/public/evsmanagerd.te index cde0380cc..b436f926b 100644 --- a/public/evsmanagerd.te +++ b/public/evsmanagerd.te @@ -1,2 +1,6 @@ # evsmanager daemon type evsmanagerd, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/extra_free_kbytes.te b/public/extra_free_kbytes.te index aae82ab03..82ba96307 100644 --- a/public/extra_free_kbytes.te +++ b/public/extra_free_kbytes.te 
@@ -1,3 +1,7 @@ # The extra_free_kbytes.sh script run by init. type extra_free_kbytes, domain; type extra_free_kbytes_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/fastbootd.te b/public/fastbootd.te index b23d15e13..360a109c0 100644 --- a/public/fastbootd.te +++ b/public/fastbootd.te @@ -3,3 +3,7 @@ # Declare the domain unconditionally so we can always reference it # in neverallow rules. type fastbootd, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/file.te b/public/file.te index adeb16fb6..cc9f28697 100644 --- a/public/file.te +++ b/public/file.te @@ -627,3 +627,7 @@ with_asan(`type asanwrapper_exec, exec_type, file_type;') # Deprecated in SDK version 28 type audiohal_data_file, file_type, data_file_type, core_data_file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/fingerprintd.te b/public/fingerprintd.te index cb5eaaa86..b40ff3be6 100644 --- a/public/fingerprintd.te +++ b/public/fingerprintd.te @@ -1,2 +1,6 @@ type fingerprintd, domain; type fingerprintd_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/flags_health_check.te b/public/flags_health_check.te index 82c024c36..fbd386cb4 100644 --- a/public/flags_health_check.te 
+++ b/public/flags_health_check.te
@@ -1,3 +1,7 @@
 # The flags_health_check command run by init.
 type flags_health_check, domain, coredomain;
 type flags_health_check_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/fsck.te b/public/fsck.te
index 3a6622c92..cdf7c7979 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -1,3 +1,7 @@
 # Any fsck program run by init
 type fsck, domain;
 type fsck_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index c322b855f..bb58f4dd9 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -1,2 +1,6 @@
 # Any fsck program run on untrusted block devices
 type fsck_untrusted, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 1d6c5d3ff..6120d6034 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -1,2 +1,6 @@
 type gatekeeperd, domain;
 type gatekeeperd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/gmscore_app.te b/public/gmscore_app.te
index b574bf39c..ded865515 100644
--- a/public/gmscore_app.te
+++ b/public/gmscore_app.te
@@ -3,3 +3,7 @@ ### type gmscore_app, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/gpuservice.te b/public/gpuservice.te index c862d0b7f..75f1c342f 100644 --- a/public/gpuservice.te +++ b/public/gpuservice.te @@ -1,2 +1,6 @@ # gpuservice - server for gpu stats and other gpu related services type gpuservice, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te index f66355010..f7ccd6552 100644 --- a/public/hal_graphics_composer.te +++ b/public/hal_graphics_composer.te @@ -1,3 +1,7 @@ type hal_graphics_composer_server_tmpfs, file_type; attribute hal_graphics_composer_client_tmpfs; expandattribute hal_graphics_composer_client_tmpfs true; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/healthd.te b/public/healthd.te index c5dcfb707..69c03c635 100644 --- a/public/healthd.te +++ b/public/healthd.te @@ -1,4 +1,7 @@ # healthd - battery/charger monitoring service daemon # healthd is removed. The type is kept for backwards compatibility. - type healthd, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/heapprofd.te b/public/heapprofd.te index 7ceb23feb..95fadaaff 100644 --- a/public/heapprofd.te +++ b/public/heapprofd.te 
@@ -1 +1,5 @@
 type heapprofd, domain, coredomain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/hwservice.te b/public/hwservice.te
index 9af43fcda..d6f2de45d 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -90,3 +90,7 @@ type hidl_base_hwservice, hwservice_manager_type;
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 9f57aaf94..7ed9583f9 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -1,3 +1,7 @@
 # hwservicemanager - the Binder context manager for HAL services
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/idmap.te b/public/idmap.te
index 426fa46ea..02ff98874 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -1,3 +1,7 @@
 # idmap, when executed by installd
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/incident.te b/public/incident.te index ce57bf650..f3f814036 100644 --- a/public/incident.te +++ b/public/incident.te @@ -6,3 +6,6 @@ # incident type incident, domain; +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/incident_helper.te b/public/incident_helper.te index bca101869..e8aca0406 100644 --- a/public/incident_helper.te +++ b/public/incident_helper.te @@ -3,3 +3,7 @@ # incident_helper type incident_helper, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/incidentd.te b/public/incidentd.te index b03249c88..4a7501de4 100644 --- a/public/incidentd.te +++ b/public/incidentd.te @@ -1,3 +1,6 @@ # incidentd type incidentd, domain; +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/init.te b/public/init.te index 0650ef742..a74983ce4 100644 --- a/public/init.te +++ b/public/init.te @@ -2,3 +2,7 @@ type init, domain, mlstrustedsubject; type init_exec, system_file_type, exec_type, file_type; type init_tmpfs, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/inputflinger.te b/public/inputflinger.te index 4f15180b0..2f44e561f 100644 --- a/public/inputflinger.te +++ b/public/inputflinger.te 
@@ -1,3 +1,7 @@ # inputflinger type inputflinger, domain; type inputflinger_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/installd.te b/public/installd.te index 67eac2f58..53e7239ef 100644 --- a/public/installd.te +++ b/public/installd.te @@ -1,3 +1,7 @@ # installer daemon type installd, domain; type installd_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/isolated_app.te b/public/isolated_app.te index a907dacc2..b231df7db 100644 --- a/public/isolated_app.te +++ b/public/isolated_app.te @@ -7,3 +7,7 @@ ### type isolated_app, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/isolated_compute_app.te b/public/isolated_compute_app.te index f2ae9a1e5..4bfadaa0b 100644 --- a/public/isolated_compute_app.te +++ b/public/isolated_compute_app.te @@ -1 +1,5 @@ type isolated_compute_app, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/kernel.te b/public/kernel.te index c117a1af4..c3fcdad0e 100644 --- a/public/kernel.te +++ b/public/kernel.te 
@@ -1,2 +1,6 @@
 # Life begins with the kernel.
 type kernel, domain, mlstrustedsubject;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/keystore.te b/public/keystore.te
index 675929204..34b6c95a2 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,3 +1,7 @@
 # keystore daemon
 type keystore, domain, keystore2_key_type;
 type keystore_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
index 3c3598487..370be4c8b 100644
--- a/public/keystore_keys.te
+++ b/public/keystore_keys.te
@@ -1,2 +1,6 @@
 # A keystore2 namespace for WI-FI.
 type wifi_key, keystore2_key_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/llkd.te b/public/llkd.te
index 1faa42995..d678c3c27 100644
--- a/public/llkd.te
+++ b/public/llkd.te
@@ -1,3 +1,7 @@
 # llkd Live LocK Daemon
 type llkd, domain, mlstrustedsubject;
 type llkd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/lmkd.te b/public/lmkd.te
index cc7c08d7a..7d05b006f 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -1,3 +1,7 @@
 # lmkd low memory killer daemon
 type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/logd.te b/public/logd.te
index 8099bbcf2..a33ebd521 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -1,3 +1,7 @@
 # android user-space log manager
 type logd, domain, mlstrustedsubject;
 type logd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/logpersist.te b/public/logpersist.te
index 2015664d3..2936584a6 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -1,2 +1,6 @@
 # android debug logging, logpersist domains
 type logpersist, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mdnsd.te b/public/mdnsd.te
index ef7b065d8..c36f5e6ed 100644
--- a/public/mdnsd.te
+++ b/public/mdnsd.te
@@ -1,2 +1,6 @@
 # mdns daemon
 type mdnsd, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index dc86f1117..f6475291e 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -1,3 +1,7 @@ # mediadrmserver - mediadrm daemon type mediadrmserver, domain; type mediadrmserver_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/mediaextractor.te b/public/mediaextractor.te index 7b43a57fc..0943ea3dd 100644 --- a/public/mediaextractor.te +++ b/public/mediaextractor.te @@ -2,3 +2,7 @@ type mediaextractor, domain; type mediaextractor_exec, system_file_type, exec_type, file_type; type mediaextractor_tmpfs, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/mediametrics.te b/public/mediametrics.te index 9dea282eb..34a141564 100644 --- a/public/mediametrics.te +++ b/public/mediametrics.te @@ -1,3 +1,7 @@ # mediametrics - daemon for collecting media.metrics data type mediametrics, domain; type mediametrics_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/mediaprovider.te b/public/mediaprovider.te index 24170a5cf..61dbf4c19 100644 --- a/public/mediaprovider.te +++ b/public/mediaprovider.te @@ -4,3 +4,7 @@ ### type mediaprovider, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/mediaserver.te b/public/mediaserver.te index 022ef1b6a..8be86272d 100644 --- a/public/mediaserver.te +++ b/public/mediaserver.te 
@@ -2,3 +2,7 @@ type mediaserver, domain; type mediaserver_exec, system_file_type, exec_type, file_type; type mediaserver_tmpfs, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te index 02a59cdce..4e131d309 100644 --- a/public/mediaswcodec.te +++ b/public/mediaswcodec.te @@ -1,2 +1,6 @@ type mediaswcodec, domain; type mediaswcodec_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te index 420d03865..cd4a2ac7b 100644 --- a/public/mediatranscoding.te +++ b/public/mediatranscoding.te @@ -1 +1,5 @@ type mediatranscoding, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/modprobe.te b/public/modprobe.te index 5029cee1e..6964fee67 100644 --- a/public/modprobe.te +++ b/public/modprobe.te @@ -1 +1,5 @@ type modprobe, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/mtp.te b/public/mtp.te index 4f3ce9a99..165c43e7b 100644 --- a/public/mtp.te +++ b/public/mtp.te 
@@ -1,2 +1,6 @@ # vpn tunneling protocol manager type mtp, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/net.te b/public/net.te index 8e783cb80..414b5bf74 100644 --- a/public/net.te +++ b/public/net.te @@ -2,3 +2,7 @@ type node, node_type; type netif, netif_type; type port, port_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/netd.te b/public/netd.te index 9c40c1533..bfb305914 100644 --- a/public/netd.te +++ b/public/netd.te @@ -1,3 +1,7 @@ # network manager type netd, domain, mlstrustedsubject; type netd_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te index f04672c11..d53f15226 100644 --- a/public/netutils_wrapper.te +++ b/public/netutils_wrapper.te @@ -1,2 +1,6 @@ type netutils_wrapper, domain; type netutils_wrapper_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/network_stack.te b/public/network_stack.te index feff66460..f909be38b 100644 --- a/public/network_stack.te +++ b/public/network_stack.te 
@@ -1,2 +1,6 @@ # Network stack service app type network_stack, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/nfc.te b/public/nfc.te index e3a03e796..a6e516062 100644 --- a/public/nfc.te +++ b/public/nfc.te @@ -1,2 +1,6 @@ # nfc subsystem type nfc, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te index db8dd1a1e..8a625f554 100644 --- a/public/otapreopt_chroot.te +++ b/public/otapreopt_chroot.te @@ -2,3 +2,7 @@ # TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons. type otapreopt_chroot, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/perfetto.te b/public/perfetto.te index cec0e6f09..6da515a10 100644 --- a/public/perfetto.te +++ b/public/perfetto.te @@ -1 +1,5 @@ type perfetto, domain, coredomain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/performanced.te b/public/performanced.te index 4abb02e94..8da3b49e4 100644 --- a/public/performanced.te +++ b/public/performanced.te 
@@ -1,3 +1,7 @@ # performanced type performanced, domain, mlstrustedsubject; type performanced_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/platform_app.te b/public/platform_app.te index 9b1faf0f6..035a3ef89 100644 --- a/public/platform_app.te +++ b/public/platform_app.te @@ -3,3 +3,7 @@ ### type platform_app, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/postinstall.te b/public/postinstall.te index fac621be8..38b120f90 100644 --- a/public/postinstall.te +++ b/public/postinstall.te @@ -2,3 +2,7 @@ # Extend the permissions in this domain to allow this program to access other # files needed by the specific device on your device's sepolicy directory. type postinstall, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/ppp.te b/public/ppp.te index 29900eaa2..892b61461 100644 --- a/public/ppp.te +++ b/public/ppp.te @@ -1,2 +1,6 @@ # Point to Point Protocol daemon type ppp, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/priv_app.te b/public/priv_app.te index 0761fc30f..03a8c091c 100644 --- a/public/priv_app.te +++ b/public/priv_app.te 
@@ -3,3 +3,7 @@ ### type priv_app, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/prng_seeder.te b/public/prng_seeder.te index 743845282..ae1a2c16c 100644 --- a/public/prng_seeder.te +++ b/public/prng_seeder.te @@ -1,2 +1,6 @@ # PRNG seeder daemon type prng_seeder, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/profman.te b/public/profman.te index f7576966b..34ae4a10c 100644 --- a/public/profman.te +++ b/public/profman.te @@ -1,3 +1,7 @@ # profman type profman, domain; type profman_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/property.te b/public/property.te index 7365d4850..176ffb9cc 100644 --- a/public/property.te +++ b/public/property.te @@ -342,3 +342,7 @@ not_compatible_property(` compatible_property_only(` vendor_internal_prop(vendor_default_prop) ') + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/radio.te b/public/radio.te index 4abb6b498..376248681 100644 --- a/public/radio.te +++ b/public/radio.te 
@@ -1,2 +1,6 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/recovery.te b/public/recovery.te
index 35864ea62..3d3425ce1 100755
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -3,3 +3,7 @@
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
 type recovery, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index 0e8c918ee..329d71426 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -1,3 +1,7 @@
 # android recovery persistent log manager
 type recovery_persist, domain;
 type recovery_persist_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index e8c90eaa1..10bb7be52 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -1,3 +1,7 @@
 # android recovery refresh log manager
 type recovery_refresh, domain;
 type recovery_refresh_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/rkpd_app.te b/public/rkpd_app.te
index 2aaf3b8a1..95b6d06ee 100644
--- a/public/rkpd_app.te
+++ b/public/rkpd_app.te
@@ -4,3 +4,7 @@ ### type rkpdapp, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/rs.te b/public/rs.te index 16b6e9630..80ab39bf0 100644 --- a/public/rs.te +++ b/public/rs.te @@ -1,2 +1,6 @@ type rs, domain, coredomain; type rs_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/rss_hwm_reset.te b/public/rss_hwm_reset.te index 163e1acde..7428a5b2f 100644 --- a/public/rss_hwm_reset.te +++ b/public/rss_hwm_reset.te @@ -1,2 +1,6 @@ # rss_hwm_reset resets RSS high-water mark counters for all procesess. type rss_hwm_reset, domain, coredomain, mlstrustedsubject; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/runas.te b/public/runas.te index 5a57a2686..2ecf9b098 100644 --- a/public/runas.te +++ b/public/runas.te @@ -1,2 +1,6 @@ type runas, domain, mlstrustedsubject; type runas_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/runas_app.te b/public/runas_app.te index cdaa799c9..b160a871c 100644 --- a/public/runas_app.te +++ b/public/runas_app.te 
@@ -1 +1,5 @@
 type runas_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 5eca06273..b7329aeb1 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,2 +1,6 @@
 type sdcardd, domain;
 type sdcardd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/secure_element.te b/public/secure_element.te
index 4ce6714f6..26900cd5e 100644
--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -1,2 +1,6 @@
 # secure_element subsystem
 type secure_element, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/service.te b/public/service.te
index 744929d67..e055b4e18 100644
--- a/public/service.te
+++ b/public/service.te
@@ -354,3 +354,7 @@ type hal_wifi_service, protected_service, hal_service_type, service_manager_type
 type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
 type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
 type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 501f0eb8d..3409993d7 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -1,3 +1,7 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain, mlstrustedsubject;
 type servicemanager_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/sgdisk.te b/public/sgdisk.te
index 21b8960e6..c4468e201 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -1,3 +1,7 @@
 # sgdisk called from vold
 type sgdisk, domain;
 type sgdisk_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 6dd5bd77f..fdee99f78 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,2 +1,6 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/shell.te b/public/shell.te
index e96804827..189976d6e 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,3 +1,7 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/simpleperf.te b/public/simpleperf.te
index 218fee77a..c13d241dd 100644
--- a/public/simpleperf.te
+++ b/public/simpleperf.te
@@ -1 +1,5 @@
 type simpleperf, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 3719d9f4d..f2a6172a5 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -1,2 +1,6 @@
 type simpleperf_app_runner, domain, mlstrustedsubject;
 type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/slideshow.te b/public/slideshow.te
index 0b91e45aa..4ead98c4b 100644
--- a/public/slideshow.te
+++ b/public/slideshow.te
@@ -1,3 +1,7 @@
 # slideshow seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type slideshow, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/statsd.te b/public/statsd.te
index c73ddba43..52f41326d 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -1,2 +1,6 @@
 type statsd, domain, mlstrustedsubject;
 type statsd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/su.te b/public/su.te
index 6e5187a30..6936f67a5 100644
--- a/public/su.te
+++ b/public/su.te
@@ -7,3 +7,7 @@ type su, domain; # File types must be defined for file_contexts. type su_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te index c1e4844a0..531b3da3f 100644 --- a/public/surfaceflinger.te +++ b/public/surfaceflinger.te @@ -1,3 +1,7 @@ # surfaceflinger - display compositor service type surfaceflinger, domain; type surfaceflinger_tmpfs, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/system_app.te b/public/system_app.te index 023058ee0..8e1d5dc14 100644 --- a/public/system_app.te +++ b/public/system_app.te @@ -5,3 +5,7 @@ ### type system_app, domain; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/system_server.te b/public/system_server.te index ff18bdf84..55b163bd4 100644 --- a/public/system_server.te +++ b/public/system_server.te @@ -4,3 +4,7 @@ # type system_server, domain; type system_server_tmpfs, file_type, mlstrustedobject; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/tee.te b/public/tee.te index f023d5c23..a310d944a 100644 --- a/public/tee.te +++ b/public/tee.te 
@@ -5,3 +5,7 @@ type tee, domain; # Device(s) for communicating with the TEE type tee_device, dev_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/tombstoned.te b/public/tombstoned.te index cc5801444..bc572192a 100644 --- a/public/tombstoned.te +++ b/public/tombstoned.te @@ -1,3 +1,7 @@ # debugger interface type tombstoned, domain, mlstrustedsubject; type tombstoned_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/toolbox.te b/public/toolbox.te index 36a657c46..47411bbf7 100644 --- a/public/toolbox.te +++ b/public/toolbox.te @@ -2,3 +2,7 @@ # Do NOT use this domain for toolbox when run by any other domain. type toolbox, domain; type toolbox_exec, system_file_type, exec_type, file_type; + +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/traced.te b/public/traced.te index 48da0d838..79c21ba2b 100644 --- a/public/traced.te +++ b/public/traced.te @@ -1,4 +1,6 @@ type traced, domain, coredomain, mlstrustedsubject; type traced_tmpfs, file_type; - +# system/sepolicy/public is for vendor-facing type and attribute definitions. +# DO NOT ADD allow, neverallow, or dontaudit statements here. +# Instead, add such policy rules to system/sepolicy/private/*.te. diff --git a/public/traced_perf.te b/public/traced_perf.te index f9a0324b1..99d4a1466 100644 --- a/public/traced_perf.te +++ b/public/traced_perf.te 
@@ -1 +1,5 @@
 type traced_perf, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/traced_probes.te b/public/traced_probes.te
index 3e587c8ef..bc782a8aa 100644
--- a/public/traced_probes.te
+++ b/public/traced_probes.te
@@ -1 +1,5 @@
 type traced_probes, domain, coredomain, mlstrustedsubject;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 1df0ccbd0..04df12f7f 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1 +1,5 @@
 type traceur_app, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/ueventd.te b/public/ueventd.te
index 7bf788874..e0bd5ca53 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -2,3 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 type ueventd_tmpfs, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 3ef0ef4e3..55a2b3653 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,3 +1,7 @@
 # uncrypt
 type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index a4ee6f5fc..af1ac27e5 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -34,3 +34,7 @@ type untrusted_app_27, domain;
 # This file defines the rules for untrusted apps running with
 # targetSdkVersion <= 25.
 type untrusted_app_25, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/update_engine.te b/public/update_engine.te
index b4ae92616..3c6c0b0c7 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,3 +1,7 @@
 # Domain for update_engine daemon.
 type update_engine, domain, update_engine_common;
 type update_engine_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/update_verifier.te b/public/update_verifier.te
index ed9a00ae3..a8804cec6 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,3 +1,7 @@
 # update_verifier
 type update_verifier, domain;
 type update_verifier_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/usbd.te b/public/usbd.te
index 6f349541b..9ff08d24c 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,6 @@
 type usbd, domain;
 type usbd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vdc.te b/public/vdc.te
index 1c20c6f7b..04fc39e71 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -4,6 +4,9 @@
 #
 # We also transition into this domain from dumpstate, when
 # collecting bug reports.
-
 type vdc, domain;
 type vdc_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 10db7628a..ef1386e1e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -1,2 +1,6 @@
 # vendor_init is its own domain.
 type vendor_init, domain, mlstrustedsubject;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index d95eecd56..a64eee579 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -1,3 +1,7 @@
 # vendor_misc_writer
 type vendor_misc_writer, domain;
 type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
index 529c4aa27..8ec0abad1 100644
--- a/public/vendor_modprobe.te
+++ b/public/vendor_modprobe.te
@@ -1 +1,5 @@
 type vendor_modprobe, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index 66210228c..1906d0e15 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -1,2 +1,6 @@
 type vendor_shell, domain;
 type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index b6899362b..13969b45b 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -2,3 +2,7 @@
 # Non-vendor processes are not allowed to execute the binary
 # and is always executed without transition.
 type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 294e96603..1e1c94eb2 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -1,2 +1,6 @@
 type virtual_touchpad, domain;
 type virtual_touchpad_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vndservice.te b/public/vndservice.te
index efd9adf92..9f70d9bbc 100644
--- a/public/vndservice.te
+++ b/public/vndservice.te
@@ -1,2 +1,6 @@
 type service_manager_vndservice, vndservice_manager_type;
 type default_android_vndservice, vndservice_manager_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
index 6b9f73dc0..60af16b57 100644
--- a/public/vndservicemanager.te
+++ b/public/vndservicemanager.te
@@ -1,2 +1,6 @@
 # vndservicemanager - the Binder context manager for vendor processes
 type vndservicemanager, domain;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vold.te b/public/vold.te
index 414f33429..c05da1240 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -1,3 +1,7 @@
 # volume manager
 type vold, domain;
 type vold_exec, exec_type, file_type, system_file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
index 92622714f..f6593074c 100644
--- a/public/vold_prepare_subdirs.te
+++ b/public/vold_prepare_subdirs.te
@@ -1,4 +1,7 @@
 # SELinux directory creation and labelling for vold-managed directories
-
 type vold_prepare_subdirs, domain;
 type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/watchdogd.te b/public/watchdogd.te
index cb656fa28..2499b548a 100644
--- a/public/watchdogd.te
+++ b/public/watchdogd.te
@@ -1,3 +1,7 @@
 # watchdogd seclabel is specified in init..rc
 type watchdogd, domain;
 type watchdogd_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index ace3a013e..8142832cf 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -1,6 +1,9 @@
 # webview_zygote is an auxiliary zygote process that is used to spawn
 # isolated_app processes for rendering untrusted web content.
-
 type webview_zygote, domain;
 type webview_zygote_exec, exec_type, file_type;
 type webview_zygote_tmpfs, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/wificond.te b/public/wificond.te
index 8efb63460..934133cc7 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -1,3 +1,7 @@
 # wificond
 type wificond, domain;
 type wificond_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.
diff --git a/public/zygote.te b/public/zygote.te
index 071354e82..9f24337eb 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -2,3 +2,7 @@
 type zygote, domain;
 type zygote_tmpfs, file_type;
 type zygote_exec, system_file_type, exec_type, file_type;
+
+# system/sepolicy/public is for vendor-facing type and attribute definitions.
+# DO NOT ADD allow, neverallow, or dontaudit statements here.
+# Instead, add such policy rules to system/sepolicy/private/*.te.