Make all domains unconfined.

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

adbd.te

@@ -1,41 +1,8 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
-allow adbd adb_device:chr_file rw_file_perms;
-allow adbd qemu_device:chr_file rw_file_perms;
-allow adbd self:capability { net_raw setgid setuid setpcap dac_override sys_boot sys_admin };
-allow adbd rootfs:file { r_file_perms entrypoint };
-allow adbd init:process sigchld;
-allow adbd self:tcp_socket *;
-allow adbd self:unix_stream_socket *;
-allow adbd node:tcp_socket node_bind;
-allow adbd port:tcp_socket name_bind;
-allow adbd devpts:chr_file rw_file_perms;
-allow adbd cgroup:dir { write add_name create };
-allow adbd labeledfs:filesystem remount;
-allow adbd shell_data_file:dir rw_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-allow adbd graphics_device:dir search;
-allow adbd graphics_device:chr_file r_file_perms;
-# XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
-allow adbd system_file:file rx_file_perms;
-unix_socket_connect(adbd, vold, vold)
-# Talk to init via the property socket.
-unix_socket_connect(adbd, property, init)
-
-# Run sh in its own domain.
+type adbd, domain;
+permissive adbd;
+unconfined_domain(adbd)
 domain_auto_trans(adbd, shell_exec, shell)
-# Do not sanitize the environment of the shell.
-allow adbd shell:process noatsecure;
-
-# XXX Mostly to access system properties and keys- maybe those should be their own type?
-allow adbd system_data_file:file create_file_perms;
-allow adbd system_data_file:dir create_dir_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
+# this is an entrypoint
+allow adbd rootfs:file entrypoint;

app.te

@@ -14,21 +14,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app shell_data_file:lnk_file read;
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-allow platform_app download_file:file rw_file_perms;
+unconfined_domain(platform_app)
 
 # Apps signed with the media key.
 type media_app, domain;
@@ -37,22 +23,7 @@ app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-# Access /dev/mtp_usb.
-allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
-# Stat /cache/backup
-allow media_app cache_backup_file:file getattr;
-allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir
-allow media_app rootfs:file r_file_perms;
-# Allow platform apps to mark platform app data files as download files
-allow media_app platform_app_data_file:dir relabelfrom;
-allow media_app download_file:dir relabelto;
+unconfined_domain(media_app)
 
 # Apps signed with the shared key.
 type shared_app, domain;
@@ -63,8 +34,7 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-# ASEC
-r_dir_file(shared_app, asec_apk_file)
+unconfined_domain(shared_app)
 
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
@@ -75,6 +45,7 @@ platform_app_domain(release_app)
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
+unconfined_domain(release_app)
 
 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -82,18 +53,7 @@ bluetooth_domain(release_app)
 type isolated_app, domain, mlstrustedsubject;
 permissive isolated_app;
 app_domain(isolated_app)
-
-#
-# Rules for platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-
+unconfined_domain(isolated_app)
 
 #
 # Untrusted apps.
@@ -103,101 +63,4 @@ permissive untrusted_app;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
-allow untrusted_app tun_device:chr_file rw_file_perms;
-
-# Internal SDCard rw access.
-bool app_internal_sdcard_rw true;
-if (app_internal_sdcard_rw) {
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-}
-# External SDCard rw access.
-bool app_external_sdcard_rw true;
-if (app_external_sdcard_rw) {
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-}
-
-#
-# Rules for all app domains.
-#
-
-# Allow apps to connect to the keystore
-unix_socket_connect(appdomain, keystore, keystore)
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Communicate over a FIFO or socket created by the system_server.
-allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write setopt };
-
-# Communicate over a socket created by surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
-
-# App sandbox file accesses.
-allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
-
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC.  Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
-# lib subdirectory of /data/data dir is system-owned.
-allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute open };
-
-# Execute the shell or other system executables.
-allow appdomain shell_exec:file rx_file_perms;
-allow appdomain system_file:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { read write };
-
-# Write to /data/anr/traces.txt.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow { appdomain isolated_app } backup_data_file:file { read write };
-allow { appdomain isolated_app } cache_backup_file:file { read write };
-# Backup ability using 'adb backup'
-allow { appdomain isolated_app } system_data_file:lnk_file getattr;
-
-# Allow all applications to read downloaded files
-allow appdomain download_file:file r_file_perms;
-file_type_auto_trans(appdomain, download_file, download_file)
-
-# ASEC
-allow untrusted_app asec_apk_file:dir { getattr };
-allow untrusted_app asec_apk_file:file r_file_perms;
+unconfined_domain(untrusted_app)

assert.te

@@ -1,52 +0,0 @@
-# Policy assertions.
-# These neverallow rules are checked by checkpolicy at policy build time.
-# checkpolicy will refuse to generate the kernel policy if any of these
-# assertions fail.
-
-# Superuser capabilities.
-# Only exception is sys_nice for binder, might not be necessary.
-neverallow { appdomain -bluetooth } self:capability ~sys_nice;
-neverallow bluetooth self:capability ~{ sys_nice net_admin };
-neverallow appdomain self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Kernel memory access.
-neverallow appdomain kmem_device:chr_file { read write };
-
-# Setting SELinux enforcing status or booleans.
-# Conditionally allowed to system_app for SEAndroidManager.
-neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
-# Privileged netlink socket interfaces.
-neverallow appdomain self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *;
-
-# Access to /proc/pid entries for any non-app domain.
-# Violated by cts.te rules so commented out for now.
-#neverallow appdomain { domain - appdomain }:dir search;
-#neverallow appdomain { domain - appdomain }:lnk_file read;
-#neverallow appdomain { domain - appdomain }:file { read write };
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Transition to a non-app domain.
-# Shell excluded since it has a transition to runas.
-neverallow { appdomain -shell } ~appdomain:process { transition dyntransition };
-
-# Map low memory.
-neverallow appdomain self:memprotect mmap_zero;
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set write;
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts.  Define a different type for portions
-# that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -system_app } system_data_file:dir_file_class_set write;

bluetooth.te

@@ -2,37 +2,4 @@
 type bluetooth, domain;
 permissive bluetooth;
 app_domain(bluetooth)
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-# Device accesses.
-allow bluetooth { hci_attach_dev }:chr_file rw_file_perms;
-allow bluetooth input_device:chr_file write;
-
-# sysfs access.
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow bluetooth self:capability net_admin;
-
-# Other domains that can create and use bluetooth sockets.
-# SELinux does not presently define a specific socket class for
-# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-allow bluetoothdomain self:socket *;
-allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
-
-# tethering
-allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
-allow bluetooth efs_file:dir search;
-
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
-# Property Service
-allow bluetooth bluetooth_prop:property_service set;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+unconfined_domain(bluetooth)

bluetoothd.te

@@ -4,8 +4,4 @@ permissive bluetoothd;
 type bluetoothd_exec, exec_type, file_type;
 
 init_daemon_domain(bluetoothd)
-allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
-allow bluetoothd self:socket *;
-allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
-allow bluetoothd bluetoothd_data_file:file create_file_perms;
-unix_socket_connect(bluetoothd, dbus, dbusd)
+unconfined_domain(bluetoothd)

cts.te

@@ -1,39 +0,0 @@
-#
-# Rules to allow the Android CTS to run.
-# Do not enable in production policy.
-#
-
-bool android_cts false;
-if (android_cts) {
-# For TestDeviceSetup (RootProcessScanner).
-# Reads /proc/pid/status and statm entries to check that
-# no unexpected root processes are running.
-# Also for android.security.cts.VoldExploitTest.
-# Requires ability to read /proc/pid/cmdline of vold.
-allow appdomain domain:dir r_dir_perms;
-allow appdomain domain:{ file lnk_file } r_file_perms;
-
-# Will still fail when trying to read other app /proc/pid
-# entries due to MLS constraints.  Just silence the denials.
-dontaudit appdomain appdomain:dir r_dir_perms;
-dontaudit appdomain appdomain:file r_file_perms;
-
-# For android.permission.cts.FileSystemPermissionTest.
-# Walk the file tree, stat any file in order to check file permissions.
-allow appdomain fs_type:dir r_dir_perms;
-allow appdomain dev_type:dir r_dir_perms;
-allow appdomain file_type:dir_file_class_set getattr;
-allow appdomain dev_type:dir_file_class_set getattr;
-allow appdomain fs_type:dir_file_class_set getattr;
-
-# Tries to open /dev/alarm for writing but expects failure.
-dontaudit appdomain alarm_device:chr_file write;
-
-# For android.security.cts.VoldExploitTest.
-# Tries to create and use a netlink kobject uevent socket
-# to test for a vulnerable vold.
-dontaudit appdomain self:netlink_kobject_uevent_socket create;
-
-# Tries to override DAC restrictions but expects to fail.
-dontaudit shell self:capability dac_override;
-}

dbusd.te

@@ -4,6 +4,4 @@ permissive dbusd;
 type dbusd_exec, exec_type, file_type;
 
 init_daemon_domain(dbusd)
-# Reads /proc/pid/cmdline of clients
-r_dir_file(dbusd, system)
-r_dir_file(dbusd, bluetoothd)
+unconfined_domain(dbusd)

debuggerd.te

@@ -4,17 +4,4 @@ permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir r_dir_perms;
-allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
-security_access_policy(debuggerd)
-allow debuggerd system_data_file:dir create_dir_perms;
-allow debuggerd system_data_file:dir relabelfrom;
-allow debuggerd tombstone_data_file:dir relabelto;
-allow debuggerd tombstone_data_file:dir create_dir_perms;
-allow debuggerd tombstone_data_file:file create_file_perms;
-allow debuggerd domain:process { sigstop signal };
-allow debuggerd exec_type:file r_file_perms;
+unconfined_domain(debuggerd)

dhcp.te

@@ -6,29 +6,6 @@ type dhcp_system_file, file_type, data_file_type;
 
 init_daemon_domain(dhcp)
 net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-allow dhcp proc:file write;
-allow dhcp system_prop:property_service set ;
-allow dhcp dhcp_system_file:file rx_file_perms;
-allow dhcp dhcp_system_file:dir r_dir_perms;
-unix_socket_connect(dhcp, property, init)
+unconfined_domain(dhcp)
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
-# netdev-bt-pan driver loading
-allow dhcp kernel:system module_request;
-
-allow dhcp tty_device:chr_file { rw_file_perms };

domain.te

@@ -1,122 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Read access to properties mapping.
-allow domain kernel:fd use;
-allow domain tmpfs:file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain tmpfs:dir r_dir_perms;
-
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
-# Intra-domain accesses.
-allow domain self:process ~{ execstack execheap };
-allow domain self:fd use;
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-allow domain system:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-allow domain adbd:unix_stream_socket connectto;
-allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr read write shutdown };
-
-# Talk to debuggerd.
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
-# Root fs.
-allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file read;
-allow domain devpts:dir search;
-allow domain device:file read;
-allow domain socket_device:dir search;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file r_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-allow domain binder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain powervr_device:chr_file rw_file_perms;
-allow domain log_device:dir search;
-allow domain log_device:chr_file rw_file_perms;
-allow domain nv_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file r_file_perms;
-allow domain random_device:chr_file r_file_perms;
-allow domain properties_device:file r_file_perms;
-
-# Filesystem accesses.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# System file accesses.
-allow domain system_file:dir r_dir_perms;
-allow domain system_file:file r_file_perms;
-allow domain system_file:file execute;
-allow domain system_file:lnk_file read;
-
-# Read files already opened under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file read;
-
-# Read apk files under /data/app.
-allow domain apk_data_file:dir search;
-allow domain apk_data_file:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow domain dalvikcache_data_file:dir { search getattr };
-allow domain dalvikcache_data_file:file r_file_perms;
-
-# Read already opened /cache files.
-allow domain cache_file:dir r_dir_perms;
-allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file read;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-#Allow access to ion memory allocation device
-allow domain ion_device:chr_file rw_file_perms;
-
-# For /sys/qemu_trace files in the emulator.
-bool in_qemu false;
-if (in_qemu) {
-allow domain sysfs:file rw_file_perms;
-}
-allow domain sysfs_writable:file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain, proc)
-r_dir_file(domain, sysfs)
-r_dir_file(domain, inotify)
-r_dir_file(domain, cgroup)
-
-# debugfs access
-bool debugfs false;
-if (debugfs) {
-allow domain debugfs:dir r_dir_perms;
-allow domain debugfs:file rw_file_perms;
-} else {
-dontaudit domain debugfs:dir r_dir_perms;
-dontaudit domain debugfs:file  rw_file_perms;
-}
-
-# security files
-allow domain security_file:dir { search getattr };
-allow domain security_file:file getattr;

drmserver.te

@@ -4,29 +4,4 @@ permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
-typeattribute drmserver mlstrustedsubject;
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-# Talk to the tee
-allow drmserver tee:unix_stream_socket { connectto };
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver apk_data_file:dir { write add_name remove_name };
-allow drmserver apk_data_file:sock_file { create setattr unlink };
-allow drmserver sdcard_type:file { read write getattr };
-allow drmserver efs_file:file { open read getattr };
+unconfined_domain(drmserver)

gpsd.te

@@ -5,13 +5,8 @@ type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
 net_domain(gpsd)
-allow gpsd gps_data_file:dir rw_dir_perms;
-allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
+unconfined_domain(gpsd)
 # Socket is created by the daemon, not by init, and under /data/gps,
 # not under /dev/socket.
 type_transition gpsd gps_data_file:sock_file gps_socket;
-allow gpsd gps_socket:sock_file create_file_perms;
-# XXX Label sysfs files with a specific type?
-allow gpsd sysfs:file rw_file_perms;
 
-allow gpsd gps_device:chr_file rw_file_perms;

hci_attach.te

@@ -3,8 +3,4 @@ permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
-
-allow hci_attach kernel:system module_request;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach bluetooth_efs_file:dir r_dir_perms;
-allow hci_attach bluetooth_efs_file:file r_file_perms;
+unconfined_domain(hci_attach)

init.te

@@ -4,3 +4,5 @@ permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
+# add a rule to handle unlabelled mounts
+allow init unlabeled:filesystem mount;

init_shell.te

@@ -1,14 +1,5 @@
 # Restricted domain for shell processes spawned by init
-type init_shell, domain, mlstrustedsubject;
+type init_shell, domain;
+permissive init_shell;
 domain_auto_trans(init, shell_exec, init_shell)
-allow init_shell rootfs:dir r_dir_perms;
-allow init_shell devpts:chr_file rw_file_perms;
-allow init_shell tty_device:chr_file rw_file_perms;
-allow init_shell console_device:chr_file rw_file_perms;
-allow init_shell input_device:chr_file rw_file_perms;
-allow init_shell system_file:file x_file_perms;
-allow init_shell shell_exec:file rx_file_perms;
-allow init_shell zygote_exec:file rx_file_perms;
-
-# setprop toolbox command
-unix_socket_connect(init_shell, property, init)
+unconfined_domain(init_shell)

installd.te

@@ -4,24 +4,4 @@ permissive installd;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd system_data_file:file create_file_perms;
-allow installd system_data_file:lnk_file create;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd data_file_type:dir create_dir_perms;
-allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file lnk_file } { getattr unlink };
-allow installd apk_data_file:file r_file_perms;
-allow installd apk_tmp_file:file r_file_perms;
-allow installd system_file:file x_file_perms;
-allow installd cgroup:dir create_dir_perms;
-dontaudit installd self:capability sys_admin;
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
-# ASEC
-allow installd platform_app_data_file:lnk_file { create setattr };
-allow installd app_data_file:lnk_file { create setattr };
-allow installd asec_apk_file:file r_file_perms;
+unconfined_domain(installd)

keystore.te

@@ -4,9 +4,4 @@ type keystore_exec, exec_type, file_type;
 
 # keystore daemon
 init_daemon_domain(keystore)
-binder_use(keystore)
-binder_service(keystore)
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
+unconfined_domain(keystore)

mediaserver.te

@@ -3,52 +3,6 @@ type mediaserver, domain;
 permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
 
-typeattribute mediaserver mlstrustedsubject;
-
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
-
-r_dir_file(mediaserver, sdcard_type)
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver kernel:system module_request;
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver platform_app_data_file:file { getattr read };
-allow mediaserver sdcard_type:file write;
-allow mediaserver camera_device:chr_file rw_file_perms;
-allow mediaserver graphics_device:chr_file rw_file_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver audio_device:chr_file rw_file_perms;
-allow mediaserver qemu_device:chr_file rw_file_perms;
-allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file rw_file_perms;
-
-# XXX Why?
-allow mediaserver apk_data_file:file { read getattr };
-
-# To use remote processor
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system:fifo_file r_file_perms;
-
-# Camera calibration
-allow mediaserver camera_calibration_file:dir r_dir_perms;
-allow mediaserver camera_calibration_file:file r_file_perms;
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
+unconfined_domain(mediaserver)

mtp.te

@@ -5,12 +5,4 @@ type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
 net_domain(mtp)
-
-# pptp policy
-allow mtp self:tcp_socket { create setopt connect write read };
-allow mtp self:socket { create connect };
-allow mtp self:rawip_socket create;
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
-allow mtp vpn_data_file:dir search;
+unconfined_domain(mtp)

net.te

@@ -2,17 +2,3 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
-
-# Use network sockets.
-allow netdomain self:{ tcp_socket udp_socket } *;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
-# Get route information.
-allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)

netd.te

@@ -1,38 +1,8 @@
 # network manager
 type netd, domain;
-permissive netd;
 type netd_exec, exec_type, file_type;
 
+permissive netd;
+unconfined_domain(netd)
 init_daemon_domain(netd)
-typeattribute netd mlstrustedsubject;
-allow netd self:capability { net_admin net_raw sys_module kill };
-allow netd self:netlink_kobject_uevent_socket *;
-allow netd self:netlink_route_socket *;
-allow netd self:netlink_nflog_socket *;
-allow netd self:rawip_socket *;
-allow netd self:udp_socket *;
-allow netd node:udp_socket node_bind;
-allow netd port:udp_socket name_bind;
-allow netd self:unix_stream_socket *;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-allow netd devpts:chr_file rw_file_perms;
-
-# For /proc/sys/net/ipv[46]/route/flush.
-# XXX Split /proc/sys/net into its own type.
-allow netd proc:file write;
-
-# For /sys/modules/bcmdhd/parameters/firmware_path
-# XXX Split into its own type.
-allow netd sysfs:file write;
-
-# Network driver loading.
-allow netd kernel:system module_request;
-
-# Set dhcp lease for PAN connection
-unix_socket_connect(netd, property, init)
-allow netd system_prop:property_service set;
-
-# Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)
-allow netd dhcp:process signal;

nfc.te

@@ -2,13 +2,4 @@
 type nfc, domain;
 permissive nfc;
 app_domain(nfc)
-
-# NFC device access.
-allow nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-
-allow nfc sysfs_nfc_power_writable:file rw_file_perms;
-allow nfc sysfs:file write;
+unconfined_domain(nfc)

ping.te

@@ -2,12 +2,4 @@ type ping, domain;
 permissive ping;
 type ping_exec, file_type;
 domain_auto_trans(shell, ping_exec, ping)
-
-allow ping self:capability net_raw;
-allow ping self:rawip_socket create_socket_perms;
-allow ping self:udp_socket create_socket_perms;
-allow ping node:rawip_socket node_bind;
-allow ping dnsproxyd_socket:sock_file write;
-allow ping netd:unix_stream_socket connectto;
-allow ping devpts:chr_file rw_file_perms;
-allow ping shell:fd use;
+unconfined_domain(ping)

ppp.te

@@ -4,15 +4,5 @@ permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;
-
+unconfined_domain(ppp)
 domain_auto_trans(mtp, ppp_exec, ppp)
-
-allow ppp mtp:socket { read write ioctl };
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp self:udp_socket { create ioctl };
-allow ppp ppp_system_file:dir search;
-allow ppp ppp_system_file:file rx_file_perms;
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;

qemud.te

@@ -4,4 +4,4 @@ permissive qemud;
 type qemud_exec, exec_type, file_type;
 
 init_daemon_domain(qemud)
-allow qemud serial_device:chr_file rw_file_perms;
+unconfined_domain(qemud)

racoon.te

@@ -3,24 +3,4 @@ type racoon, domain;
 permissive racoon;
 type racoon_exec, exec_type, file_type;
 
-init_daemon_domain(racoon)
-typeattribute racoon mlstrustedsubject;
-
-binder_call(racoon, servicemanager)
-binder_call(racoon, keystore)
-
-allow racoon tun_device:chr_file r_file_perms;
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-allow racoon port:udp_socket name_bind;
-allow racoon node:udp_socket node_bind;
-
-allow racoon self:{ key_socket udp_socket } create_socket_perms;
-allow racoon self:tun_socket create;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon ppp_system_file:file rx_file_perms;
-allow racoon ppp_system_file:dir search;
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
+unconfined_domain(racoon)

radio.te

@@ -5,20 +5,4 @@ app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
 
-# Talks to init via the property socket.
-unix_socket_connect(radio, property, init)
-
-# Talks to rild via the rild socket.
-unix_socket_connect(radio, rild, rild)
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
-allow radio alarm_device:chr_file rw_file_perms;
-
-# Property service
-allow radio radio_prop:property_service set;
-
-# ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
+unconfined_domain(radio)

rild.te

@@ -5,42 +5,4 @@ type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
 net_domain(rild)
-allow rild self:netlink_route_socket { setopt write };
-allow rild kernel:system module_request;
-unix_socket_connect(rild, property, init)
-unix_socket_connect(rild, qemud, qemud)
-allow rild self:capability { setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild qemu_device:chr_file rw_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
-allow rild sdcard_type:dir r_dir_perms;
-allow rild system_data_file:dir create_dir_perms;
-allow rild system_data_file:file create_file_perms;
-allow rild system_file:file x_file_perms;
-dontaudit rild self:capability sys_admin;
-# XXX Label sysfs files with a specific type?
-allow rild sysfs:file rw_file_perms;
-
-# property service
-allow rild rild_prop:property_service set;
-allow rild radio_prop:property_service set;
-
-# Read/Write to uart driver (for GPS)
-allow rild gps_device:chr_file rw_file_perms;
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create, bind, read, write to itself through a netlink socket
-allow rild self:netlink_socket { create bind read write };
-
-allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+unconfined_domain(rild)

runas.te

@@ -1,67 +1,7 @@
-type runas, domain, mlstrustedsubject;
+type runas, domain;
 type runas_exec, file_type;
-
-bool support_runas true;
-
-if (support_runas) {
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shell, untrusted_app)
-dontaudit shell domain:dir r_dir_perms;
-dontaudit shell domain:file r_file_perms;
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shell app_data_file:dir search;
-
-# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
-allow shell untrusted_app:process sigkill;
-dontaudit shell self:capability { sys_ptrace kill };
+permissive runas;
+unconfined_domain(runas)
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
-allow runas adbd:process sigchld;
-allow runas shell:fd  use;
-allow runas devpts:chr_file { read write ioctl };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
-
-# run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(runas)
-selinux_check_context(runas) # validate context
-allow runas untrusted_app:process dyntransition; # setcon
-
-# run-as runs lib/gdbserver from the app data dir.
-allow untrusted_app system_data_file:file rx_file_perms;
-
-# gdbserver reads the zygote.
-allow untrusted_app zygote_exec:file r_file_perms;
-
-# (grand)child death notification.
-allow untrusted_app shell:process sigchld;
-allow untrusted_app adbd:process sigchld;
-
-# child shell or gdbserver pty access.
-allow untrusted_app devpts:chr_file { getattr read write ioctl };
-
-# gdbserver creates a socket in the app data dir.
-allow untrusted_app app_data_file:sock_file { create unlink };
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd untrusted_app:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-}

sdcardd.te

@@ -3,11 +3,4 @@ permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard_type:filesystem mount;
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
-allow sdcardd system_data_file:dir  create_dir_perms;
-allow sdcardd system_data_file:file create_file_perms;
+unconfined_domain(sdcardd)

servicemanager.te

@@ -4,12 +4,4 @@ permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 
 init_daemon_domain(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder transfer;
+unconfined_domain(servicemanager)

shell.te

@@ -1,34 +1,8 @@
 # Domain for shell processes spawned by ADB
-type shell, domain, mlstrustedsubject;
+type shell, domain;
 type shell_exec, file_type;
-allow shell rootfs:dir r_dir_perms;
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:chr_file rw_file_perms;
-allow shell system_file:file x_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-
-# Access sdcard.
-allow shell sdcard_type:dir rw_dir_perms;
-allow shell sdcard_type:file create_file_perms;
-
-r_dir_file(shell, apk_data_file)
-allow shell dalvikcache_data_file:file { write setattr };
+unconfined_domain(shell)
 
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
-
-# Property Service
-allow shell shell_prop:property_service set;
-
-# setprop toolbox command
-unix_socket_connect(shell, property, init)
-
-# ctl interface
-allow shell ctl_dumpstate_prop:property_service set;

surfaceflinger.te

@@ -4,32 +4,7 @@ permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
-typeattribute surfaceflinger mlstrustedsubject;
+unconfined_domain(surfaceflinger)
 
 # Talk to init over the property socket.
 unix_socket_connect(surfaceflinger, property, init)
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, system)
-binder_service(surfaceflinger)
-allow surfaceflinger init:binder transfer;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket *;
-
-# Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_default_prop:property_service set;
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger platform_app_data_file:file { read write };
-allow surfaceflinger app_data_file:file { read write };

system.te

@@ -1,226 +1,11 @@
-#
-# Apps that run with the system UID, e.g. com.android.system.ui,
-# com.android.settings.  These are not as privileged as the system
-# server.
-#
 type system_app, domain;
 permissive system_app;
 app_domain(system_app)
+unconfined_domain(system_app)
 
-# Perform binder IPC to any app domain.
-binder_call(system_app, appdomain)
-
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Write to dalvikcache.
-allow system_app dalvikcache_data_file:file { write setattr };
-
-# Talk to keystore.
-unix_socket_connect(system_app, keystore, keystore)
-
-# Read SELinux enforcing status.
-selinux_getenforce(system)
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system, domain, mlstrustedsubject;
-
-# Child of the zygote.
-allow system zygote:fd use;
-allow system zygote:process sigchld;
-allow system zygote_tmpfs:file read;
-
-# system server gets network and bluetooth permissions.
-net_domain(system)
-bluetooth_domain(system)
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-# XXX See if we can remove some of these.
-allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
-
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system self:capability sys_ptrace;
-
-# Trigger module auto-load.
-allow system kernel:system module_request;
-
-# Use netlink uevent sockets.
-allow system self:netlink_kobject_uevent_socket *;
-
-# Kill apps.
-allow system appdomain:process { sigkill signal };
-
-# Set scheduling info for apps.
-allow system appdomain:process { getsched setsched };
-allow system mediaserver:process { getsched setsched };
-
-# Read /proc data for apps.
-allow system appdomain:dir r_dir_perms;
-allow system appdomain:{ file lnk_file } rw_file_perms;
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system qtaguid_proc:file rw_file_perms;
-allow system qtaguid_device:chr_file rw_file_perms;
-
-# WifiWatchdog uses a packet_socket
-allow system self:packet_socket *;
-
-# Notify init of death.
-allow system init:process sigchld;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system self:tun_socket create;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system, property, init)
-unix_socket_connect(system, qemud, qemud)
-unix_socket_connect(system, installd, installd)
-unix_socket_connect(system, netd, netd)
-unix_socket_connect(system, vold, vold)
-unix_socket_connect(system, zygote, zygote)
-unix_socket_connect(system, keystore, keystore)
-unix_socket_connect(system, dbus, dbusd)
-unix_socket_connect(system, gps, gpsd)
-unix_socket_connect(system, bluetooth, bluetoothd)
-unix_socket_connect(system, racoon, racoon)
-unix_socket_send(system, wpa, wpa)
-unix_socket_send(system, wpa, init)
-
-# Communicate over a socket created by surfaceflinger.
-allow system surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-tmpfs_domain(system)
-binder_use(system)
-binder_call(system, binderservicedomain)
-binder_call(system, appdomain)
-binder_service(system)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(system, appdomain)
-r_dir_file(system, mediaserver)
-allow system appdomain:process getattr;
-allow system mediaserver:process getattr;
-
-# Specify any arguments to zygote.
-allow system self:zygote *;
-
-# Check SELinux permissions.
-selinux_check_access(system)
-
-# XXX Label sysfs files with a specific type?
-allow system sysfs:file rw_file_perms;
-allow system sysfs_nfc_power_writable:file rw_file_perms;
-
-# Access devices.
-allow system device:dir r_dir_perms;
-allow system device:sock_file rw_file_perms;
-allow system akm_device:chr_file rw_file_perms;
-allow system accelerometer_device:chr_file rw_file_perms;
-allow system alarm_device:chr_file rw_file_perms;
-allow system graphics_device:dir search;
-allow system graphics_device:chr_file rw_file_perms;
-allow system iio_device:chr_file rw_file_perms;
-allow system input_device:dir r_dir_perms;
-allow system input_device:chr_file rw_file_perms;
-allow system tty_device:chr_file rw_file_perms;
-allow system urandom_device:chr_file rw_file_perms;
-allow system usbaccessory_device:chr_file rw_file_perms;
-allow system video_device:chr_file rw_file_perms;
-allow system qemu_device:chr_file rw_file_perms;
-allow system devpts:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system tun_device:chr_file rw_file_perms;
-
-# Manage data files.
-allow system data_file_type:dir create_dir_perms;
-allow system data_file_type:notdevfile_class_set create_file_perms;
-
-# Read /file_contexts and /data/security/file_contexts
-security_access_policy(system)
-
-# Relabel apk files.
-allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
-allow system { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system system_data_file:file relabelfrom;
-allow system wallpaper_file:file relabelto;
-allow system wallpaper_file:file rw_file_perms;
-
-# Relabel /data/anr.
-allow system system_data_file:dir relabelfrom;
-allow system anr_data_file:dir relabelto;
-
-# Property Service write
-allow system system_prop:property_service set;
-allow system radio_prop:property_service set;
-
-# ctl interface
-allow system ctl_default_prop:property_service set;
+type system, domain;
+permissive system;
+unconfined_domain(system);
 
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
-allow system system_wpa_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system cache_file:dir { relabelfrom create_dir_perms };
-allow system cache_file:file { relabelfrom create_file_perms };
-
-# Run system programs, e.g. dexopt.
-allow system system_file:file x_file_perms;
-
-# Allow reading of /proc/pid data for other domains.
-# XXX dontaudit candidate
-allow system domain:dir r_dir_perms;
-allow system domain:file r_file_perms;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system gps_device:chr_file rw_file_perms;
-allow system gps_control:file rw_file_perms;
-
-# system Read/Write tcp/udp_socket of untrusted_app
-allow system appdomain:{ tcp_socket udp_socket } { setopt read write };
-
-# Allow abstract socket connection
-allow system rild:unix_stream_socket connectto;
-
-# connect to vpn tunnel
-allow system mtp:unix_stream_socket { connectto };
-
-# BackupManagerService lets PMS create a data backup file
-allow system cache_backup_file:file create_file_perms;
-# Relabel /data/backup
-allow system backup_data_file:dir { relabelto relabelfrom };
-# Relabel /cache/.*\.{data|restore}
-allow system cache_backup_file:file { relabelto relabelfrom };
-# LocalTransport creates and relabels /cache/backup
-allow system cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
-
-# Allow system to talk to usb device
-allow system usb_device:chr_file rw_file_perms;
-allow system usb_device:dir r_dir_perms;
-
-# Allow system to talk to sensors
-allow system sensors_device:chr_file rw_file_perms;
-
-# Allow system to search the /sys/devices/system/cpu directory
-allow system sysfs_devices_system_cpu:dir search;
-
-# Allow system to write to the adbd_socket
-allow system adbd_socket:sock_file write;

tee.te

@@ -2,14 +2,10 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
-permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
 
+permissive tee;
+unconfined_domain(netd)
 init_daemon_domain(tee)
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir { getattr write add_name };
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket { create bind read };

ueventd.te

@@ -3,21 +3,5 @@
 type ueventd, domain;
 permissive ueventd;
 tmpfs_domain(ueventd)
-write_klog(ueventd)
-security_access_policy(ueventd)
+unconfined_domain(ueventd)
 allow ueventd rootfs:file entrypoint;
-allow ueventd init:process sigchld;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-allow ueventd sysfs:file rw_file_perms;
-allow ueventd sysfs:file setattr;
-allow ueventd sysfs_type:file { relabelfrom relabelto };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket *;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;

unconfined.te

@@ -19,5 +19,5 @@ allow unconfineddomain netif_type:netif *;
 allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer };
+allow unconfineddomain domain:binder { call transfer set_context_mgr };
 allow unconfineddomain property_type:property_service set;

vold.te

@@ -4,71 +4,4 @@ permissive vold;
 type vold_exec, exec_type, file_type;
 
 init_daemon_domain(vold)
-typeattribute vold mlstrustedsubject;
-allow vold system_file:file x_file_perms;
-allow vold block_device:dir create_dir_perms;
-allow vold block_device:blk_file create_file_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton;
-allow vold sdcard_type:filesystem { mount remount unmount };
-allow vold sdcard_type:dir create_dir_perms;
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket *;
-allow vold app_data_file:dir search;
-allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file rw_file_perms;
-allow vold dm_device:chr_file rw_file_perms;
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace };
-# Grant vold the capability to reboot the system
-allow vold self:capability { sys_boot };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-write_klog(vold)
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Set property.
-unix_socket_connect(vold, property, init)
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Request AES module.
-allow vold kernel:system module_request;
-
-# Write to /proc/sysrq-trigger
-# XXX Label with a distinct type?
-allow vold proc:file write;
-
-# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { create rw_dir_perms mounton };
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# Property Service
-allow vold vold_prop:property_service set;
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr };
-allow vold asec_apk_file:file { r_file_perms setattr };
+unconfined_domain(vold)

watchdogd.te

@@ -1,9 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
 permissive watchdogd;
-allow watchdogd rootfs:file { entrypoint r_file_perms };
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-# because of /dev/__kmsg__ and /dev/__null__
-allow watchdogd device:chr_file create_file_perms;
+unconfined_domain(watchdogd)

wpa_supplicant.te

@@ -4,18 +4,5 @@ permissive wpa;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)
-allow wpa kernel:system module_request;
-allow wpa self:capability { setuid net_admin setgid net_raw };
-allow wpa cgroup:dir create_dir_perms;
-allow wpa self:netlink_route_socket *;
-allow wpa self:netlink_socket *;
-allow wpa self:packet_socket *;
-allow wpa self:udp_socket *;
-allow wpa wifi_data_file:dir create_dir_perms;
-allow wpa wifi_data_file:file create_file_perms;
-unix_socket_send(wpa, system_wpa, system)
-allow wpa random_device:chr_file r_file_perms;
-
-# Create a socket for receiving info from wpa
+unconfined_domain(wpa)
 type_transition wpa wifi_data_file:sock_file wpa_socket;
-allow wpa wpa_socket:sock_file create_file_perms;

zygote.te

@@ -1,44 +1,7 @@
 # zygote
 type zygote, domain;
-permissive zygote;
 type zygote_exec, exec_type, file_type;
 
+permissive zygote;
 init_daemon_domain(zygote)
-typeattribute zygote mlstrustedsubject;
-# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
-# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow zygote system:process dyntransition;
-allow zygote appdomain:process dyntransition;
-# Move children into the peer process group.
-allow zygote system:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-# Write to system data.
-allow zygote system_data_file:dir rw_dir_perms;
-allow zygote system_data_file:file create_file_perms;
-allow zygote dalvikcache_data_file:dir rw_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-# Execute dexopt.
-allow zygote system_file:file x_file_perms;
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote self:capability sys_admin;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(zygote)
-
-# Setting up /storage/emulated.
-allow zygote rootfs:dir mounton;
-allow zygote sdcard_type:dir { write search setattr create add_name mounton };
-dontaudit zygote self:capability fsetid;
-allow zygote tmpfs:dir { write create add_name setattr mounton search };
-allow zygote tmpfs:filesystem mount;
-allow zygote labeledfs:filesystem remount;
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file { execute_no_trans open };
+unconfined_domain(zygote)