Move domain_deprecated into private policy

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3)

private/attributes

@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;

private/clatd.te

@@ -1 +1,2 @@
 typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;

private/dex2oat.te

@@ -1 +1,2 @@
 typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;

private/dhcp.te

@@ -1,4 +1,5 @@
 typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
 
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;

private/domain_deprecated.te

@@ -37,7 +37,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -sdcardd
   -system_server
   -update_engine
@@ -47,7 +46,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -system_server
   -vold
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
@@ -56,7 +54,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
@@ -70,7 +67,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
@@ -84,7 +80,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger

private/dumpstate.te

@@ -1,4 +1,5 @@
 typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
 
 init_daemon_domain(dumpstate)
 

private/fingerprintd.te

@@ -1,3 +1,4 @@
 typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
 
 init_daemon_domain(fingerprintd)

private/fsck.te

@@ -1,3 +1,4 @@
 typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
 
 init_daemon_domain(fsck)

private/fsck_untrusted.te

@@ -1 +1,2 @@
 typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;

private/installd.te

@@ -1,4 +1,5 @@
 typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
 
 init_daemon_domain(installd)
 

private/keystore.te

@@ -1,3 +1,4 @@
 typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
 
 init_daemon_domain(keystore)

private/mtp.te

@@ -1,3 +1,4 @@
 typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
 
 init_daemon_domain(mtp)

private/netd.te

@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
 
 init_daemon_domain(netd)
 

private/perfprofd.te

@@ -1,4 +1,5 @@
 userdebug_or_eng(`
   typeattribute perfprofd coredomain;
+  typeattribute perfprofd domain_deprecated;
   init_daemon_domain(perfprofd)
 ')

private/ppp.te

@@ -1,3 +1,4 @@
 typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
 
 domain_auto_trans(mtp, ppp_exec, ppp)

private/radio.te

@@ -1,4 +1,5 @@
 typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
 
 app_domain(radio)
 

private/recovery.te

@@ -1 +1,2 @@
 typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;

private/runas.te

@@ -1,4 +1,5 @@
 typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)

private/sdcardd.te

@@ -1,3 +1,4 @@
 typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
 
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;

private/shared_relro.te

@@ -1,4 +1,5 @@
 typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
 
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.

private/ueventd.te

@@ -1,3 +1,4 @@
 typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
 
 tmpfs_domain(ueventd)

private/uncrypt.te

@@ -1,3 +1,4 @@
 typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
 
 init_daemon_domain(uncrypt)

private/update_engine.te

@@ -1,3 +1,4 @@
 typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
 
 init_daemon_domain(update_engine);

private/vold.te

@@ -1,4 +1,5 @@
 typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
 
 init_daemon_domain(vold)
 

public/attributes

@@ -10,16 +10,6 @@ attribute dev_type;
 # All types used for processes.
 attribute domain;
 
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
-
 # All types used for filesystems.
 # On change, update CHECK_FC_ASSERT_ATTRS
 # definition in tools/checkfc.c.

public/clatd.te

@@ -1,5 +1,5 @@
 # 464xlat daemon
-type clatd, domain, domain_deprecated;
+type clatd, domain;
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)

public/dex2oat.te

@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain, domain_deprecated;
+type dex2oat, domain;
 type dex2oat_exec, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)

public/dhcp.te

@@ -1,4 +1,4 @@
-type dhcp, domain, domain_deprecated;
+type dhcp, domain;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 

public/fingerprintd.te

@@ -1,4 +1,4 @@
-type fingerprintd, domain, domain_deprecated;
+type fingerprintd, domain;
 type fingerprintd_exec, exec_type, file_type;
 
 binder_use(fingerprintd)

public/fsck.te

@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
 type fsck_exec, exec_type, file_type;
 
 # /dev/__null__ created by init prior to policy load,

public/fsck_untrusted.te

@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };

public/installd.te

@@ -1,5 +1,5 @@
 # installer daemon
-type installd, domain, domain_deprecated;
+type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };

public/keystore.te

@@ -1,4 +1,4 @@
-type keystore, domain, domain_deprecated;
+type keystore, domain;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon

public/mtp.te

@@ -1,5 +1,5 @@
 # vpn tunneling protocol manager
-type mtp, domain, domain_deprecated;
+type mtp, domain;
 type mtp_exec, exec_type, file_type;
 
 net_domain(mtp)

public/netd.te

@@ -1,5 +1,5 @@
 # network manager
-type netd, domain, domain_deprecated, mlstrustedsubject;
+type netd, domain, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 net_domain(netd)

public/perfprofd.te

@@ -4,7 +4,6 @@ type perfprofd_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  typeattribute perfprofd domain_deprecated;
   typeattribute perfprofd coredomain;
   typeattribute perfprofd mlstrustedsubject;
 

public/ppp.te

@@ -1,5 +1,5 @@
 # Point to Point Protocol daemon
-type ppp, domain, domain_deprecated;
+type ppp, domain;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 

public/radio.te

@@ -1,5 +1,5 @@
 # phone subsystem
-type radio, domain, domain_deprecated, mlstrustedsubject;
+type radio, domain, mlstrustedsubject;
 
 net_domain(radio)
 bluetooth_domain(radio)

public/recovery.te

@@ -2,7 +2,7 @@
 
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
-type recovery, domain, domain_deprecated;
+type recovery, domain;
 
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.

public/rild.te

@@ -1,5 +1,5 @@
 # rild - radio interface layer daemon
-type rild, domain, domain_deprecated;
+type rild, domain;
 hal_server_domain(rild, hal_telephony)
 
 net_domain(rild)

public/runas.te

@@ -1,4 +1,4 @@
-type runas, domain, domain_deprecated, mlstrustedsubject;
+type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
 allow runas adbd:fd use;

public/sdcardd.te

@@ -1,4 +1,4 @@
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;

public/shared_relro.te

@@ -1,5 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
+type shared_relro, domain;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;

public/tee.te

@@ -1,7 +1,7 @@
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain, domain_deprecated;
+type tee, domain;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;

public/ueventd.te

@@ -1,6 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
+type ueventd, domain;
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;

public/uncrypt.te

@@ -1,5 +1,5 @@
 # uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
+type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
 allow uncrypt self:capability dac_override;

public/update_engine.te

@@ -1,5 +1,5 @@
 # Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated, update_engine_common;
+type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 

public/vold.te

@@ -1,5 +1,5 @@
 # volume manager
-type vold, domain, domain_deprecated;
+type vold, domain;
 type vold_exec, exec_type, file_type;
 
 # Read already opened /cache files.