deprecate domain_deprecated

Move device specific policy to a local device_domain_deprecated attribute
to focus effort on core policy.

Bug: 28760354
Change-Id: I0cf3dd62d908f4622b19af64b0b09e69fd24efcd
diff --git a/sepolicy/attributes b/sepolicy/attributes
new file mode 100644
index 0000000..d140949
--- /dev/null
+++ b/sepolicy/attributes
@@ -0,0 +1,4 @@
+# domain_deprecated attribute is being removed from core policy. Leave it
+# in device-specific policy for device-specific domains. Unlike core policy,
+# device-specific policy will eventually be deprecated.
+attribute device_domain_deprecated;
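Review bot: The last sentence of the comment, "Unlike core policy, device-specific policy will eventually be deprecated", is ambiguous. It reads as if device policy as a whole will go away, while the commit message suggests only that clean-up effort goes to core policy first. If that is the intent, I would reword it along the lines of `# Device-specific domains keep the legacy rules via device_domain_deprecated until each is audited and given explicit allow rules.` Referencing the bug from the commit message here would also help keep the attribute from becoming a permanent grant.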
diff --git a/sepolicy/crash_collector.te b/sepolicy/crash_collector.te
index 2f941f0..eab0428 100644
--- a/sepolicy/crash_collector.te
+++ b/sepolicy/crash_collector.te
@@ -1,4 +1,4 @@
-type crash_collector, domain, domain_deprecated;
+type crash_collector, domain, device_domain_deprecated;
 type crash_collector_exec, exec_type, file_type;
 type crash_reports_data_file, file_type, data_file_type;
 
diff --git a/sepolicy/crash_collector_app.te b/sepolicy/crash_collector_app.te
index 166ec1a..194b65b 100644
--- a/sepolicy/crash_collector_app.te
+++ b/sepolicy/crash_collector_app.te
@@ -1,4 +1,4 @@
-type crash_collector_app, domain, domain_deprecated;
+type crash_collector_app, domain, device_domain_deprecated;
 
 # com.google.android.crashuploader runs in the crash_collector_app domain
 app_domain(crash_collector_app)
diff --git a/sepolicy/device_domain_deprecated.te b/sepolicy/device_domain_deprecated.te
new file mode 100644
index 0000000..bbe0b71
--- /dev/null
+++ b/sepolicy/device_domain_deprecated.te
@@ -0,0 +1,36 @@
+allow device_domain_deprecated adbd:unix_stream_socket connectto;
+allow device_domain_deprecated adbd:fd use;
+allow device_domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow device_domain_deprecated rootfs:dir r_dir_perms;
+allow device_domain_deprecated rootfs:file r_file_perms;
+allow device_domain_deprecated rootfs:lnk_file r_file_perms;
+allow device_domain_deprecated device:file read;
+allow device_domain_deprecated system_file:dir r_dir_perms;
+allow device_domain_deprecated system_file:file r_file_perms;
+allow device_domain_deprecated system_file:lnk_file r_file_perms;
+allow device_domain_deprecated system_data_file:file { getattr read };
+allow device_domain_deprecated system_data_file:lnk_file r_file_perms;
+allow device_domain_deprecated apk_data_file:dir { getattr search };
+allow device_domain_deprecated apk_data_file:file r_file_perms;
+allow device_domain_deprecated apk_data_file:lnk_file r_file_perms;
+allow device_domain_deprecated dalvikcache_data_file:dir { search getattr };
+allow device_domain_deprecated dalvikcache_data_file:file r_file_perms;
+allow device_domain_deprecated cache_file:dir r_dir_perms;
+allow device_domain_deprecated cache_file:file { getattr read };
+allow device_domain_deprecated cache_file:lnk_file r_file_perms;
+allow device_domain_deprecated ion_device:chr_file rw_file_perms;
+allow device_domain_deprecated proc:dir r_dir_perms;
+allow device_domain_deprecated proc:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated sysfs:dir r_dir_perms;
+allow device_domain_deprecated sysfs:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated inotify:dir r_dir_perms;
+allow device_domain_deprecated inotify:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated cgroup:dir r_dir_perms;
+allow device_domain_deprecated cgroup:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated proc_meminfo:file r_file_perms;
+allow device_domain_deprecated proc_net:dir r_dir_perms;
+allow device_domain_deprecated proc_net:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated selinuxfs:dir r_dir_perms;
+allow device_domain_deprecated selinuxfs:file r_file_perms;
+allow device_domain_deprecated asec_public_file:file r_file_perms;
+allow device_domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
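Review bot: These rules are granted wholesale to every domain carrying device_domain_deprecated, and the file has no header saying they are a temporary copy of the legacy set. The grants include `connectto` on the adbd socket, `rw_file_perms` on `ion_device`, and read access to `apk_data_file`, `system_data_file` and `proc_net`. Several of the domains tagged in this commit are init daemons (`init_daemon_domain`) such as fwtool, rmi4update and thermal_gov, which presumably need only a small subset. I would add a header such as `# Local copy of the legacy domain_deprecated rules; drop each rule once no device domain depends on it.` To make the clean-up measurable, pair rules with audit statements, e.g. `auditallow device_domain_deprecated ion_device:chr_file rw_file_perms;`, so real use shows up in the audit log before a rule is removed.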
diff --git a/sepolicy/dump_bq25892.te b/sepolicy/dump_bq25892.te
index 2812862..286de95 100644
--- a/sepolicy/dump_bq25892.te
+++ b/sepolicy/dump_bq25892.te
@@ -1,6 +1,6 @@
 # permissions for /system/bin/dump_bq25892.sh
 # which is used to debug information about the state of the charger chip
-type dump_bq25892, domain, domain_deprecated;
+type dump_bq25892, domain, device_domain_deprecated;
 type dump_bq25892_exec, exec_type, file_type;
 type fw_logs_data_file, file_type, data_file_type;
 
diff --git a/sepolicy/fwtool.te b/sepolicy/fwtool.te
index 39bc4d1..04f4d66 100644
--- a/sepolicy/fwtool.te
+++ b/sepolicy/fwtool.te
@@ -1,5 +1,5 @@
 # permissions for /system/bin/fwtool
-type fwtool, domain, domain_deprecated;
+type fwtool, domain, device_domain_deprecated;
 type fwtool_exec, exec_type, file_type;
 
 init_daemon_domain(fwtool)
diff --git a/sepolicy/locale.te b/sepolicy/locale.te
index 4531414..3a349a1 100644
--- a/sepolicy/locale.te
+++ b/sepolicy/locale.te
@@ -1,6 +1,6 @@
 # init_regions.sh reads region from vpd and sets
 # ro.product.locale property
-type locale, domain, domain_deprecated;
+type locale, domain, device_domain_deprecated;
 type locale_exec, exec_type, file_type;
 
 init_daemon_domain(locale)
diff --git a/sepolicy/rmi4update.te b/sepolicy/rmi4update.te
index 0f86c21..9ea2d39 100644
--- a/sepolicy/rmi4update.te
+++ b/sepolicy/rmi4update.te
@@ -1,5 +1,5 @@
 # init runs /system/bin/touchfwup.sh which runs rmi4update
-type rmi4update, domain, domain_deprecated;
+type rmi4update, domain, device_domain_deprecated;
 type rmi4update_exec, exec_type, file_type;
 
 init_daemon_domain(rmi4update)
diff --git a/sepolicy/thermal_gov.te b/sepolicy/thermal_gov.te
index ffaef81..61425c0 100644
--- a/sepolicy/thermal_gov.te
+++ b/sepolicy/thermal_gov.te
@@ -1,5 +1,5 @@
 # permissions for /system/bin/tune-thermal-gov.sh
-type thermal_gov, domain, domain_deprecated;
+type thermal_gov, domain, device_domain_deprecated;
 type thermal_gov_exec, exec_type, file_type;
 
 init_daemon_domain(thermal_gov)
diff --git a/sepolicy/touch_fw_update.te b/sepolicy/touch_fw_update.te
index 7829649..2f62e04 100644
--- a/sepolicy/touch_fw_update.te
+++ b/sepolicy/touch_fw_update.te
@@ -1,5 +1,5 @@
 # init runs /system/bin/touchfwup.sh
-type touch_fw_update, domain, domain_deprecated;
+type touch_fw_update, domain, device_domain_deprecated;
 type touch_fw_update_exec, exec_type, file_type;
 type touch_fw_update_log_file, file_type, data_file_type;