sepolicy: make all exec_types a subset of vendor_file_type

Vendor specific files installed by device/XXX/YYY in /vendor MUST be
a subset of 'vendor_file_type'. This is to make sure the rules defined
in the platform policy for 'vendor_file_type' work appropriately.

Bug: 36463595
Test: Boot sailfish without any new denials

Change-Id: I39b0aebe5c2585cfc186088f7d594cb70ff7918d
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te
index cca3ce6..765118f 100644
--- a/sepolicy/adsprpcd.te
+++ b/sepolicy/adsprpcd.te
@@ -1,5 +1,5 @@
 type adsprpcd, domain;
-type adsprpcd_exec, exec_type, file_type;
+type adsprpcd_exec, exec_type, vendor_file_type, file_type;
 type adsprpcd_device, dev_type;
 
 # Started by init
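Review bot: Adding `vendor_file_type` to `adsprpcd_exec` (and to every other `*_exec` type in this commit) makes each platform rule keyed on that attribute apply to these files, allow rules as well as neverallows. The stated test, booting without new denials, shows only access that was lost, not access that was newly granted. Neverallows are presumably checked at build time, but the widened allow set is worth confirming by comparing the compiled policy before and after, for example with a `sesearch` query over `vendor_file_type` targets. The rest of adsprpcd.te lies outside the hunk.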
diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te
index 780e967..6f2caa5 100644
--- a/sepolicy/atfwd.te
+++ b/sepolicy/atfwd.te
@@ -1,5 +1,5 @@
 type atfwd, domain;
-type atfwd_exec, exec_type, file_type;
+type atfwd_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(atfwd)
 
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index 1477eb7..f1b9f22 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -1,5 +1,5 @@
 type camera, domain;
-type camera_exec, exec_type, file_type;
+type camera_exec, exec_type, vendor_file_type, file_type;
 
 # Started by init
 init_daemon_domain(camera)
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 79a1a4d..2226ecc 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,5 +1,5 @@
 type cnd, domain;
-type cnd_exec, exec_type, file_type;
+type cnd_exec, exec_type, vendor_file_type, file_type;
 
 # cnd creates /dev/socket/nims
 file_type_auto_trans(cnd, socket_device, cnd_socket);
diff --git a/sepolicy/cnss-daemon.te b/sepolicy/cnss-daemon.te
index 935c714..99faf07 100644
--- a/sepolicy/cnss-daemon.te
+++ b/sepolicy/cnss-daemon.te
@@ -1,6 +1,6 @@
 # Policy for /system/bin/cnss-daemon
 type cnss-daemon, domain;
-type cnss-daemon_exec, exec_type, file_type;
+type cnss-daemon_exec, exec_type, vendor_file_type, file_type;
 
 allow cnss-daemon self:capability {
     net_bind_service
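Review bot: The header comment `# Policy for /system/bin/cnss-daemon` now contradicts the `vendor_file_type` label on `cnss-daemon_exec`, so a reader cannot tell which partition the binary is expected on. If the binary is installed under /vendor, update the comment to `# Policy for /vendor/bin/cnss-daemon`; if it really ships in /system, the new attribute is wrong for this type. The same mismatch appears in the irsc_util.te, mm-pp-daemon.te, qmuxd.te, rmt.te, ssr_setup.te and time.te hunks. The file_contexts entries that would settle it are not part of this diff.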
diff --git a/sepolicy/cnss_diag.te b/sepolicy/cnss_diag.te
index faf164b..2dc3dc6 100644
--- a/sepolicy/cnss_diag.te
+++ b/sepolicy/cnss_diag.te
@@ -1,6 +1,6 @@
 # Policy for /vendor/bin/cnss_diag
 type cnss_diag, domain;
-type cnss_diag_exec, exec_type, file_type;
+type cnss_diag_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(cnss_diag)
 
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
index 3bc0bad..63651d8 100644
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
@@ -2,7 +2,7 @@
 type hal_drm_widevine, domain;
 hal_server_domain(hal_drm_widevine, hal_drm)
 
-type hal_drm_widevine_exec, exec_type, file_type;
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_widevine)
 
 # TODO(b/36576915): Remove this once Widevine-backed DRM HAL stops using Binder services,
diff --git a/sepolicy/hal_dumpstate_impl.te b/sepolicy/hal_dumpstate_impl.te
index 6c7cd89..4d70606 100644
--- a/sepolicy/hal_dumpstate_impl.te
+++ b/sepolicy/hal_dumpstate_impl.te
@@ -1,7 +1,7 @@
 type hal_dumpstate_impl, domain;
 hal_server_domain(hal_dumpstate_impl, hal_dumpstate)
 
-type hal_dumpstate_impl_exec, exec_type, file_type;
+type hal_dumpstate_impl_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_dumpstate_impl)
 
 # Execute dump scripts
diff --git a/sepolicy/hrdump.te b/sepolicy/hrdump.te
index 3bc5116..2cd5489 100644
--- a/sepolicy/hrdump.te
+++ b/sepolicy/hrdump.te
@@ -1,4 +1,4 @@
-type htc_ramdump_exec, exec_type, file_type;
+type htc_ramdump_exec, exec_type, vendor_file_type, file_type;
 
 userdebug_or_eng(`
 type htc_ramdump, domain;
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 1dae273..101f88f 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -1,6 +1,6 @@
 #integrated sensor process
 type ims, domain;
-type ims_exec, exec_type, file_type;
+type ims_exec, exec_type, vendor_file_type, file_type;
 
 allow ims self:capability net_bind_service;
 
diff --git a/sepolicy/imscm.te b/sepolicy/imscm.te
index f57ddd6..ef48b30 100644
--- a/sepolicy/imscm.te
+++ b/sepolicy/imscm.te
@@ -1,6 +1,6 @@
 #integrated sensor process
 type imscm, domain;
-type imscm_exec, exec_type, file_type;
+type imscm_exec, exec_type, vendor_file_type, file_type;
 
 # Started by init
 init_daemon_domain(imscm)
diff --git a/sepolicy/init-devstart-sh.te b/sepolicy/init-devstart-sh.te
index 24004d2..8a72587 100644
--- a/sepolicy/init-devstart-sh.te
+++ b/sepolicy/init-devstart-sh.te
@@ -1,5 +1,5 @@
 type init-qcom-devstart-sh, domain;
-type init-qcom-devstart-sh_exec, exec_type, file_type;
+type init-qcom-devstart-sh_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(init-qcom-devstart-sh)
 
diff --git a/sepolicy/init_foreground.te b/sepolicy/init_foreground.te
index 0215580..7b33694 100644
--- a/sepolicy/init_foreground.te
+++ b/sepolicy/init_foreground.te
@@ -1,5 +1,5 @@
 type init_foreground, domain;
-type init_foreground_exec, exec_type, file_type;
+type init_foreground_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(init_foreground)
 
diff --git a/sepolicy/init_mid.te b/sepolicy/init_mid.te
index 7239469..c9577af 100644
--- a/sepolicy/init_mid.te
+++ b/sepolicy/init_mid.te
@@ -1,5 +1,5 @@
 type init_mid, domain;
-type init_mid_exec, exec_type, file_type;
+type init_mid_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(init_mid)
 
diff --git a/sepolicy/init_power.te b/sepolicy/init_power.te
index c7e8e84..bf6bec5 100644
--- a/sepolicy/init_power.te
+++ b/sepolicy/init_power.te
@@ -1,5 +1,5 @@
 type init_power, domain;
-type init_power_exec, exec_type, file_type;
+type init_power_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(init_power)
 
diff --git a/sepolicy/init_radio.te b/sepolicy/init_radio.te
index 79e2548..99786fc 100644
--- a/sepolicy/init_radio.te
+++ b/sepolicy/init_radio.te
@@ -1,6 +1,6 @@
 # /vendor/bin/init.radio.sh
 type init_radio, domain;
-type init_radio_exec, exec_type, file_type;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(init_radio)
 
diff --git a/sepolicy/irqbalance.te b/sepolicy/irqbalance.te
index f4f560a..2bd1566 100644
--- a/sepolicy/irqbalance.te
+++ b/sepolicy/irqbalance.te
@@ -1,5 +1,5 @@
 type irqbalance, domain;
-type irqbalance_exec, exec_type, file_type;
+type irqbalance_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(irqbalance);
 
diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te
index 281eb28..6cc794e 100644
--- a/sepolicy/irsc_util.te
+++ b/sepolicy/irsc_util.te
@@ -1,6 +1,6 @@
 # Policy for /system/bin/irsc_util
 type irsc_util, domain;
-type irsc_util_exec, exec_type, file_type;
+type irsc_util_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(irsc_util)
 
diff --git a/sepolicy/location.te b/sepolicy/location.te
index aaa56a0..8d4c120 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1,6 +1,6 @@
 # loc_launcher service
 type location, domain;
-type location_exec, exec_type, file_type;
+type location_exec, exec_type, vendor_file_type, file_type;
 
 # STOPSHIP b/28340421
 # Temporarily grant this permission and log its use.
diff --git a/sepolicy/mm-pp-daemon.te b/sepolicy/mm-pp-daemon.te
index 02bb5f7..250daa7 100644
--- a/sepolicy/mm-pp-daemon.te
+++ b/sepolicy/mm-pp-daemon.te
@@ -1,5 +1,5 @@
 # Policy for /system/bin/mm-pp-dpps
 type mm-pp-daemon, domain;
-type mm-pp-daemon_exec, exec_type, file_type;
+type mm-pp-daemon_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(mm-pp-daemon)
diff --git a/sepolicy/nanoapp_cmd.te b/sepolicy/nanoapp_cmd.te
index 20a1c74..b492e3f 100644
--- a/sepolicy/nanoapp_cmd.te
+++ b/sepolicy/nanoapp_cmd.te
@@ -1,5 +1,5 @@
 type nanoapp_cmd, domain;
-type nanoapp_cmd_exec, exec_type, file_type;
+type nanoapp_cmd_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(nanoapp_cmd)
 
diff --git a/sepolicy/nanohub_slpi.te b/sepolicy/nanohub_slpi.te
index 5117872..59c9546 100644
--- a/sepolicy/nanohub_slpi.te
+++ b/sepolicy/nanohub_slpi.te
@@ -1,6 +1,6 @@
 # Policy for /vendor/bin/nanohub_slpi
 type nanohub_slpi, domain;
-type nanohub_slpi_exec, exec_type, file_type;
+type nanohub_slpi_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(nanohub_slpi)
 
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 0b9ceb7..92556b0 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,6 +1,6 @@
 # Policy for /vendor/bin/netmgrd
 type netmgrd, domain;
-type netmgrd_exec, exec_type, file_type;
+type netmgrd_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(netmgrd)
 net_domain(netmgrd)
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
index 8d7e773..eb382d1 100644
--- a/sepolicy/per_mgr.te
+++ b/sepolicy/per_mgr.te
@@ -1,6 +1,6 @@
 # Policy for /vendor/bin/pm-service
 type per_mgr, domain;
-type per_mgr_exec, exec_type, file_type;
+type per_mgr_exec, exec_type, vendor_file_type, file_type;
 
 allow per_mgr self:capability net_bind_service;
 
diff --git a/sepolicy/per_proxy.te b/sepolicy/per_proxy.te
index 1c12caa..af14328 100644
--- a/sepolicy/per_proxy.te
+++ b/sepolicy/per_proxy.te
@@ -1,6 +1,6 @@
 # Policy for /vendor/bin/pm-proxy
 type per_proxy, domain;
-type per_proxy_exec, exec_type, file_type;
+type per_proxy_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(per_proxy)
 
diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
index 3f0679c..3cb9fb6 100644
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te
@@ -1,5 +1,5 @@
 type perfd, domain;
-type perfd_exec, exec_type, file_type;
+type perfd_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(perfd)
 
diff --git a/sepolicy/port-bridge.te b/sepolicy/port-bridge.te
index 7f65957..7eeba2c 100644
--- a/sepolicy/port-bridge.te
+++ b/sepolicy/port-bridge.te
@@ -1,5 +1,5 @@
 type port-bridge, domain;
-type port-bridge_exec, exec_type, file_type;
+type port-bridge_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(port-bridge)
 
diff --git a/sepolicy/preloads_copy.te b/sepolicy/preloads_copy.te
index 4ee52b9..def1728 100644
--- a/sepolicy/preloads_copy.te
+++ b/sepolicy/preloads_copy.te
@@ -1,5 +1,5 @@
 type preloads_copy, domain, coredomain;
-type preloads_copy_exec, exec_type, file_type;
+type preloads_copy_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(preloads_copy)
 
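Review bot: `preloads_copy` stays declared as `type preloads_copy, domain, coredomain;` while its entry point `preloads_copy_exec` becomes a `vendor_file_type`, so the domain is tagged as platform code and its executable as vendor code. Where the platform policy enforces core/vendor separation, a core domain whose entry point is a vendor file is likely to trip those restrictions, or at least blurs which side of the boundary this daemon belongs to. If the binary is installed under /vendor, the domain line should probably become `type preloads_copy, domain;`; if it lives in /system, `preloads_copy_exec` should not join `vendor_file_type`. The install path is not visible in this hunk.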
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index 59d6c4f..c04f72c 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -1,6 +1,6 @@
 # Policy for /system/bin/qmuxd
 type qmuxd, domain;
-type qmuxd_exec, exec_type, file_type;
+type qmuxd_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(qmuxd)
 
diff --git a/sepolicy/qsee_logger.te b/sepolicy/qsee_logger.te
index 50f9eba..ecf6c61 100644
--- a/sepolicy/qsee_logger.te
+++ b/sepolicy/qsee_logger.te
@@ -1 +1 @@
-type qsee_logger_exec, exec_type, file_type;
+type qsee_logger_exec, exec_type, vendor_file_type, file_type;
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index a49bd21..dc177a1 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -1,6 +1,6 @@
 # Policy for /system/bin/rmt_storage
 type rmt, domain;
-type rmt_exec, exec_type, file_type;
+type rmt_exec, exec_type, vendor_file_type, file_type;
 
 # STOPSHIP b/28340421
 # Temporarily grant this permission and log its use.
diff --git a/sepolicy/smlog_dump.te b/sepolicy/smlog_dump.te
index d6be165..e0d1d27 100644
--- a/sepolicy/smlog_dump.te
+++ b/sepolicy/smlog_dump.te
@@ -1,4 +1,4 @@
-type smlog_dump_exec, exec_type, file_type;
+type smlog_dump_exec, exec_type, vendor_file_type, file_type;
 
 type smlog_dump, domain;
 allow smlog_dump smlog_dump_file:dir r_dir_perms;
diff --git a/sepolicy/ssr_setup.te b/sepolicy/ssr_setup.te
index 9eb3d5a..f7b7712 100644
--- a/sepolicy/ssr_setup.te
+++ b/sepolicy/ssr_setup.te
@@ -1,5 +1,5 @@
 # Policy for system/bin/ssr_setup
-type ssr_setup_exec, exec_type, file_type;
+type ssr_setup_exec, exec_type, vendor_file_type, file_type;
 type ssr_setup, domain;
 
 init_daemon_domain(ssr_setup)
diff --git a/sepolicy/subsystem_ramdump.te b/sepolicy/subsystem_ramdump.te
index 78fed67..9a6e665 100644
--- a/sepolicy/subsystem_ramdump.te
+++ b/sepolicy/subsystem_ramdump.te
@@ -1,5 +1,5 @@
 # Policy for vendor/bin/subsystem_ramdump
-type subsystem_ramdump_exec, exec_type, file_type;
+type subsystem_ramdump_exec, exec_type, vendor_file_type, file_type;
 userdebug_or_eng(`
   type subsystem_ramdump, domain;
   init_daemon_domain(subsystem_ramdump)
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 841416f..20fa28b 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,6 +1,6 @@
 # Policy for /vendor/bin/thermal-engine
 type thermal-engine, domain;
-type thermal-engine_exec, exec_type, file_type;
+type thermal-engine_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(thermal-engine)
 
diff --git a/sepolicy/time.te b/sepolicy/time.te
index e8c596b..297f66b 100644
--- a/sepolicy/time.te
+++ b/sepolicy/time.te
@@ -1,6 +1,6 @@
 # Policy for /system/bin/time_daemon
 type time, domain;
-type time_exec, exec_type, file_type;
+type time_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(time)
 
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te
index 279b314..74be430 100644
--- a/sepolicy/wcnss_filter.te
+++ b/sepolicy/wcnss_filter.te
@@ -1,6 +1,6 @@
 # Policy for /vendor/bin/wcnss_filter
 type wcnss_filter, domain;
-type wcnss_filter_exec, exec_type, file_type;
+type wcnss_filter_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(wcnss_filter)