commit dea9ae7aa35e9d0cda123433a5074055abe4ce83
author Jeff Vander Stoep <jeffv@google.com> Fri May 20 10:15:14 2016 -0700
committer Jeff Vander Stoep <jeffv@google.com> Fri May 20 10:15:14 2016 -0700
tree 894c7f2cf027a23847d66ab562e70a7812a9e10a
parent acfa0271b6b26a00f019c157b0d0051e411182b4

deprecate domain_deprecated

Move device specific policy to a local device_domain_deprecated attribute
to focus effort on core policy.

Bug: 28760354
Change-Id: Id08cc74a3a2c7b8ff242b3c6f26bd514e6855a48

sepolicy/atfwd.te

diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te
index 069a97b..a157184 100644
--- a/sepolicy/atfwd.te
+++ b/sepolicy/atfwd.te
@@ -1,4 +1,4 @@
-type atfwd, domain, domain_deprecated;
+type atfwd, domain, device_domain_deprecated;
 type atfwd_exec, exec_type, file_type;
 
 # Started by init

sepolicy/attributes

diff --git a/sepolicy/attributes b/sepolicy/attributes
new file mode 100644
index 0000000..d140949
--- /dev/null
+++ b/sepolicy/attributes
@@ -0,0 +1,4 @@
+# domain_deprecated attribute is being removed from core policy. Leave it
+# in device-specific policy for device-specific domains. Unlike core policy,
+# device-specific policy will eventually be deprecated.
+attribute device_domain_deprecated;

sepolicy/bullhead-sh.te

diff --git a/sepolicy/bullhead-sh.te b/sepolicy/bullhead-sh.te
index d18ee50..0ca91d7 100644
--- a/sepolicy/bullhead-sh.te
+++ b/sepolicy/bullhead-sh.te
@@ -1,4 +1,4 @@
-type bullhead-sh, domain, domain_deprecated;
+type bullhead-sh, domain, device_domain_deprecated;
 type bullhead-sh_exec, exec_type, file_type;
 
 # Started by init

sepolicy/camera.te

diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index cfc5472..e62310b 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -1,5 +1,5 @@
 # Qualcomm MSM camera
-type camera, domain, domain_deprecated;
+type camera, domain, device_domain_deprecated;
 type camera_exec, exec_type, file_type;
 
 init_daemon_domain(camera)

sepolicy/cnd.te

diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index f245f43..abe2de0 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,5 +1,5 @@
 # Connectivity Engine Observer Interface daemon (cnd)
-type cnd, domain, domain_deprecated;
+type cnd, domain, device_domain_deprecated;
 type cnd_exec, exec_type, file_type;
 
 init_daemon_domain(cnd)

sepolicy/cnss_diag.te

diff --git a/sepolicy/cnss_diag.te b/sepolicy/cnss_diag.te
index 5c10ced..1ae6939 100644
--- a/sepolicy/cnss_diag.te
+++ b/sepolicy/cnss_diag.te
@@ -1,7 +1,7 @@
 type cnss_diag_exec, exec_type, file_type;
 
 userdebug_or_eng(`
-  type cnss_diag, domain, domain_deprecated;
+  type cnss_diag, domain, device_domain_deprecated;
 
   init_daemon_domain(cnss_diag)
 

sepolicy/device_domain_deprecated.te

diff --git a/sepolicy/device_domain_deprecated.te b/sepolicy/device_domain_deprecated.te
new file mode 100644
index 0000000..bbe0b71
--- /dev/null
+++ b/sepolicy/device_domain_deprecated.te
@@ -0,0 +1,36 @@
+allow device_domain_deprecated adbd:unix_stream_socket connectto;
+allow device_domain_deprecated adbd:fd use;
+allow device_domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow device_domain_deprecated rootfs:dir r_dir_perms;
+allow device_domain_deprecated rootfs:file r_file_perms;
+allow device_domain_deprecated rootfs:lnk_file r_file_perms;
+allow device_domain_deprecated device:file read;
+allow device_domain_deprecated system_file:dir r_dir_perms;
+allow device_domain_deprecated system_file:file r_file_perms;
+allow device_domain_deprecated system_file:lnk_file r_file_perms;
+allow device_domain_deprecated system_data_file:file { getattr read };
+allow device_domain_deprecated system_data_file:lnk_file r_file_perms;
+allow device_domain_deprecated apk_data_file:dir { getattr search };
+allow device_domain_deprecated apk_data_file:file r_file_perms;
+allow device_domain_deprecated apk_data_file:lnk_file r_file_perms;
+allow device_domain_deprecated dalvikcache_data_file:dir { search getattr };
+allow device_domain_deprecated dalvikcache_data_file:file r_file_perms;
+allow device_domain_deprecated cache_file:dir r_dir_perms;
+allow device_domain_deprecated cache_file:file { getattr read };
+allow device_domain_deprecated cache_file:lnk_file r_file_perms;
+allow device_domain_deprecated ion_device:chr_file rw_file_perms;
+allow device_domain_deprecated proc:dir r_dir_perms;
+allow device_domain_deprecated proc:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated sysfs:dir r_dir_perms;
+allow device_domain_deprecated sysfs:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated inotify:dir r_dir_perms;
+allow device_domain_deprecated inotify:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated cgroup:dir r_dir_perms;
+allow device_domain_deprecated cgroup:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated proc_meminfo:file r_file_perms;
+allow device_domain_deprecated proc_net:dir r_dir_perms;
+allow device_domain_deprecated proc_net:{ file lnk_file } r_file_perms;
+allow device_domain_deprecated selinuxfs:dir r_dir_perms;
+allow device_domain_deprecated selinuxfs:file r_file_perms;
+allow device_domain_deprecated asec_public_file:file r_file_perms;
+allow device_domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;

sepolicy/ims.te

diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 988c9b6..47b5145 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -1,5 +1,5 @@
 # For IP Multimedia Subsystem(IMS) functionality
-type ims, domain, domain_deprecated;
+type ims, domain, device_domain_deprecated;
 type ims_exec, exec_type, file_type;
 
 # Started by init

sepolicy/init-power-sh.te

diff --git a/sepolicy/init-power-sh.te b/sepolicy/init-power-sh.te
index 38521ba..8a71db8 100644
--- a/sepolicy/init-power-sh.te
+++ b/sepolicy/init-power-sh.te
@@ -1,4 +1,4 @@
-type init-power-sh, domain, domain_deprecated;
+type init-power-sh, domain, device_domain_deprecated;
 type init-power-sh_exec, exec_type, file_type;
 
 init_daemon_domain(init-power-sh)

sepolicy/irsc_util.te

diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te
index 0b93d98..4da6f6a 100644
--- a/sepolicy/irsc_util.te
+++ b/sepolicy/irsc_util.te
@@ -1,4 +1,4 @@
-type irsc_util, domain, domain_deprecated;
+type irsc_util, domain, device_domain_deprecated;
 type irsc_util_exec, exec_type, file_type;
 init_daemon_domain(irsc_util)
 

sepolicy/location.te

diff --git a/sepolicy/location.te b/sepolicy/location.te
index f62c02e..0249729 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1,5 +1,5 @@
 # loc_launcher service
-type location, domain, domain_deprecated;
+type location, domain, device_domain_deprecated;
 type location_exec, exec_type, file_type;
 
 init_daemon_domain(location)

sepolicy/msm_irqbalanced.te

diff --git a/sepolicy/msm_irqbalanced.te b/sepolicy/msm_irqbalanced.te
index b3c8392..6e3730f 100644
--- a/sepolicy/msm_irqbalanced.te
+++ b/sepolicy/msm_irqbalanced.te
@@ -1,4 +1,4 @@
-type msm_irqbalanced, domain, domain_deprecated;
+type msm_irqbalanced, domain, device_domain_deprecated;
 type msm_irqbalanced_exec, exec_type, file_type;
 init_daemon_domain(msm_irqbalanced)
 

sepolicy/netmgrd.te

diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 20a3535..5a1d0f5 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,5 +1,5 @@
 # Network utilities (radio process)
-type netmgrd, domain, domain_deprecated;
+type netmgrd, domain, device_domain_deprecated;
 type netmgrd_exec, exec_type, file_type;
 
 # Uses network sockets.

sepolicy/perfd.te

diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
index 8c804ce..d269c4f 100644
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te
@@ -1,4 +1,4 @@
-type perfd, domain, domain_deprecated;
+type perfd, domain, device_domain_deprecated;
 type perfd_exec, exec_type, file_type;
 
 init_daemon_domain(perfd)

sepolicy/peripheral_manager.te

diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te
index 395155d..fd78f5e 100644
--- a/sepolicy/peripheral_manager.te
+++ b/sepolicy/peripheral_manager.te
@@ -1,6 +1,6 @@
 #Policy for peripheral_manager
 #per_mgr - peripheral_manager domain
-type per_mgr, domain, domain_deprecated;
+type per_mgr, domain, device_domain_deprecated;
 
 type per_mgr_exec, exec_type, file_type;
 init_daemon_domain(per_mgr);

sepolicy/qmux.te

diff --git a/sepolicy/qmux.te b/sepolicy/qmux.te
index fdd31e5..1c69706 100644
--- a/sepolicy/qmux.te
+++ b/sepolicy/qmux.te
@@ -1,5 +1,5 @@
 # Qualcomm Management Interface Multiplexer
-type qmux, domain, domain_deprecated;
+type qmux, domain, device_domain_deprecated;
 type qmux_exec, exec_type, file_type;
 net_domain(qmux)
 

sepolicy/qti.te

diff --git a/sepolicy/qti.te b/sepolicy/qti.te
index 732d7c0..dfebb73 100644
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
@@ -1,5 +1,5 @@
 # Policy for qti
-type qti, domain, domain_deprecated;
+type qti, domain, device_domain_deprecated;
 type qti_exec, exec_type, file_type;
 
 # Started by init

sepolicy/rmt.te

diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index e4c4b09..8c91f55 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -1,5 +1,5 @@
 # remote storage process (runs as nobody)
-type rmt, domain, domain_deprecated;
+type rmt, domain, device_domain_deprecated;
 type rmt_exec, exec_type, file_type;
 
 # Started by init

sepolicy/sensortool.te

diff --git a/sepolicy/sensortool.te b/sepolicy/sensortool.te
index 04e39f9..4bdb9e2 100644
--- a/sepolicy/sensortool.te
+++ b/sepolicy/sensortool.te
@@ -1,4 +1,4 @@
-type sensortool, domain, domain_deprecated;
+type sensortool, domain, device_domain_deprecated;
 type sensortool_exec, exec_type, file_type;
 
 init_daemon_domain(sensortool)

sepolicy/ssr.te

diff --git a/sepolicy/ssr.te b/sepolicy/ssr.te
index f9be021..6763d7e 100644
--- a/sepolicy/ssr.te
+++ b/sepolicy/ssr.te
@@ -1,4 +1,4 @@
-type ssr, domain, domain_deprecated;
+type ssr, domain, device_domain_deprecated;
 type ssr_exec, exec_type, file_type;
 
 # Started by init

sepolicy/start_hci_filter.te

diff --git a/sepolicy/start_hci_filter.te b/sepolicy/start_hci_filter.te
index e46440b..2bc69ec 100644
--- a/sepolicy/start_hci_filter.te
+++ b/sepolicy/start_hci_filter.te
@@ -1,5 +1,5 @@
 #Policy for start_hci_filter
-type start_hci_filter, domain, domain_deprecated;
+type start_hci_filter, domain, device_domain_deprecated;
 type start_hci_filter_exec, exec_type, file_type;
 
 init_daemon_domain(start_hci_filter);

sepolicy/thermal-engine.te

diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 3aea48b..e89d09a 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,5 +1,5 @@
 # Temperature sensor daemon (root process)
-type thermal-engine, domain, domain_deprecated;
+type thermal-engine, domain, device_domain_deprecated;
 type thermal-engine_exec, exec_type, file_type;
 
 # Started by init

sepolicy/time_daemon.te

diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
index 90a66cd..a4c4c2b 100644
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@@ -1,5 +1,5 @@
 # Policies for time daemon
-type time_daemon, domain, domain_deprecated;
+type time_daemon, domain, device_domain_deprecated;
 type time_daemon_exec, exec_type, file_type;
 type time_data_file, file_type, data_file_type;
 

sepolicy/wcnss_service.te

diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
index c243a09..eb61dd5 100644
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@@ -1,4 +1,4 @@
-type wcnss_service, domain, domain_deprecated;
+type wcnss_service, domain, device_domain_deprecated;
 type wcnss_service_exec, exec_type, file_type;
 
 init_daemon_domain(wcnss_service)