authorrepo sync <gcondra@google.com>2013-05-17 17:11:29 -0700
committerrepo sync <gcondra@google.com>2013-05-20 11:08:05 -0700
commit77d4731e9d30c8971e076e2469d6957619019921 (patch)
treea09ca764a3474bfaf20c0aafee0bf3a907d382fe /drmserver.te
parent42cabf341c8a600a218023ec69b3518e3d3d482c (diff)
Make all domains unconfined.
This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
Diffstat (limited to 'drmserver.te')
-rw-r--r--drmserver.te27
1 files changed, 1 insertions, 26 deletions
diff --git a/drmserver.te b/drmserver.te
index 79f8613..c9fc5f6 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -4,29 +4,4 @@ permissive drmserver;
type drmserver_exec, exec_type, file_type;
init_daemon_domain(drmserver)
-typeattribute drmserver mlstrustedsubject;
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-# Talk to the tee
-allow drmserver tee:unix_stream_socket { connectto };
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver apk_data_file:dir { write add_name remove_name };
-allow drmserver apk_data_file:sock_file { create setattr unlink };
-allow drmserver sdcard_type:file { read write getattr };
-allow drmserver efs_file:file { open read getattr };
+unconfined_domain(drmserver)
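Review bot: The added `unconfined_domain(drmserver)` on the last line has no comment marking it as a temporary relaxation, and the rules it replaces were the only in-file record of what drmserver needs (Binder to system, appdomain and mediaserver, the tee socket and device, `drm_data_file`). I would put a comment above it such as `# TEMPORARY: unconfined to silence base-policy denials; re-derive least-privilege rules (binder, tee, drm_data_file) before dropping 'permissive drmserver'`. The hunk header shows the domain is still `permissive`, so nothing is enforced today. Presumably an unconfined domain also stops producing the denial logs that would be used to rebuild a tight policy, so the tightening planned in the description needs another source for the required access set. The macro's definition is outside this hunk, so its exact grant set should be confirmed there.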