Make all domains unconfined.

This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
author: repo sync <gcondra@google.com> 2013-05-17 17:11:29 -0700
committer: repo sync <gcondra@google.com> 2013-05-20 11:08:05 -0700
commit: 77d4731e9d30c8971e076e2469d6957619019921 (patch)
tree: a09ca764a3474bfaf20c0aafee0bf3a907d382fe /tee.te
parent: 42cabf341c8a600a218023ec69b3518e3d3d482c (diff)
download: android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.tar.gz
android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.tar.bz2
android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.zip
1 files changed, 2 insertions, 6 deletions
diff --git a/tee.te b/tee.te
index dad3505..79f8d13 100644
--- a/tee.te
+++ b/tee.te
@@ -2,14 +2,10 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
-permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
 
+permissive tee;
+unconfined_domain(netd)
 init_daemon_domain(tee)
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir { getattr write add_name };
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket { create bind read };
author	repo sync <gcondra@google.com>	2013-05-17 17:11:29 -0700
committer	repo sync <gcondra@google.com>	2013-05-20 11:08:05 -0700
commit	77d4731e9d30c8971e076e2469d6957619019921 (patch)
tree	a09ca764a3474bfaf20c0aafee0bf3a907d382fe /tee.te
parent	42cabf341c8a600a218023ec69b3518e3d3d482c (diff)
download	android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.tar.gz android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.tar.bz2 android_external_sepolicy-77d4731e9d30c8971e076e2469d6957619019921.zip