This reverts commit d4785c37.

Temporarily revert to fix crosshatch.

Test: crosshatch now builds

Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.

Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
    and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye

Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e

Exclude vendor processes.

Bug: 69309298
Test: cts-tradefed run cts -m CtsCompilationTestCases
    completed in 33s. 5 passed, 0 failed
Test: runtest frameworks-services -c \
    com.android.server.pm.dex.DexoptOptionsTests \
    --install=".*FrameworksServicesTests.apk"
    OK (5 tests)

Change-Id: Ic02caf373e2214b4b931a724ca8d4f4effbc0741

Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.

Addresses:
avc:  denied  { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f

1. remove some duplicate permissions.
2. Grant permissions to su for dgram sockets in a way that is
   consistent to how we grant permissions to stream_sockets.

Bug: 34980020
Test: build
Change-Id: I50e01d51444a70ead3ef40b52eda8eb29732b46c

First pass at adding vendor_init.te

Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68

The use of SIOCATMARK is not recommended per rfc6093.

This ioctl is not currently allowed on Android. Add a neverallowxperm
statement (compile time assertion + CTS test) to ensure this never
regresses.

Bug: 68014825
Test: policy compiles.
Change-Id: I41272a0cb157ac9aa38c8e67aabb8385403815f9

"append" has almost the same behavior as "write".

Test: policy compiles.
Change-Id: I3f85108e7918766f07e03f74c3f1d8e8084042b3

Duplicate of "allow domain su:fd use;"

Test: policy compiles.
Change-Id: I81d86a8b325d619d3ecc9450a011d6646605cab9

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

This reverts commit b5dd44b1.

Bug: 65206688

Change-Id: I00431ae7834a562e34e8959446d84a0077834091

screencap domain needs additional permissions for
dumpstate to dump screenshots.

Test: adb shell cmd activity bug-report
Bug: 65206688
Change-Id: I824f345fd90d286454d570576c5888d7719c4c5c

Iot would like to allow bootanim to load libraries from /oem but in order for
device-specfic sepolicies to grant exec this global restriction needs to
be relaxed.

Bug: 37992717
Test: Tested with Iot sepolicies in effect and bootanim can exec.
Change-Id: I6462bf510562eb3fb06304e50b68fba05d37b285

This is needed to retain app's previous access to
/sys/devices/system/cpu. When these files were previously
labeled in file_contexts, symlinks were labeled as
sysfs_devices_system_cpu. When labeling was moved to genfs_contexts
symlinks all have the default sysfs label.

avc: denied { getattr } for comm="main"
path="/sys/devices/system/cpu/cpu0/cpufreq" dev="sysfs" ino=41897
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0

Change-Id: Idaa565390bca13d3819e147fcea4214956c0f589
Bug: 64270911
Test: build aosp_marlin
(cherry picked from commit 8d021a94)

This is needed to retain app's previous access to
/sys/devices/system/cpu. When these files were previously
labeled in file_contexts, symlinks were labeled as
sysfs_devices_system_cpu. When labeling was moved to genfs_contexts
symlinks all have the default sysfs label.

avc: denied { getattr } for comm="main"
path="/sys/devices/system/cpu/cpu0/cpufreq" dev="sysfs" ino=41897
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0

Change-Id: Idaa565390bca13d3819e147fcea4214956c0f589
Bug: 64270911
Test: build aosp_marlin

This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/



Only, making sure we add the same map permissions for the vendor
directory.

Signed-off-by: John Stultz <john.stultz@linaro.org>

(cherry picked from commit 24537b2e)

Bug: 65011018
Test: policy compiles.
Change-Id: I4d0319011ef4ef043134bf299dc4823a6c418717

Configstore HAL uses a seccomp filter which blocks the standard
path of execing crash_dump to collect crash data. Add permission
to use crash_dump's fallback mechanism.

Allowing configstore to write to the socket provided by tombstoned
required either exempting configstore from a neverallow rule, or
removing the neverallow rule entirely. Since the neverallow rule
could potentially prevent partners for doing security hardening,
it has been removed.

Bug: 64768925
Bug: 36453956

Test: killall -ABRT android.hardware.configstore@1.1-service
    Results in a call stack in logcat, and tombstone in
    /data/tombstones
Test: configstore runs without crashing
Test: SANITIZE_TARGET="address coverage" make vts -j64
    vts-tradefedrun commandAndExit vts --skip-all-system-status-check \
    -primary-abi-only --skip-preconditions -l VERBOSE --module \
    VtsHalConfigstoreV1_0IfaceFuzzer

Change-Id: I1ed5265f173c760288d856adb9292c4026da43d6
(cherry picked from commit 9924d782)

This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/



Only, making sure we add the same map permissions for the vendor
directory.

Change-Id: Ia965df2881cdee8bb5d81278a1eb740def582871
Signed-off-by: John Stultz <john.stultz@linaro.org>

Configstore HAL uses a seccomp filter which blocks the standard
path of execing crash_dump to collect crash data. Add permission
to use crash_dump's fallback mechanism.

Allowing configstore to write to the socket provided by tombstoned
required either exempting configstore from a neverallow rule, or
removing the neverallow rule entirely. Since the neverallow rule
could potentially prevent partners for doing security hardening,
it has been removed.

Bug: 64768925
Bug: 36453956

Test: killall -ABRT android.hardware.configstore@1.1-service
    Results in a call stack in logcat, and tombstone in
    /data/tombstones
Test: configstore runs without crashing
Test: SANITIZE_TARGET="address coverage" make vts -j64
    vts-tradefedrun commandAndExit vts --skip-all-system-status-check \
    -primary-abi-only --skip-preconditions -l VERBOSE --module \
    VtsHalConfigstoreV1_0IfaceFuzzer

Change-Id: I1ed5265f173c760288d856adb9292c4026da43d6

Prevent files in /proc from incorrectly having sysfs_type attribute.

Rework neverallows so that ueventd has write access to all of
/sys which it needs to handle uevents.

Bug: 63147833
Test: Build. Flash angler, verify files are correctly labeled and no
    new denials are in the logs.

Change-Id: Ib94d44e78cee0e83e2ac924f1c72e611e8e73558

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

Test: Policy builds

Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change fb889f23 "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.

In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.

Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    armeabi-v7a CtsSecurityHostTestCases completed in 4s.
    501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

Change fb889f23 "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.

In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.

Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    armeabi-v7a CtsSecurityHostTestCases completed in 4s.
    501 passed, 0 failed, 0 not executed
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

NOTE: This change is marked dnma because we don't want it on
oc-dr1-dev-plus-aosp or any other downstream branch. Moreover,
oc-dr1-dev-plus-aosp is the only outgoing merger from oc-dr1-dev for
this project.

This reverts commit 11bfcc1e.

Bug: 62908344
Test: make
Change-Id: Ide61829cf99f15777c46f657a0e140d594f88243

bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028

Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: I47b4e79260bcd2967d85d8151c83e624d432f409

This reverts commit 527f64e6.

Change-Id: Ibc48af53431a8f7c7211999dcb571f492fb5ddb4

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: Ia57dbbc3987d8858c932103c4e546cbb88893207

This is sometimes used for communication with the bootloader.

Bug: 62052545
Test: Build
Change-Id: I3ae37793407719e55ab0830129aa569c9018f7da

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

With build/core eaa9d88cf, system_server should not be loading code
from /data.

https://bugs.chromium.org/p/project-zero/issues/detail?id=955

Bug: 37214733
Bug: 31780877
Test: Device boots and no obvious problems.
Test: No collected SELinux denials for build-server generated builds.
Change-Id: I37b1e9e6c4555c937730ab491b6c38801b38ad38

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b84)

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layes of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already as, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d