May 29, 2014

Nick Kralevich authored
Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9

Stephen Smalley authored
/data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Nick Kralevich authored

May 28, 2014

Nick Kralevich authored

Nick Kralevich authored
As suggested in https://android-review.googlesource.com/95966, remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves. Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4

Nick Kralevich authored

Nick Kralevich authored
Allow the shell user to see the dmesg output. This data is already available via "adb bugreport", but isn't easy to access. Bug: 10020939 Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177

Torne (Richard Coles) authored

May 27, 2014

Nick Kralevich authored
Denials generated from the su domain aren't meaningful security warnings, and just serve to confuse people. Don't log them. Change-Id: Id38314d4e7b45062c29bed63df4e50e05e4b131e

Stephen Smalley authored
System UID apps want to be able to create/write to system-owned /data directories outside of their own /data/data package directory, such as /data/system/cache and /data/misc/keychain. Restore access (which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when system_app_data_file was introduced for the /data/data package directories of system UID apps), but audit writes to system_data_file so we can look at introducing separate types for these directories in the future and ultimately remove access to the rest of the system-owned data. Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Nick Kralevich authored

Nick Kralevich authored

Stephen Smalley authored
Change I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 removed these permissions from domain.te and added them to specific domains as required. Remove the permissions from unconfineddomain as well so that they are only allowed where explicitly allowed. The earlier change already added the necessary permissions to init, kernel, and recovery so we do not need to add them here. Change-Id: Ifeb5438532a7525e64328e1c54b436e9b6f7fd3b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Torne (Richard Coles) authored
Define a domain and appropriate access rules for shared RELRO files (used for loading the WebView native library). Any app is permitted to read the files as they are public data, but only the shared_relro process is permitted to create/update them. Bug: 13005501 Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e

May 23, 2014

Nick Kralevich authored
Add a compile time assertion that most SELinux domains don't execute code from outside of the system partition. Exceptions are listed in the neverallow rule. Change-Id: I8166e29a269adca11661df3c6cda4448a42ca30d

Nick Kralevich authored
Introduce wakelock_use(). This macro declares that a domain uses wakelocks. Wakelocks require both read-write access to files in /sys/power, and CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and file access are granted at the same time. Still TODO: fix device specific wakelock use. Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115

Nick Kralevich authored

Stephen Smalley authored
Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

May 22, 2014

Nick Kralevich authored
zygote_secondary talks over a different socket named /dev/socket/zygote_secondary. Make sure it's properly labeled. See https://android-review.googlesource.com/89604

Addresses the following denial:
<12>[ 48.442004] type=1400 audit(1400801842.179:5): avc: denied { write } for pid=1082 comm="main" name="zygote_secondary" dev="tmpfs" ino=9953 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1

Bug: 13647418 Change-Id: I1ff5f1d614295a5870bb8a3992ad9167e1656c92

Nick Kralevich authored
On userdebug / eng builds, Android supports the concept of app wrapping. You can run an app wrapped by another process. This is traditionally used to run valgrind on apps, looking for memory leaks and other problems. App wrapping is enabled by running the following command:

adb shell setprop wrap.com.android.foo "TMPDIR=/data/data/com.android.foo logwrapper valgrind"

Valgrind attempts to mmap exec /system/bin/app_process, which is being denied by SELinux. Allow app_process exec.

Addresses the following denial:
<4>[ 82.643790] type=1400 audit(16301075.079:26): avc: denied { execute } for pid=1519 comm="memcheck-arm-li" path="/system/bin/app_process32" dev="mmcblk0p25" ino=61 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

Bug: 15146424 Change-Id: I65394938c53da9252ea57856d9f2de465bb30c25

May 20, 2014

Nick Kralevich authored
CTS test luni/src/test/java/libcore/java/nio/BufferTest.java function testDevZeroMapRW() requires us to be able to open /dev/zero in read-write mode. Allow it. Change-Id: I2be266875b1d190188376fd84c0996039d3c1524

Nick Kralevich authored

Nick Kralevich authored

Nick Kralevich authored
As far as I know, this is never used. Get rid of it. Change-Id: Iee0fb4e3f3952a0c4cc28d0aa96ca6c462ba5211

Nick Kralevich authored
keystore may hold sensitive information in its memory. Don't allow anyone to ptrace keystore. Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f

May 19, 2014

Nick Kralevich authored
installd is expected to be handling unlabeled apps. Don't emit an audit rule when it occurs. Change-Id: Ia173914ff4d1b8368a18f326494eda8173d30192

May 17, 2014

Nick Kralevich authored
On an upgrade from 4.2 to tip-of-tree master, there are still a number of files which aren't properly labeled. Restore the unlabeled compat rules until we can get everything properly labeled. It's not ideal, but it works around the immediate problem.

After applying https://android-review.googlesource.com/94966, I'm still seeing the following denials.

<4>[ 12.040639] type=1400 audit(1400289656.430:4): avc: denied { read } for pid=143 comm="installd" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[ 168.289170] type=1400 audit(1400289812.680:5): avc: denied { getattr } for pid=1079 comm="system_server" path="/data/data/com.android.backupconfirm" dev=mmcblk0p9 ino=112676 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 169.088406] type=1400 audit(1400289813.480:6): avc: denied { read } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 169.088790] type=1400 audit(1400289813.480:7): avc: denied { open } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 169.089205] type=1400 audit(1400289813.480:8): avc: denied { write } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 169.089615] type=1400 audit(1400289813.480:9): avc: denied { remove_name } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 169.090024] type=1400 audit(1400289813.480:10): avc: denied { unlink } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[ 169.090350] type=1400 audit(1400289813.480:11): avc: denied { rmdir } for pid=143 comm="installd" name="com.android.renderscript.cache" dev=mmcblk0p9 ino=112902 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 171.875822] type=1400 audit(1400289816.260:12): avc: denied { unlink } for pid=143 comm="installd" name="8882B60ADE91B9E4.toc" dev=mmcblk0p9 ino=112903 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[ 180.615263] type=1400 audit(1400289825.000:13): avc: denied { rename } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[ 180.615578] type=1400 audit(1400289825.000:14): avc: denied { setattr } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[ 393.934310] type=1400 audit(1400290038.320:15): avc: denied { read } for pid=2410 comm="d.process.acore" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[ 399.370936] type=1400 audit(1400290043.760:16): avc: denied { read } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[ 399.371792] type=1400 audit(1400290043.760:17): avc: denied { getattr } for pid=2998 comm="SharedPreferenc" path="/data/data/com.google.android.backuptransport/shared_prefs/BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[ 399.372219] type=1400 audit(1400290043.760:18): avc: denied { open } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
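The denials quoted in these commits all share the kernel's AVC audit format, and each one was turned into a source type / target type / object class / permission tuple before being addressed. As an added example that is not part of any commit on this page, the following Python parses such lines and aggregates them into that tuple form (the same reduction audit2allow performs), recording whether each was logged under permissive=1; the sample lines are copied from the denials quoted above.

```python
import re
from collections import defaultdict

# Sample input: three AVC denials copied from the commit messages on this page.
DENIALS = """\
<12>[ 48.442004] type=1400 audit(1400801842.179:5): avc: denied { write } for pid=1082 comm="main" name="zygote_secondary" dev="tmpfs" ino=9953 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
<4>[ 169.088406] type=1400 audit(1400289813.480:6): avc: denied { read } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 169.088790] type=1400 audit(1400289813.480:7): avc: denied { open } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
"""

# perms sit inside the braces; scontext/tcontext/tclass follow in fixed order.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?P<rest>.*)$"
)

def parse_denial(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Contexts look like u:r:TYPE:s0 / u:object_r:TYPE:s0; the type is field 3.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": stype, "ttype": ttype, "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not actually blocked.
        "permissive": "permissive=1" in m.group("rest"),
    }

def summarize(text):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {key: frozenset(perms) for key, perms in rules.items()}

def to_allow_rules(summary):
    """Render each tuple as the allow rule a policy author would review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(DENIALS)):
        print(rule)
```

A generated rule whose target type is unlabeled, as in the commit above, points at a file-labeling gap to be fixed in the contexts rather than a permission to grant permanently.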

Elliott Hughes authored

Elliott Hughes authored
Bug: 15021938 Change-Id: Id815640302efde3ae089da33ff8e2cb7daee8bfd

May 16, 2014

Stephen Smalley authored
Change-Id: Id6d9a7cabc2fe9c18de10c6e9bc0080cdcd7033d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

dcashman authored

May 15, 2014

Nick Kralevich authored

Mark Salyzyn authored

Nick Kralevich authored

Narayan Kamath authored
app_process is now a symlink to app_process32 or app_process64, so we have to update the selinux rules to explicitly refer to them. See change 5a7ee9ad63d for context. Change-Id: I7f7a107d79a8f7a3c193f97809e1e737540258f1

May 14, 2014

Nick Kralevich authored

Nick Kralevich authored

Sreeram Ramachandran authored

Nick Kralevich authored