On 64 bit systems, it's necessary to read the /system/bin executables
elf header to determine if it's a 32 bit or 64 bit executable to
contact the correct debuggerd service.

Bug: 17487122
Change-Id: Ica78aa54e5abbb051924166c6808b79b516274fe

Remove permission from appdomain.

Bug: 16866291

Change-Id: I37936fed33c337e1ab2816258c2aff52700af116

When vold mounts an OBB on behalf of another application, the kernel
spins up the "loop0" thread to perform the mount operation. Grant
the kernel thread the ability to read app data files, so the mount
operation can succeed.

Steps to reproduce:

  1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java

Expected:

  1) All tests pass

Actual:

  Test failure, with the following error message:

  loop0   : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
  Vold    : Image mount failed (I/O error)
  MountService: Couldn't mount OBB file: -1
  StorageManager: Received message.  path=/data/data/com.android.cts.stub/files/test1.obb, state=21
  TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest)
  TestRunner: ----- begin exception -----
  TestRunner: junit.framework.AssertionFailedError: OBB should be mounted
  TestRunner:    at junit.framework.Assert.fail(Assert.java:50)
  TestRunner:    at junit.framework.Assert.assertTrue(Assert.java:20)
  TestRunner:    at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235)

Bug: 17428116
Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a

Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53

If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:

  sdcard  : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0

Allow the operation.

Steps to reproduce:

  1) adb shell into the device and su to root
  2) run "kill -9 [PID OF SDCARD]

Expected:

  sdcard daemon successfully restarts without error message.

Actual:

  SELinux denial above, plus attempts to mount a new filesystem
  on top of the existing filesystem.

Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4

I/auditd(19949): type=1400 audit(0.0:71): avc:  denied  { write } for  comm="logcat" name="logd" dev="tmpfs" ino=5924 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file

(cherry picked from 60f0be84)

Bug: 17323719
Change-Id: Id8399195196ffad884eef98030d544c68ed0596f

Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e

Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a

Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.

Bug: 17288791

Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99

The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.

Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"

Expected:

  APK installs successfully.

Actual:

  APK fails to install. Error message:

    Vold  E  Failed to write superblock (I/O error)
    loop0  W  type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
    PackageHelper  E  Failed to create secure container smdl1645334795.tmp
    DefContainer  E  Failed to create container smdl1645334795.tmp

Bug: 17158723

(cherry picked from commit 4c6b1350)

Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd

Address:
type=1400 audit(0.0:103): avc: denied { read } for name="arm" dev="mmcblk0p28" ino=195471 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 16204150
Change-Id: I8bf0172b26b780c110c0d95c691785143acd7dd2

Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash.  Full read permissions may not be necessary:

W/debuggerd(  185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir

Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164

The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission.   Required for:
https://android-review.googlesource.com/#/c/101800/



Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow.  This verifier runs as
a priv-app, which is in the untrusted_app domain.  Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e

Add patchoat selinux rules.

Bug: 15358152

(cherry picked from commit fbc8ec2e)

Change-Id: Ic84a370548393be62db740092e8393b662bcf345

Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.

For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains).  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.

For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context.  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 21ada26d)

Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e

b/16324360

Change-Id: I4adacdb1d87badfaa109da200aae91869b9786a8

This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8

Looks like system server doesn't let you start a service without
white listing anymore.

Bug: 16628456

Change-Id: I0f6df8fd2afa24f4a1758a90cb5f8e451e0edb6a

This reverts commit 10370f5f.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d

As described in the system/core commit with the same Change-Id,
there's a race condition between installd and sdcard when it
comes to accessing /data/media. Resolve the race by checking
/data/.layout_version to make sure the filesystem has been upgraded.

Maybe indirectly fixes the following SELinux denial:

  sdcard  : type=1400 audit(0.0:3): avc: denied { write } for name="media" dev="mmcblk0p17" ino=102753 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b

Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7

Change-Id: I427c0f4828d45f2c43206c09cb37e3eb30455dee

b/16324360

Change-Id: If79f293a547deef570a80a5569ff8eb973ce29be

Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 4644ac48)

Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621

Addresses the denial in charger mode:
[   17.993733] type=1400 audit(1405412231.119:4): avc:  denied  { search } for  pid=123 comm="charger" name="/" dev="pstore" ino=10287 scontext=u:r:healthd:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=0

(cherry picked from commit bb96bffc)

Change-Id: I2dde6adc3ff99df99409d4da3ef32c3987228801

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc205)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f

Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea3)

Change-Id: I25354db2add3135335c80be2c2d350e526137572

Add com.android.net.IProxyService as a system_server_service
to service_contexts.

Bug: 16369427

(cherry picked from commit 26d6371c)

Change-Id: I3e58681971683bdc7f26a1d130c8bcf8ffcb89e2

https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.

For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.

Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.

(cherry picked from commit 8a5b28d2)

Change-Id: I39baaf62058986d35ad43de708aaa3daf93b2df4

Change-Id: I66a88b5dafc295e6daa9f4c0225aa593c97fe187

dex2oat fails when upgrading unlabeled asec containers.

Steps to reproduce:

1) Install a forward locked app on Android 4.1
  adb install -l foo.apk
2) Upgrade to tip-of-tree

Addresses the following denial:

  <4>[  379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

(cherry picked from commit 270be6e8)

Change-Id: I58dc6ebe61a5b5840434077a55f1afbeed602137

addresses the following denial:

  type=1400 audit(1.871:3): avc:  denied  { ipc_lock } for  pid=1406 comm="lmkd" capability=14  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

Bug: 16236289

(cherry picked from commit 6a1405d7)

Change-Id: I560f1e52eac9360d10d81fc8a9f60eba907a8466