Addresses:
avc:  denied  { find } for service=nfc pid=3355 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

BUG=29339762
Change-Id: I87479ef4607bd3e18a2fecb53909c4878e227e2b

Addresses:
avc: denied  { find } for service=media.camera pid=1589 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0

Bug: 29190415
Change-Id: I77c0337500b8ab2f5d7d3d5982c7416fc39b1522

Addresses:
avc: denied  { find } for service=media.camera pid=1589 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0

Bug: 29190415
Change-Id: I77c0337500b8ab2f5d7d3d5982c7416fc39b1522

Remove all permissions not observed during testing.

Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c

Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1

Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095

Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7

Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd

System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b

Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc
and commit 99940d1a

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868

Address the following denial:
SELinux  E  avc:  denied  { find } for service=drm.drmManager scontext=u:r:radio:s0 tcontext=u:object_r:drmserver_service:s0

which occurs when a non-default SMS app sends an MMS. The message would be
stored into system automatically in MMS service (from phone process and phone
UID). The storing of the message involves the creation of
android.drm.DrmManagerClient instance.

Change-Id: Ic4e493f183c9ce7f7ac3f74f6ea062893ea67608

Messenger can't send MMSes on the master branch. When Messenger sends
an MMS, it stores the message data in local file and publishes it
via a content provider. The URI is passed to the MMS API. The
MmsServiceBroker in system process gets the call and grant URI
permission to phone UID. The MmsService in phone process (and sharing
the phone UID) needs to read the URI to get message data to send.

Addresses the following denial:

  type=1400 audit(0.0:32): avc: denied { read } for path="/data/data/com.google.android.apps.messaging/cache/rawmms/5394791820000274558.dat" dev="mmcblk0p28" ino=83180 scontext=u:r:radio:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Change-Id: I2b694ff6c516714d3524e0613bae0f6773ed2e95

Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

They need to see when it changes so they know when netd bounces.

(cherrypicked from commit 71e9a7c4)

bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a

They need to see when it changes so they know when netd bounces.

bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc205)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d

Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.

Two bugs here:

1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.

2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.

Addresses the following denials:

<5>[  149.342181] type=1400 audit(1389419775.872:17): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.371844] type=1400 audit(1389419775.902:18): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.980161] type=1400 audit(1389419776.512:22): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.095066] type=1400 audit(1389419776.622:23): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.096748] type=1400 audit(1389419776.632:24): avc:  denied  { getattr } for  pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.097090] type=1400 audit(1389419776.632:25): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  154.545583] type=1400 audit(1389419781.072:43): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.000877] type=1400 audit(1389419782.532:44): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.022567] type=1400 audit(1389419782.552:45): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.043463] type=1400 audit(1389419782.572:46): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.062550] type=1400 audit(1389419782.592:47): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3

Change-Id: I3522c38a6019a42acbdd7221240caec54b89aee1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245