This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5

This reverts commit 5287d9a8.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a

This change removes the link, but moves key management to
vold, so we need to adjust permissions alternately.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1

Don't allow init to mount on top of /proc. See
https://android-review.googlesource.com/148295 for details.

Change-Id: I65f66b39f3a5bfb72facb9f716f4537ac2237af1

This enables an optimization of bypassing the FUSE overhead when
migrating emulated storage between volumes.

avc: denied { write } for path="/mnt/expand/6cba9b95-4fc8-4096-b51f-bdb2c007d059/media/obb/.nomedia" dev="dm-0" ino=387843 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1

Bug: 19993667
Change-Id: I2bb9aaca50ed988ded6afec6d7fbe190903707e0

Change-Id: I1c9fa4da442aa47ae4b7341eab6f788f0329d2d2

This reverts commit bbd56b71.

Change-Id: I3e295f785aa62de3a04b2f201be97dd7ef0c207f

Change-Id: I9ba4952230ec1b811b8ec6cd19c0286ee791bf08

This reverts commit c450759e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387

shamu isn't booting.

This reverts commit 46e832f5.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca

Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9

Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448

Users can pick files from vfat devices through the Storage Access
Framework, which are returned through ParcelFileDescriptors.  Grant
apps write access to those files.  (Direct access to the files on
disk is still controlled through normal filesystem permissions.)

avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9

Raw physical storage devices are mounted by vold under /mnt/media_rw
and then wrapped in a FUSE daemon that presents them under /storage.

Normal apps only have access through /storage, but platform apps
(such as ExternalStorageProvider) often bypass the FUSE daemon for
performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5

Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e

Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e

Addresses su denials which occur when mounting filesystems not
defined by policy.

Addresses denials similar to:

  avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e

Change-Id: Ie19ac00f2e96836667e8a5c18fafeaf6b6eadb25

needs to call addAuthToken

Change-Id: If519df61448f19dfafab254668c17eea6c161ea4

We have a /media directory on expanded storage that behaves just
like internal storage, and has a FUSE daemon running above it.

avc: denied { search } for name="expand" dev="tmpfs" ino=3130 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0

Bug: 19993667
Change-Id: I771ecb8f2808c48ccf4139ac9cfc2a48a2332fec

Provide a default label for binfmt_misc. This is not used by the
core policy, although it may be used in device specific policy.

Bug: 20152930
Change-Id: Id51d69333bfeda40720d0e65e1539fab0b6e1e95

Google Breakpad (crash reporter for Chrome) relies on ptrace
functionality. Without the ability to ptrace, the crash reporter
tool is broken.

Addresses the following denial:

  type=1400 audit(1428619926.939:1181): avc: denied { ptrace } for pid=10077 comm="CrRendererMain" scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:r:isolated_app:s0:c512,c768 tclass=process permissive=0

This reverts commit e9623d8f.

Bug: 20150694
Bug: https://code.google.com/p/chromium/issues/detail?id=475270
Change-Id: I1727c6a93f10ea6db877687a8f81ec789f9e501f

Add rules that allow installd to move private app data between
internal and expanded storage devices.  For now we'll be reusing
the "cp" binary using android_fork_execvp(), so grant access to
devpts.

avc: denied { read write } for name="14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1

avc: denied { read } for name="com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { open } for path="/data/data/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { create } for name="com.android.opengl.shaders_cache" scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1
avc: denied { read write open } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/user/0/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="dm-0" ino=64518 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1

Bug: 19993667
Change-Id: I5188e660c8b5e97eab8f0c74147499ec688f3f19

Bug: 17471434
Bug: 18609318
Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc

The current neverallow rule (compile time assertion)

  neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

 * all app processes
 * dumpstate
 * system_server
 * mediaserver
 * surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66

Settings needs to be able to access it when opening developer options.

Address the following denial:
avc:  denied  { find } for service=persistent_data_block scontext=u:r:system_app:s0 tcontext=u:object_r:persistent_data_block_service:s0 tclass=service_manager

Bug: 20131472
Change-Id: I85e2334a92d5b8e23d0a75312c9b4b5bf6aadb0b