Remove from blkid, blkid_untrusted, fsck, fsck_untrusted, sdcardd and
sgdisk.

Tested by adding external sdcard with and without
"adb shell sm set-force-adoptable true" command.

Address the following denials:
avc: denied { read } for name="swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { read } for name="filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file

Change-Id: I097e2ba5205e43f8ee613dae063f773a35ce3d73

In libext2fs ext2fs_check_mount_point() calls is_swap_device() to
verify that a device is swap before setting the EXT2_MF_SWAP mount
flag.

Addresses:
avc: denied { getattr } for path="/dev/block/zram0" dev="tmpfs" ino=9951
scontext=u:r:fsck:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file

Bug: 22821100
Change-Id: Ic7a1b6f83b34a40bf4bd35a1564300c58ca27089

Used in system/vold/MoveTask.cpp

Addresses:
avc: denied { execute } for name="toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Change-Id: I2eb6288aaed510ae5be0f3605088ace6b865ef83

Only used in AOSP by flounder. No denials when running Google Maps.

Change-Id: I9902c263016b4d38f1b3ed0be0bc7c4cd17ee471

Strengthen neverallow rule to enforce that no apps may write to
system_data_file - the default label for /data/

Change-Id: I886e4340f300551754c9e33e9c1764fb730b6b14

They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePoliyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038

auditallow says not needed.

Change-Id: Iafa048377e159ca3c7cc1f31653002c41ef9ef2b

auditallow says not needed.

Change-Id: If44f64aeb5d0be78fd166d1b3eee298c5f7c860d

This is actually used. Addresses the following SELinux audit logs:

  avc: granted { create } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { add_name } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/command" dev="mmcblk0p38" ino=23 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { setattr } for comm="Thread-157" name="uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file

Change-Id: Idab00ebc8eacd7d8bb793b9342249227f91986a1

auditallow says it's not used.

Bug: 25331459
Change-Id: Ic414efcd0a3be6d744ab66382c20f0ea4c9ea116

* changes:
  fc_sort: initial commit
  checkfc: do not die on 0 length fc's

auditallow says never used.

Change-Id: I789f32bd7d2bbfc583a12bf8a05662e812f09a38

no SELinux denials from auditallow

Change-Id: Ied61f7f97b148b1c10d0f71e9ab30c136a123738

auditallow says no denials.

Change-Id: Ib4e38f5393d3f3ba67277017abc848f5e7c04efd

auditallow says never used.

Change-Id: I6a3f82740bfecf483e0ccbb528b7218af36d37b8

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Checkfc was treating 0 size fc files as a fatal error.
An empty fc file should be treated as "nothing to check"
so long as the -e option is passed.

We add this option, so we don't allow empty file_context
files to pass CTS checking.

Change-Id: Ibca6bd948a13389e10c605d613acc48c5504443e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d14688.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a

Change-Id: I0e63f90cafc5b1ca9cc112e852e172046b16a17e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

toolbox_exec is executed by dhcpcd-run-hooks.

Addresses the following auditallow log spam:

  avc: granted { read open } for comm="dhcpcd-run-hook" path="/system/bin/toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { read } for comm="setprop" name="toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { execute } for comm="dhcpcd-run-hook" name="toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { execute_no_trans } for comm="dhcpcd-run-hook" path="/system/bin/toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { read execute } for comm="setprop" path="/system/bin/toybox" dev="dm-0" ino=639 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Change-Id: Ib83c291961a5573397830032a67a2f6861ae2e71

Bug: 26219114
Change-Id: I300899d610258704eb2d45488700eadb7a686606

Address the following denial when running CTS:
avc: denied { search } for comm=73657276696365203136 name="/" dev="selinuxfs" ino=1 scontext=u:r:adbd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir permissive=0

Bug: 26290097
Change-Id: Icf51061a65a5fda15f7e7ef78200a62ffbd1ca9b

Remove the temporary typealias on camera_device since it
is now defunct.

Change-Id: I0a21d019580605695afa0a169aa1fbf0d7533f29

camera_device didn't really offer much in terms of control considering
that most domains that need camera_device, also need video_device and
vice versa.

Thus, drop camera_device from the policy and add a temporary typealias.

Change-Id: I144c0bb49a9a68ab1bdf636c64abe656f3e677b4
Signed-off-by: William Roberts <william.c.roberts@intel.com>