and as a consequence open up for other appdomains (e.g. platform_app)
to write system properties.

Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7

priv_app reads from /cache/recovery, but I'm still not sure if
it writes. Eliminate the read auditallow rules and allow the
writes to show up (if any).

Eliminates the following auditallow messages:

  avc: granted { search } for comm="IntentService[S" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc: granted { getattr } for comm="Thread-1" path="/cache/recovery/last_install" dev="mmcblk0p27" ino=29891 scontext=u:r:priv_app:s0:c525,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
  avc: granted { read open } for comm="Thread-1" name="recovery" dev="mmcblk0p27" ino=29889 scontext=u:r:priv_app:s0:c525,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir

Change-Id: Ibc0640f5366aae50e3fd09d17657374390b24a5c

su is in permissive all the time. We don't want SELinux log
spam from this domain.

Addresses the following logspam:

  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0

Address the following denial:
avc: denied { read } for name="battery" dev="sysfs" ino=17945 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0

Bug: 26219114
Change-Id: I862b40a6514bffaa455dd7f06368acf9bcdc4782

Not actually needed as demonstrated by the auditallow rule.

Change-Id: Ia92c82ec237ab3490a1d51fa3371778e43e09504

This will allow init to terminate services cleanly (SIGTERM, wait,
SIGKILL) when needed.

Bug: 26216447
Test: manual: init is able to send a SIGTERM signal without denials.

Change-Id: Id2471ca08c0b011be64a36956628e965bc999bc6

auditallow shows no hits.

Change-Id: I5ae33d34cd4bfa48f4384926fcafd84bec60e899

- Moves policy of what to do with buffer size changes to logd

Bug: 23685592
Change-Id: I0b12c452e01b94d264d12b30f9040f646e609340

Recovery uses /cache/recovery. Exclude it from auditallow coverage.

Addresses the following SELinux log spam:

  avc:  granted  { search } for  pid=323 comm="recovery" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc:  granted  { read } for  pid=323 comm="recovery" name="block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
  avc:  granted  { getattr } for  pid=323 comm="recovery" path="/cache/recovery/block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file

Change-Id: Ib6c7b44ac23fccaf2ea506429fb760ee85e87c76

No longer necessary after android.process.media moved to the
priv_app domain. Verified no new denials via audit2allow rule.

Bug: 25085347
Change-Id: I2d9498d5d92e79ddabd002b4a5c6f918e1eb9bcc

Shell user needs to be able to get current device battery_level via
/sys/class/power_supply/battery/capacity.  Create a global label and
corresponding policy for accessing this.  Rely on each device to label
the appropriate sysfs entry.

Bug: 26219114
Change-Id: I2c5ef489a9db2fdf7bbd5afd04278214b814351c

Bug: http://b/25195825
Change-Id: I70257d5e40332f315020547baaa77a92fdfc58b0

Bug: 22032619
Change-Id: Ic160e0beef353c6dc5fb5e2d6a09a5628f067fe3

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158

* changes:
  Android.mk: cleanse all set but not unset variables
  Android.mk: clean dependencies and clear variables

No functional changes.

Change-Id: Ib6246932a2b491b77bafb1ce19e7b2285abec65e

Discovered by diffing the set of "set variables" with
the set of "cleared variables".

Script:

mydir=$(mktemp -d)

grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=.' Android.mk  | cut -d' ' -f 1-1 | sort | uniq > $mydir/set_vars
grep -E '(^[a-z].)[a-z0-9_\.]*\s*:?=$' Android.mk | cut -d' ' -f1-1 | sort | uniq > $mydir/unset_vars
diff $mydir/set_vars $mydir/unset_vars
rm -rf $mydir

Change-Id: Ib50abac6b417a1bcc1894d9a7bafdbdca371006a
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Dependencies being built with newline files in between
were also including the list of files without the newlines,
thus make would have to process 3n-1 files instead of 2n-1
where n is the number of files to process.

Additionally the *_with_nl variables were not being cleared
out and polluting Make's global name-space.

Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583
Signed-off-by: William Roberts <william.c.roberts@intel.com>

The new rules are used to allow to mount FUSE file system for priv-app.

Change-Id: I5ce2d261be501e2b3fef09b7666f1e5d1cddbe52

Bug: 26178938
Change-Id: I07eebf9f3854aa447950909b6e97a565b2846644

Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1. Restore access to everyone.

Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.

Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.

Commit 4e2d2245 restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.

Addresses the following denials:

  avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
  avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
  avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
  avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec

By convention, allow rules should be placed before neverallow rules.

Change-Id: Icb9155bcce1f77bebbf9dc83a8c7b97e161c88a5

Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.

Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.

Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa

Both angler and bullhead violate these SELinux rules.

Bullhead: tee has access to these files
Angler: system_server has read/write access to these files.

Fixes the following compile time error:

  libsepol.report_failure: neverallow on line 32 of external/sepolicy/fingerprintd.te (or line 6704 of policy.conf) violated by allow tee fingerprintd_data_file:file { ioctl read write create setattr lock append rename open };
  libsepol.check_assertions: 1 neverallow failures occurred
  Error while expanding policy
  out/host/linux-x86/bin/checkpolicy:  loading policy configuration from out/target/product/bullhead/obj/ETC/sepolicy_intermediates/policy.conf

This reverts commit 604a8cae.

Change-Id: Iabb8f2e9de96f9082cd6a790d1af80cbc6a569b1

Only fingerprintd should be creating/reading/writing/etc from
/data/system/users/[0-9]+/fpdata(/.*)? . Add a neverallow rule
(compile time assertion + CTS test) to ensure no regressions.

Change-Id: I30261a4bd880f5c4f3d90d1686a6267f60bdd413

Bug: 26211308
Change-Id: I8fd2d14ea52d49a33e6cdbcdf90630eea89f7dd0

The target sectxfile_nl, which is an auto-generated newline file,
has dependencies on itself and the other files. The dependencies
should be on the other files and this newline file, not the other
way around. Ideally, the *_contexts recipes should have the
dependency recorded for their "contexts" files and the newline
file.

Additionally, recipe dependencies for building the *_contexts files
depended on the list of all the contexts files with the newline file
in that list, however an additional explicit addition of the newline
file was also added in. Remove this, since its in the full list of
files.

Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc

Also allow shell getattr access to the tracing file. That way
"ls -la" returns something meaningful.

Bug: 26217098
Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786

The label for /sys/kernel/debug/tracing was changed from debugfs
to debugfs_tracing in commit https://android-review.googlesource.com/187692 .
Ensure we're using the correct label.

Change-Id: I6cab9d6b9f3d96b41db26642b67d880b1ca17a8b

Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3