am: dcec3ee9  -s ours

Change-Id: Id04fb68971510d089e4fcd53fa24b77a1e9cd760

To be replaced by commit 1e149967
seapp_context: explicitly label all seapp context files

Test: build policy
Change-Id: I8d30bd1d50b9e4a55f878c25d134907d4458cf59
Merged-In: I0f0e937e56721d458e250d48ce62f80e3694900f

am: 9f8773b4

Change-Id: I010337f7f5b81f4025a0d57e0e0b4fb8f4a90296

am: 8f687053

Change-Id: Ib0ba78601046e6574cbb44752ebc431791a62df6

This is needed for timerslack functionality which should be present in
most kernels going forward

Test: system_server can write to cameraserver files
Change-Id: I85797128b1467d92eb354364de8eb60f8e45c931

The denial message:
update_engine: type=1400 audit(0.0:15213): avc: denied { getattr } for
path="/postinstall" dev="dm-0" ino=38 scontext=u:r:update_engine:s0
tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

update_engine: type=1400 audit(0.0:15214): avc: denied { sys_rawio } for
capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

auditd  : type=1400 audit(0.0:15213): avc: denied { getattr } for
comm="update_engine" path="/postinstall" dev="dm-0" ino=38
scontext=u:r:update_engine:s0 tcontext=u:object_r:postinstall_mnt_dir:s0
tclass=dir permissive=0

update_engine: [0428/070905:ERROR:utils.cc(716)] Error stat'ing /postinstall: Permission denied

Bug: 37760573
Test: apply an update and UE reads postinstall_mnt_dir without denial.
Change-Id: I55506f5e8544233f60ccf7c1df846c9c93946a25

am: 9273c1bb

Change-Id: Ie4aec7f6b6cfe675bd69df399fa63ef1194b84ac

This was previously relying on domain_deprecated rules deleted in
change I588a1e7ea7ef984907b79a5a391efb2dcd6e6431.

Bug: 28760354
Test: unbreaks networking on AOSP bullhead
Change-Id: I873e1f08f72104dee7509e45b1db0b284ca56085

am: 50992311

Change-Id: Ia24ef33e8cdbee7c3336fda2a5c0ec0e4ca751f0

am: 770214ab

Change-Id: I253dad49662831625a17162b18f013e0b4a87af4

Kernel commit f9df6458218f4fe ("selinux: export validatetrans
decisions") introduced a /sys/fs/selinux/validatetrans pseudo file
for use by userspace file system servers and defined a new validatetrans
permission to control its use.

Define the new permission in the Android SELinux policy.
This change only defines the new permission; it does not allow it
to any domains by default.

This avoids a kernel message warning about the undefined permission on
the policy load, ala:
SELinux:  Permission validate_trans in class security not defined in policy.

Test: Policy builds

Change-Id: Ib922a83b7d8f94905207663a72f7a1bc3db8d2c2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

am: 580a0f2b

Change-Id: Ibc29f16dac70c4c44ea4b1bfff5afcf513d2dbfa

This change must only be submitted when device-specific policies
have been reverted.

This reverts commit 07e631d2.

Bug: 17613910
Test: builds
Change-Id: Ie33e293107bf1eba2498f2422d941544c76b8cad
Merged-In: I356c39a5dc955b3d7c28d8c7baf2887a17beb272

am: ee694980

Change-Id: Ic572585b380405f135646731f9fc749fcee86a3b

Allow wrapped app to send pid back to zygote.

Bug: 63566721
Bug: 63635227
Test: lunch angler-userdebug && m
Test: lunch angler-user && m
Test: lunch angler-user && m && fastboot flashall && m cts && cts-tradefed run commandAndExit cts-dev -m CtsWrapWrapDebugTestCases
Change-Id: Ie1b41c3eb124aa5ee321c124d0121a0e965f0f0e

Change-Id: I5360777b81f561c6b062d11c55fbb8491a7845ec
Test: build

Logs indicate that these rules have already been moved to the
domains that need them.

Bug: 28760354
Test: build
Merged-In: I588a1e7ea7ef984907b79a5a391efb2dcd6e6431
Change-Id: I588a1e7ea7ef984907b79a5a391efb2dcd6e6431

am: 90d2772a

Change-Id: I354fac8e2de0f7c3d09341d291b7989dad1e0726

Observed audited access to rootfs moved to individual domains in
commit a12aad45

Bug: 28760354
Test: build
Change-Id: Ie5e991d66668e70df69f21334032be6d574bf5c8

am: c501c345

Change-Id: I1b62a13240b49654fe8667909d23989d4651b37a

am: 6116489c

Change-Id: Ie97e5fba4b46293888ad34c54fa0673909653651

am: a12aad45

Change-Id: I0cc33674afefeb455bd53702c304d9317ae2e937

Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420
path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0"
ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug: 36588803
Change-Id: I1f46b438050d95cebd2fcc495938192305fc9fc9

Test: build
Change-Id: Ibb899aa88878f5fc3ade9df0208a8026f2a57b11

am: 790f4c7e

Change-Id: I0dcc870c1280baf37e03b66b244e2ff046fad35d

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.
Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e
Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e

am: 3e5bb807

Change-Id: I01f99884b0f8b06fa4938a606345c33918d8b295

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

Test: Policy builds

Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:

1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
   in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
   net_stable_secret_vendor_prop) and applying it to
   persist.netd.stable_secret results in the device not booting
   due to attempting to apply two different contexts to the same
   property.

Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.

Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.

This reverts commit abb1ba65.

Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Merged-In: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8

am: 90ae4f6b

Change-Id: Ia793ed369cc05c123fb013fd10e8b19f006d92ff

am: f4ce8f6c

Change-Id: Ie0bc01a5b8acc6b79a3a31d5807f46f1e1df8c6c

Clean up "granted" logspam. Grant the observered audited permissions
including:

tcontext=cache_file
avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9"
ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { search } for comm="Binder:8559_2" name="cache"
dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0"
ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

tcontext=proc
avc: granted { getattr } for comm="Binder:14529_2"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file
avc: granted { read } for comm="Binder:22671_2" name="cmdline"
dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="dumpstate"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file

tcontext=sysfs
avc: granted { read open } for comm="Binder:14459_2"
path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } for comm="Binder:21377_2"
path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1"
dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0
tcontext=u:object_r:sysfs:s0 tclass=dir
avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file

tcontext=proc_meminfo
avc: granted { read } for comm="top" name="meminfo" dev="proc"
ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for comm="top" path="/proc/meminfo"
dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file

tcontext=rootfs
avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2
scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs"
ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0
tclass=lnk_file

tcontext=selinuxfs
avc: granted { getattr } for comm="df" path="/sys/fs/selinux"
dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0
tcontext=u:object_r:selinuxfs:s0 tclass=dir

tcontext=system_file
avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw"
dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_file:s0 tclass=dir

tcontext=system_data_file
avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables"
dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_data_file:s0 tclass=file
avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 28760354
Test: Build policy
Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263