The /adb_keys entry will only take effect if a restorecon is
applied by init.rc on a kernel that includes the rootfs labeling
support, but does no harm otherwise.

The /data/misc/adb labeling ensures correct labeling of the adb_keys
file created if the device has ro.adb.secure=1 set.

Allow adbd to read the file.

Change-Id: I97b3d86a69681330bba549491a2fb39df6cf20ef
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change I4be1c987a5d69ac784a56d42fc2c9063c402de11 removed all
netdomain allow rules at the same time domains were made unconfined.
Prior to that change, any domain that used the net_domain() macro
would be granted permissions required to use the network via these rules.
The change made the netdomain attribute unused in any rules, thereby
rendering the net_domain() calls pointless and requiring the allow
rules to be duplicated for any domain requiring network access. There
are two ways to resolve this inconsistency:
1.  Restore the netdomain rules as in this change.  In that case,
some rules in app.te can be removed as they are redundant with these rules.
-or-
2.  Completely remove the netdomain attribute, the net_domain() macro,
and all calls to it.  In that case, each domain that requires network
access will need to duplicate these rules or the necessary subset in order
to function.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ia54f0cd0bbda5c510423b1046626bd50f79ed7b6

Shell domain can transition to other domains for runas, ping, etc.

Change-Id: If9aabb4f51346dc00a89d03efea25499505f278d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change synchronizes the AOSP set of neverallow rules for
app domains with our own.  However, as we exclude unconfineddomain
from each neverallow rule, it causes no breakage in the AOSP policy.
As app domains are confined, you will need to either adjust the
app domain or the neverallow rule according to your preference.
But our policy builds with all of these applied with all app domains
confined.

Change-Id: I00163d46a6ca3a87e3d742d90866300f889a0b11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Some file types used as domain entrypoints were missing the
exec_type attribute.  Add it and add a neverallow rule to
keep it that way.

Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id I027f76cff6df90e9909711cb81fbd17db95233c1 added a
/data/local/tmp/selinux entry at the same time domains were made
permissive.  I do not know why, and do not see how this is used.
So remove it.

Change-Id: I3218cc18de9781bc65ae403f2cf4c234847ef5f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.

Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

These device nodes were specific to crespo / Nexus S and
if ever needed again, should be re-introduced in the per-device
sepolicy, not here.

Change-Id: I8366de83967974122c33937f470d586d49c34652
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

per the discussion in https://android-review.googlesource.com/#/c/65063/1/zygote.te
adjust the comment in this file.

Change-Id: I8db31e22ec34493442bc8e86bcd0bc0136b7bae4

This was a mistaken attempt to fix bug 10498304, but it didn't
actually have any impact. Revert.

This reverts commit fc2bd01b.

Bug: 10498304

This is now possible due to the kernel change to support
setting security contexts on rootfs inodes.

Change-Id: I2a9aac1508eceabb92c3ae8eb5c63a16b28dda6f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The type was already defined and used in type transitions for cases
where the gps socket is created at runtime by gpsd, but on some devices
it is created by init based on an init.<board>.rc socket entry and therefore
needs a file_contexts entry.

Before:
$ ls -Z /dev/socket/gps
srw-rw---- gps      system            u:object_r:device:s0 gps

After:
$ ls -Z /dev/socket/gps
srw-rw---- gps      system            u:object_r:gps_socket:s0 gps

Change-Id: I8eef08d80e965fc4f3e9dd09d4fa446aaed82624
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise it gets left in the general device type, and we get denials such
as:
type=1400 msg=audit(1379617262.940:102): avc:  denied  { write } for  pid=579 comm="mDnsConnector" name="mdns" dev="tmpfs" ino=3213 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=sock_file

This of course only shows up if using a confined system_server.

Change-Id: I2456dd7aa4d72e6fd15b55c251245186eb54a80a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* changes:
  write_klog also requires write permission to the directory.
  Allow access to /data/security/current symbolic link.

This CL completes the renaming of domain system to system_server by
removing the "system" typealias that was temporarily added to avoid
breaking the build while the rename CLs are landing.

Change-Id: I05d11571f0e3d639026fcb9341c3476d44c54fca

This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00

Change-Id: I9652284bd34d07bd47e2e7df66fcbe5db185ab3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I153b0aa8a747d6c79839d06fc04b3923eacfa213
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

system_app is for apps that run in the system UID, e.g. Settings.
system is for the system_server.
Split them into separate files and note their purpose in the comment
header of each file.

Change-Id: I19369abc728ba2159fd50ae6b230828857e19f10
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove sys_nice capability from domains; this does not appear to be necessary
and should not be possible in particular for app domains.  If we encounter
specific instances where it should be granted, we can add it back on a
per-domain basis.  Allow it explicitly for the system_server.  Unconfined
domains get it via unconfined_domain() and the rules in unconfined.te.

Change-Id: I9669db80a04a90a22241b2fbc5236a28dcde8c6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* changes:
  Do not permit appdomain to create/write to download_file.
  Remove duplicated rules between appdomain and isolated_app.

3.4 goldfish kernel supports sysfs labeling so we no longer need this.

Change-Id: I77514a8f3102ac8be957c57d95e7de7d5901f69d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we have different security contexts but the same DAC
permissions:
-rw-rw-rw- root     root              u:object_r:sysfs_writable:s0 process_name
-rw-rw-rw- root     root              u:object_r:sysfs:s0 state
-rw-rw-rw- root     root              u:object_r:sysfs:s0 symbol

This change fixes denials such as:
type=1400 msg=audit(1379096020.770:144): avc:  denied  { write } for  pid=85 comm="SurfaceFlinger" name="symbol" dev="sysfs" ino=47 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I261c7751da3778ee9241ec6b5476e8d9f96ba5ed
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The comment says that apps can read downloaded files, but the
file_type_auto_trans() macro expands to permit create/write access.
Also we don't need a type transition when staying in the same type
as the parent directory so we only truly need allow rules here.
Hence, we remove file_type_auto_trans() altogether, and add an allow
rule for search access to the directory.  If create/write access is
truly required, then we can just change the allow rules to use
rw_dir_perms and create_file_perms.

Change-Id: Icd71c9678419442cfd8088317317efd4332f9b4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te;
delete it from isolated_app.te.
binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it.

Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

$ sepolicy-check -s untrusted_app -t mediaserver -c binder -p call -P out/target/product/manta/root/sepolicy
Match found!

Also removed loading of initial SIDs as that is not required for
this functionality and it leaks memory as it is never freed.
valgrind now reports no leaks.

Change-Id: Ic7a26fd01c57914e4e96db504d669f5367542a35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Fixes the following denial:

<5>[28362.335293] type=1400 audit(1378991198.292:24): avc:  denied  { execute } for  pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12

Apps attempting to write to /dev/random or /dev/urandom currently
succeed, but a policy violation is logged. These two Linux RNG
devices are meant to be written to by arbitrary apps. Thus, there's
no reason to deny this capability.

Bug: 10679705

Change-Id: Ife401f1dd2182889471eef7e90fcc92e96f9c4d6

This enables installd to uninstall or clear data of installed apps
whose data directory contains unusual file types, such as FIFO.

Bug: 10680357

(cherry picked from commit 839af9ed)

Change-Id: I5715f7d6d3214896ad0456d614b052cf5fb79eef

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ic500af7b9dac6a9b6401e99c3d162913e9989d9b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>