Resubmission of commit: 76f3fe33

Removed conflicting rule from unconfined domain.

Change-Id: I3e6da8922ebf636f1cd8ceefea4291d043a28ab7

Fix build due to goldfish neverallow conflicts.

This reverts commit 76f3fe33.

Change-Id: Ie7c2bf623dcfe246fa5e60b0775b6bb38869d8cb

Only allow it to read/write/stat already open app data files
received via Binder or local socket IPC.

Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

host C: sepolicy-analyze <= external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c: In function 'usage':
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: error: 'for' loop initial declarations are only allowed in C99 mode
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: note: use option -std=c99 or -std=gnu99 to compile your code
make: *** [out/host/linux-x86/obj/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1

Change-Id: I9222e447b032d051c251c9718e2b8d5ffb9e9c35

Commit: 9287e0dd272b85b475e33bcbd7d868517a0f98f9 removed the registration
of EntropyMixer with servicemanager, so it no longer needs a context.

Bug: 18106000

Cherry-pick of commit: 7cfef98c

Change-Id: I9aeb35e7ffde75090f4234ea193514fb883b1425

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29

This seems to not really being used, especially considering
that the init.rc does not have a oneshot service for it, and its
not using the build_policy() and other things to even make it
configurable.

Change-Id: I964f94b30103917ed39cf5d003564de456b169a5

Bug: 18035729

(cherry picked from commit 6f201ddc)

Change-Id: I9865932ca87acefe0ab7feb3e6dc875f3d64276d

init.rc files can potentially chown/chmod any character device, so
allow it for everything except for kmem (prohibited by neverallow).
While we could whitelist each of the device types, doing so would also
require device-specific changes for the device-specific types and
may be difficult to maintain.

Resolves (permissive) denials such as:
avc:  denied  { read } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { open } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { setattr } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { read } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { setattr } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

Change-Id: If8d14e9e434fab645d43db12cc1bdbfd3fc5d354
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise denials like the following occur:

avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Steps to reproduce:

$ run-as com.google.android.talk id > /data/local/tmp/id.out
$ run-as com.google.android.talk cat < /data/local/tmp/id.out

Change-Id: I68a7b804336a3d5776dcc31622f1279380282030

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery the the various neverallow rules
blocking this behavior.

(cherrypick, with modifications, from 0055ea90)

Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e

Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.

This reverts commit 2aa727e3.

Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'f7e98fe2':
  recovery.te: add /data neverallow rules

* commit '35a4ed80':
  Add wpa neverallow rule

wpa should never trust any data coming from the sdcard. Add a
compile time assertion to make sure no rules are ever added
allowing this access.

Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6

Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88

* commit '3bcdec8a':
  Allow radio access to netd_pid file.

They need to see when it changes so they know when netd bounces.

(cherrypicked from commit 71e9a7c4)

bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a

* commit 'ca62a8b7':
  allow coredump functionality

(cherrypick of commit d7e004eb)

Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba

* commit 'bdc8c77a':
  Accept command-line input for neverallow-check.

Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.

Bug: 18005561
Change-Id: I45fa07d776cf1bec7d60dba0c03ee05142b86c19

* commit 'c457572b':
  Allow init to restorecon /data directories on upgrades.

Resolves (permissive) denials on upgrades from 4.4.

Change-Id: Ia9eed4938a7235c23bb65de7ad65e6e7c325dfd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'f3926937':
  Switch kernel and init to permissive_or_unconfined().

Switch the kernel and init domains from unconfined_domain()
to permissive_or_unconfined() so that we can start collecting
and addressing denials in -userdebug/-eng builds.

Also begin to address denials for kernel and init seen after
making this switch.

I intentionally did not allow the following denials on hammerhead:
avc:  denied  { create } for  pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
avc:  denied  { open } for  pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

These occur when init.rc does:
write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
because the prior command to mount the cgroup failed:
mount cgroup none /sys/fs/cgroup/memory memory

I think this is because that cgroup is not enabled in the
kernel configuration.  If the cgroup mount succeeded,
then this would have been a write to a cgroup:file and
would have been allowed already.

Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '0ae33a8d':
  zygote/dex2oat: Grant additional symlink permissions

* commit '5fad3d98':
  recovery: allow changing unlabeled symbolic links

* commit 'b519949d':
  system_server: assert app data files never opened directly

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62

* commit '46f3ce87':
  remove init_shell

* commit 'd4731ad8':
  Remove -kernel -recovery from keystore_data_file neverallow.

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

(cherrypicked from commit 683ac49d)

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c