- Jun 16, 2014
-
-
Stephen Smalley authored
Several device-specific policy changes with the same Change-Id also add this attribute to device-specific types.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit d2503ba8)
Change-Id: I08a718ba0d91641de720440e16abc0a04f5ec5a5
-
Nick Kralevich authored
* commit '8318980a': Don't allow types which are both file_type and fs_type
-
Nick Kralevich authored
* commit '48212742': Don't allow types which are both file_type and fs_type
-
Stephen Smalley authored
* commit '2fbecbba': Allow installd to stat asec files and /data/media files.
-
Nick Kralevich authored
* commit 'b545f2fc': recovery: Allow exec_type on dirs, read for /dev
-
Nick Kralevich authored
* commit 'ff409bb4': recovery: Allow exec_type on dirs, read for /dev
-
Nick Kralevich authored
It's a bug to have a type with both the file_type and fs_type attribute. A type should be declared with either file_type, or fs_type, but not both.

Create a neverallow rule which detects this situation. This works because we have the following allow rule:

  allow fs_type self:filesystem associate;

If a type is a file_type and an fs_type, the associate allow rule will conflict with this neverallow rule.

Not sure if this is the cleanest way to accomplish this, but it seems to work.

Change-Id: Ida387b1df260efca15de38ae7a66ed25e353acaa
-
- Jun 15, 2014
-
-
Nick Kralevich authored
When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form:

  set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
  set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");

which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec.

Allow this behavior for now, even though it's obviously a bug.

Also, allow recovery to read through the /dev directory.

Addresses the following denials:

  avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir

Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
-
- Jun 14, 2014
-
-
Nick Kralevich authored
* commit 'e45aa7e9': Make inputflinger enforcing.
-
Nick Kralevich authored
* commit 'f6b438fb': system_server profile access
-
Nick Kralevich authored
* commit '2be9c64f': Make inputflinger enforcing.
-
Nick Kralevich authored
* commit 'a76d9ddf': system_server profile access
-
Nick Kralevich authored
Still not fixed. *sigh*

Addresses the following denial:

  <4>[ 40.515398] type=1400 audit(15842931.469:9): avc: denied { read } for pid=814 comm="system_server" name="profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: I705a4cc9c508200ace46780c18b7112b62f27994
-
Stephen Smalley authored
Addresses denials such as:

  avc: denied { getattr } for comm="installd" path="/data/app-asec/com.vectorunit.red-1.asec" dev="dm-0" ino=578229 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file
  avc: denied { getattr } for pid=262 comm="installd" path="/data/media/0/Android/data/com.google.android.apps.maps/cache/cache_vts_tran_base_GMM.m" dev="dm-0" ino=124930 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit d2622fda)
Change-Id: Iac46236ee583dee11a7e6518a9e8eca25c59e9ba
-
- Jun 13, 2014
-
-
Nick Kralevich authored
* commit 'd23935c8': allow system_server getattr on /data/dalvik-cache/profiles
-
Nick Kralevich authored
* commit '96d9af42': allow system_server getattr on /data/dalvik-cache/profiles
-
Nick Kralevich authored
86703051 wasn't complete. I thought getattr on the directory wasn't needed but I was wrong. Not sure how I missed this.

Addresses the following denial:

  <4>[ 40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
-
Nick Kralevich authored
* commit 'f1b92488': runas: allow pipe communication from the shell
-
Mark Salyzyn authored
* commit 'e0bbb6f3': selinux: logd Development settings
-
Mark Salyzyn authored
* commit '848109c0': selinux: logd Development settings
-
Nick Kralevich authored
* commit '4dcb8245': runas: allow pipe communication from the shell
-
Nick Kralevich authored
run-as won't communicate with shell via pipes. Allow it.

  nnk@nnk:~$ adb shell "cat /dev/zero | run-as com.google.foo sh -c 'cat'"
  /system/bin/sh: cat: <stdout>: Broken pipe

  <4>[ 1485.483517] type=1400 audit(1402623577.085:25): avc: denied { read } for pid=6026 comm="run-as" path="pipe:[29823]" dev="pipefs" ino=29823 scontext=u:r:runas:s0 tcontext=u:r:shell:s0 tclass=fifo_file

read is definitely needed. Not sure about write, but adding it just in case.

(cherry picked from commit 6c9c5888)
Change-Id: Ifed6314588723063531982b45a56b902dfe32ea9
-
Nick Kralevich authored
* commit 'fc10f2a7': runas: allow pipe communication from the shell
-
Lorenzo Colitti authored
* commit '591b9c25': Remove clatd's ability to write to proc files.
-
Lorenzo Colitti authored
* commit '81c03013': Remove clatd's ability to write to proc files.
-
Lorenzo Colitti authored
This is no longer required now that clatd has switched from IPv6 forwarding to sockets.

Bug: 15340961
Change-Id: Id7d503b842882d30e6cb860ed0af69ad4ea3e62c
-
Lorenzo Colitti authored
* commit 'fb635166': Allow clatd to read from packet sockets and write to raw sockets
-
Lorenzo Colitti authored
* commit 'b32448c9': Allow clatd to read from packet sockets and write to raw sockets
-
Stephen Smalley authored
* commit '65ad8086': Make the mediaserver domain enforcing.
-
Stephen Smalley authored
* commit 'f0ffff0b': Make the mediaserver domain enforcing.
-
- Jun 12, 2014
-
-
Stephen Smalley authored
Change-Id: Ib693b563c2db6abc02cf7dbeb12ed61c09734fa8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
* commit '2c8b50b8': Remove world-read access to /data/dalvik-cache/profiles
-
Nick Kralevich authored
* commit '86703051': Remove world-read access to /data/dalvik-cache/profiles
-
Nick Kralevich authored
Remove /data/dalvik-cache/profiles from domain. Profiling information leaks data about how people interact with apps, so we don't want the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to read/write profiling data.

Remove restorecon specific rules. The directory is now created by init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
-
Nick Kralevich authored
* commit '8eb63f24': Add SELinux rules for service_manager.
-
Nick Kralevich authored
* commit 'b0ee91a4': Add SELinux rules for service_manager.
-
Ruchi Kandoi authored
* commit '28ca3327': DO NOT MERGE adds system_server permissions
-
Stephen Smalley authored
* commit 'db4af52d': Allow shell to read/search /dev/input directory.
-
Stephen Smalley authored
* commit 'a2e4e265': Allow shell to read/search /dev/input directory.
-
Stephen Smalley authored
Resolves denials such as:

  avc: denied { read } for pid=16758 comm="getevent" name="input" dev="tmpfs" ino=6018 scontext=u:r:shell:s0 tcontext=u:object_r:input_device:s0 tclass=dir

Change-Id: I709bd20a03a5271382b191393d55a34b0b8e4e0c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
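The commit messages above justify each policy change by quoting the avc: denied records it addresses. As an added example (not part of the AOSP tree or of any commit listed here), this Python script groups such records by source type, target type and object class and renders one candidate allow rule per group for review. The function names are hypothetical; the sample records are copied from the recovery and run-as commit messages on this page.

```python
import re
from collections import defaultdict

# Denial records copied from the recovery and run-as commit messages on this page.
SAMPLE = """\
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
<4>[ 1485.483517] type=1400 audit(1402623577.085:25): avc: denied { read } for pid=6026 comm="run-as" path="pipe:[29823]" dev="pipefs" ino=29823 scontext=u:r:runas:s0 tcontext=u:r:shell:s0 tclass=fifo_file
"""

# One record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return fields[2]

def summarize(log_text):
    """Merge denied permissions per (source type, target type, object class)."""
    grouped = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)

def candidate_rules(log_text):
    """Render one candidate allow rule per group, sorted for stable review diffs."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(log_text).items()):
        names = " ".join(sorted(perms))
        if len(perms) > 1:
            names = "{ " + names + " }"
        rules.append(f"allow {src} {tgt}:{cls} {names};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE):
        print(rule)
```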