- Apr 01, 2014
Mark Salyzyn authored
Change-Id: Iec4bfc08ced20c0d4c74e07baca6cff812c9ba00
-
- Mar 28, 2014
Stephen Smalley authored
This is a trivial change to seapp_contexts to force a relabel of /data/data directories by PMS/installd by yielding a different hash value for comparison against /data/system/seapp_hash. This change does not alter any actual app process or data directory labeling decisions. The seapp_contexts entries are sorted upon loading by libselinux to match the precedence rules described in the comment header, so ordering in this file should not matter. This should not be merged before the code changes with the same Change-Id.
Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Mar 26, 2014
Stephen Smalley authored
Change-Id: Ibeeec6637022ee8bc9868e102b3d55e3b0d4762c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
-
Stephen Smalley authored
Resolves denials such as:
avc: denied { open } for pid=2758 comm="mediaserver" name="mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file
avc: denied { getattr } for pid=2758 comm="mediaserver" path="/system/bin/mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file
Change-Id: Ifee9e6fa87ae933639ce0b1d69a2feee460cf31f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Mar 25, 2014
Robert Craig authored
Change-Id: Iabda448d252d3b1ce19809c7f5de0dca3942f60c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-
- Mar 24, 2014
Nick Kralevich authored
-
Nick Kralevich authored
-
- Mar 21, 2014
Stephen Smalley authored
Resolves denials such as:
avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { open } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { search } for pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { call } for pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder
Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Resolves denials such as:
avc: denied { open } for pid=3772 comm="Binder_4" name="cmdline" dev="proc" ino=26103 scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=file
This seems harmless, although I am unclear as to why/where it occurs. Likely just for logging/debugging.
Change-Id: I7be38deabb117668b069ebdf086a9ace88dd8dd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Resolves denials such as:
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:surfaceflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
avc: denied { use } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:keystore:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
avc: denied { use } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:healthd:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:drmserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
avc: denied { use } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
avc: denied { write } for pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
Change-Id: I289dcf4b2c5897b7a10e41e5dd8d56ef4b9a4a08
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Mar 20, 2014
Paul Lawrence authored
vold needs to be able to check remaining battery to safely abort certain operations
Bug: 11985952
Change-Id: I7dfe83f7d1029593882e0e5ad33f90fb29e5532b
-
- Mar 19, 2014
Stephen Smalley authored
Ability to relabel from/to any of the types that can be assigned to /data/data directories as per seapp_contexts type= assignments.
Change-Id: I05e8b438950ddb908e46c9168ea6ee601e6d674f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
-
- Mar 18, 2014
Stephen Smalley authored
Anything writable by rild should be in radio_data_file or efs_file. System data should be read-only.
Change-Id: I442a253c22f567a147d0591d623e97a6ee8b76e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Robert Craig authored
This change helps with the following denials.
avc: denied { write } for pid=14157 comm="Thread-88" name="premium_sms_policy.xml" dev="mmcblk0p28" ino=618998 scontext=u:r:radio:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for pid=14293 comm="Thread-89" name="sms" dev="mmcblk0p28" ino=618952 scontext=u:r:radio:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
Prior to this patch the directory was labeled as system_data_file which is a bit too generic. This directory contains xml files with regexs which represent premium numbers that are used to warn the user before sending.
Change-Id: I98288b25aa1546477e05eee9f7622324b013e695
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Stephen Smalley authored
Resolves denials such as:
avc: denied { set } for property=ctl.bugreport scontext=u:r:system_server:s0 tcontext=u:object_r:ctl_bugreport_prop:s0 tclass=property_service
Change-Id: I6c3085065157f418fc0cd4d01fa178eecfe334ad
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Resolves denials such as:
avc: denied { read write } for pid=4346 comm="hostapd" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:hostapd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket
avc: denied { read write } for pid=4348 comm="dnsmasq" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket
Change-Id: Ie82f39c32c6e04bc9ef1369ca787cf80b3b4141c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
-
- Mar 17, 2014
Nick Kralevich authored
-
Mark Salyzyn authored
Bug: 13464830
Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
-
Nick Kralevich authored
Reboots/halts aren't working in healthd charger mode. This is causing high power draw in an unplugged, powered off state.
Steps to reproduce (on Nexus 5):
Unplug device from USB charger/computer
Turn device off
Wait for device to turn off
Plug in USB cable/charger
Wait for charge animation (wait for animation, not just lightning bolt, may have to press power button briefly to get animation going)
Wait for panel to turn off
Unplug USB cable/charger
Press power button again, notice screen turns on at some frame in the animation. (not important) Each press of the power button advances the animation
Power on.
Examine denials from /proc/last_kmsg
Addresses the following denials:
[ 24.934809] type=1400 audit(12534308.640:8): avc: denied { write } for pid=130 comm="healthd" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:healthd:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file
[ 24.935395] type=1400 audit(12534308.640:9): avc: denied { sys_boot } for pid=130 comm="healthd" capability=22 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
Bug: 13229119
Change-Id: If14a9c373bbf156380a34fbd9aca6201997d5553
-
- Mar 15, 2014
Stephen Smalley authored
Required to support passing resources via open apk files over Binder.
Resolves denials such as:
avc: denied { read } for pid=31457 comm="SoundPoolThread" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:mediaserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
avc: denied { read } for pid=31439 comm="Binder_2" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:drmserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
We do not allow open as it is not required (i.e. the files are passed as open files over Binder or local socket and opened by the client).
Change-Id: Ib0941df1e9aac8d20621a356d2d212b98471abbc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Nick Kralevich authored
-
- Mar 14, 2014
Nick Kralevich authored
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Nick Kralevich authored
healthd performs privileged ioctls on the tty device when in charger mode. Allow it.
This fixes a bug where off charging mode is forcing the device to reboot into recovery.
Addresses the following denial:
type=1400 audit(15080631.900:4): avc: denied { sys_tty_config } for pid=130 comm="healthd" capability=26 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
Bug: 13472365
Change-Id: I402987baf62ba0017e79e30e370850c32c286a6a
-
Nick Kralevich authored
-
Stephen Smalley authored
Change-Id: I68a8f37576d0d04d0f9df9ef8991407b6846ba15
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: I610723eb9f2edcb4525b0e2d7e55616a1d93957d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: Ica367f34156a7a460e3663589a29743c4a9e955c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: I546c1bcf373f161b7bf5706053340c4f6482b8b9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Addresses denials such as:
avc: denied { write } for pid=1797 comm="logcat" name="logdr" dev="tmpfs" ino=7523 scontext=u:r:system_server:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file
avc: denied { connectto } for pid=1797 comm="logcat" path="/dev/socket/logdr" scontext=u:r:system_server:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket
Change-Id: Idc4f48519ca3d81125102e8f15f68989500f5e9e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Addresses denials such as:
avc: denied { read write } for pid=3142 comm="clatd" path="socket:[12029]" dev="sockfs" ino=12029 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket
Change-Id: I5111410870c71bbfaf6b5310d8f5fd8f10db4f20
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-