The kernel bug that required healthd to remain permissive was fixed by
I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2.

Change-Id: Iff07b65b943cadf949d9b747376a8621b2378bf8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

init creates a private /dev/null instance named /dev/__null__
that is inherited by healthd.  Since it is created prior to
initial policy load, it is left in the tmpfs type.
Allow healthd to inherit and use the open fd.

Change-Id: I525fb4527766d0780457642ebcc19c0fcfd1778c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses the following denial.
  avc:  denied  { create } for  pid=605 comm="Binder_2" name="IDM1013" scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_data_file:s0 tclass=dir

Witnessed denial on grouper. Policy change
seems appropriate for core policy though. To
reproduce:
* erase data partition or just delete all dirs
  under /data/mediadrm
* start netflix app and watch a movie

Change-Id: I515a195d45223249847fae70dc2ea9c9b216042f
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.

Two bugs here:

1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.

2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.

Addresses the following denials:

<5>[  149.342181] type=1400 audit(1389419775.872:17): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.371844] type=1400 audit(1389419775.902:18): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.980161] type=1400 audit(1389419776.512:22): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.095066] type=1400 audit(1389419776.622:23): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.096748] type=1400 audit(1389419776.632:24): avc:  denied  { getattr } for  pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.097090] type=1400 audit(1389419776.632:25): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  154.545583] type=1400 audit(1389419781.072:43): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.000877] type=1400 audit(1389419782.532:44): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.022567] type=1400 audit(1389419782.552:45): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.043463] type=1400 audit(1389419782.572:46): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.062550] type=1400 audit(1389419782.592:47): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3

Previous bluetooth denials should be addressed by
I14b0530387edce1097387223f0def9b59e4292e0.

Change-Id: I5c6b44a142a7e545230b89df9c4500ce2fab4ab6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Re-purpose the existing bluetooth_socket type, originally
for /dev/socket/bluetooth used by bluetoothd in the old
bluetooth stack, for sockets created by bluedroid under
/data/misc/bluedroid, and allow mediaserver to connect
to such sockets.  This is required for playing audio
on paired BT devices.

Based on b/12417855.

Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

These are all symlinks. The restorecon in /sys doesn't follow
symlinks, so these lines have absolutely no effect, and just
serve to confuse people.

Remove them.

Change-Id: I24373fa0308ec700011ed19b1ce29a491d1feff3

powervr_device is obsoleted by the more general gpu_device.
akm_device and accelerometer_device are obsoleted by the more
general sensors_device.

We could also drop the file_contexts entries altogether and
take them to device-specific policy (in this case, they all
came from crespo, so that is obsolete for master).

Change-Id: I63cef43b0d66bc99b80b64655416cc050f443e7d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I35728c4f058fa9aeb51a7960395759590e20b083
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I27c62a7ab7223eb74f44a78c273dd97f1380bc61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Idc26aadd0add9f39447d51a1d82a55a957a88e9a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ie7414b49eac92f7d57789cc3082dbce774561126
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 43ddc106.

Change-Id: Id2d2c02ccf6ac38c48b07ab84b73348cd9c815fa

The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 89740a69.

Change-Id: Ie060cff0de8cbd206e0e55e196021726e52246c7

Change-Id: Ie3d73d2c8d5c73e8bd359123f6fd3c006f332323
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Requires execmem and ashmem_device:chr_file execute similar to bootanim
presumably for the display.

Did not see any cache_file execute denials and do not see any
exec of /cache files in the code, only reading/interpreting scripts,
so I removed cache_file rx_file_perms.

Did not see any tmpfs execute denials in /proc/last_kmsg but the
source code appears to extract the update-binary to a tmpfs mount
in /tmp and then exec it.  So I retained that rule.

Tested with adb sideload.

Change-Id: I8ca5f2cd390be1adf063f16e6280cc4cd1833c0e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ic5aae78d575dba50d0a4bb78747da3ba4b81fb7b

Define a domain for use by the recovery init.rc file for
/sbin/recovery.  Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.

Change-Id:  Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is required for the grouper sepolicy, where we must allow
bluetooth domain to write to the base sysfs type due to a kernel bug.

Change-Id: I14b0530387edce1097387223f0def9b59e4292e0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

adbd uses setpcap to drop capabilities from the bounding
set on user builds. See system/core commit
080427e4e2b1b72718b660e16b6cf38b3a3c4e3f

Change-Id: I6aec8d321b8210ea50a56aeee9bc94738514beab

Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858

As discussed in https://android-review.googlesource.com/78634 , the removal of execmem may cause OTA problems. Not sure...

Revert this patch to give us more time to investigate.

This reverts commit 4e416ea4.

Change-Id: Ie05f90235da5b9ee20b374298494cbc0a58b9b49

The following CTS tests are failing on nakasig-userdebug

Failing tests
android.bluetooth.cts.BasicAdapterTest#test_enableDisable
android.bluetooth.cts.BasicAdapterTest#test_getAddress
android.bluetooth.cts.BasicAdapterTest#test_getBondedDevices
android.bluetooth.cts.BasicAdapterTest#test_getName
android.bluetooth.cts.BasicAdapterTest#test_listenUsingRfcommWithServiceRecord

Logs
=====
junit.framework.AssertionFailedError: expected:<11> but was:<10>
at android.bluetooth.cts.BasicAdapterTest.enable(BasicAdapterTest.java:278)
at android.bluetooth.cts.BasicAdapterTest.test_enableDisable(BasicAdapterTest.java:128)
at java.lang.reflect.Method.invokeNative(Native Method)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:191)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:176)
at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:554)
at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1701)

Reverting this change until we get a proper fix in place.

SELinux bluetooth denials:

nnk@nnk:~$ grep "avc: " Redirecting.txt | grep bluetooth
<5>[  831.249360] type=1400 audit(1389206307.416:215): avc:  denied  { write } for  pid=14216 comm="BluetoothAdapte" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  834.329536] type=1400 audit(1389206310.496:217): avc:  denied  { write } for  pid=14218 comm="BTIF" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file

This reverts commit 2eba9c5f.

Bug: 12475767
Change-Id: Id4989f6b371fa02986299114db70279e151ad64a

I'd like to do more testing to make sure OTA updates aren't broken by this change. Until we do the testing, let's rollback this change.

This reverts commit 5da08810.

Change-Id: I56a7f47a426cfd3487af1029283bd8ce182d5ab2

Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0

x_file_perms and friends allow execve; we only want to permit
mmap/mprotect PROT_EXEC here.

Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We do not want to permit connecting to arbitrary unconfined services
left running in the init domain.  I do not know how this was originally
triggered and thus cannot test that it is fixed.  Possible causes:
- another service was left running in init domain, e.g. dumpstate,
- there was a socket entry for the service in the init.rc file
and the service was launched via logwrapper and therefore init did
not know how to label the socket.

The former should be fixed.  The latter can be solved either by
removing use of logwrapper or by specifying the socket context
explicitly in the init.rc file now.

Change-Id: I09ececaaaea2ccafb7637ca08707566c1155a298
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* changes:
  Allow access to unlabeled socket and fifo files.
  Remove unlabeled execute access from domain, add to appdomain.