  1. Dec 10, 2016
      remove more domain_deprecated · 6a259ccd
      Nick Kralevich authored
      Test: no denials showing up in log collection
      Test: device boots
      Bug: 28760354
      Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23
  2. Oct 06, 2016
      Split general policy into public and private components. · cc39f637
      dcashman authored
      Divide policy into public and private components.  This is the first
      step in splitting the policy creation for platform and non-platform
      policies.  The policy in the public directory will be exported for use
      in non-platform policy creation.  Backwards compatibility with it will
      be achieved by converting the exported policy into attribute-based
      policy when included as part of the non-platform policy and a mapping
      file will be maintained to be included with the platform policy that
      maps exported attributes of previous versions to the current platform
      version.
      
      Eventually we would like to create a clear interface between the
      platform and non-platform device components so that the exported policy,
      and the need for attributes is minimal.  For now, almost all types and
      avrules are left in public.
      
      Test: Tested by building policy and running on device.
      
      Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
  3. Sep 11, 2016
      Enforce ioctl command whitelisting on all sockets · bff98015
      Jeff Vander Stoep authored
      Remove the ioctl permission for most socket types. For others, such as
      tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
      that individual domains may extend (except where neverallowed like
      untrusted_app). Enforce via a neverallowxperm rule.
      
      Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
  4. Nov 03, 2015
      Create attribute for moving perms out of domain · d22987b4
      Jeff Vander Stoep authored
      Motivation: Domain is overly permissive. Start removing permissions
      from domain and assign them to the domain_deprecated attribute.
      Domain_deprecated and domain can initially be assigned to all
      domains. The goal is to not assign domain_deprecated to new domains
      and to start removing domain_deprecated where it is not required or
      reassigning the appropriate permissions to the inheriting domain
      when necessary.
      
      Bug: 25433265
      Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
  5. Jun 11, 2014
      Allow dnsmasq to inherit/use netd UDP socket. · 7c11bdc4
      Stephen Smalley authored
      
      Addresses denials such as:
      avc: denied { read write } for comm="dnsmasq" path="socket:[1054090]" dev="sockfs" ino=1054090 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=udp_socket
      This may not be needed (need to check netd to see if it should be closing
      all of these sockets before exec'ing other programs), but should be harmless.
      
      Change-Id: I77c7af5e050e039fd48322914eeabbcb8a716040
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  6. Mar 18, 2014
      Allow netd-spawned domains to use inherited netd unix_dgram_socket. · 08461cb0
      Stephen Smalley authored
      
      Resolves denials such as:
       avc:  denied  { read write } for  pid=4346 comm="hostapd" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:hostapd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket
       avc:  denied  { read write } for  pid=4348 comm="dnsmasq" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket
      
      Change-Id: Ie82f39c32c6e04bc9ef1369ca787cf80b3b4141c
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  7. Mar 14, 2014
  8. Mar 12, 2014
      Allow dnsmasq dac_override capability. · 45815c3e
      Stephen Smalley authored
      
      dnsmasq presently requires dac_override to create files under
      /data/misc/dhcp.  Until it can be changed to run with group dhcp,
      allow dac_override.
      
      Addresses denials such as:
      avc:  denied  { dac_override } for  pid=21166 comm="dnsmasq" capability=1  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
      
      Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  9. Mar 07, 2014
      Address dnsmasq denials. · 17859404
      Stephen Smalley authored
      
      Address dnsmasq denials such as:
      
       avc:  denied  { use } for  pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fd
       avc:  denied  { read } for  pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file
       avc:  denied  { read write } for  pid=9145 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket
       avc:  denied  { read write } for  pid=9145 comm="dnsmasq" path="socket:[8221]" dev="sockfs" ino=8221 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket
       avc:  denied  { read write } for  pid=9523 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket
       avc:  denied  { read write } for  pid=9523 comm="dnsmasq" path="socket:[7862]" dev="sockfs" ino=7862 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket
       avc:  denied  { net_raw } for  pid=9607 comm="dnsmasq" capability=13  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
       avc:  denied  { net_admin } for  pid=9607 comm="dnsmasq" capability=12  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
      
      Change-Id: I2bd1eaf22879f09df76a073028cc282362eebeee
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  10. Feb 25, 2014
      Clean up socket rules. · 16011320
      Stephen Smalley authored
      
      Replace * or any permission set containing create with
      create_socket_perms or create_stream_socket_perms.
      
      Add net_domain() to all domains using network sockets and
      delete rules already covered by domain.te or net.te.
      
      For netlink_route_socket, only nlmsg_write needs to be separately
      granted to specific domains that are permitted to modify the routing
      table.   Clarification:  read/write permissions are just ability to
      perform read/recv() or write/send() on the socket, whereas nlmsg_read/
      nlmsg_write permissions control ability to observe or modify the
      underlying kernel state accessed via the socket.
      See security/selinux/nlmsgtab.c in the kernel for the mapping of
      netlink message types to nlmsg_read or nlmsg_write.
      
      Delete legacy rule for b/12061011.
      
      This change does not touch any rules where only read/write were allowed
      to a socket created by another domain (inherited across exec or
      received across socket or binder IPC).  We may wish to rewrite some or all
      of those rules with the rw_socket_perms macro but that is a separate
      change.
      
      Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
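As an added example (not code from any commit on this page), a small Python triage script that parses avc denial lines like those quoted in the commits above, aggregates them into candidate allow rules the way audit2allow would, and separately flags permissions that deserve a human decision rather than a reflexive grant. The sample lines are copied from the denials quoted in the dnsmasq commits above; the HIGH_RISK set is my own assumption, not anything the policy defines.

```python
import re
from collections import defaultdict

# Constructed sample: denial lines copied from the commit messages above.
SAMPLE_DENIALS = """\
avc:  denied  { use } for  pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fd
avc:  denied  { read } for  pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file
avc:  denied  { read write } for  pid=9145 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket
avc:  denied  { read write } for  pid=9523 comm="dnsmasq" path="socket:[7862]" dev="sockfs" ino=7862 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket
avc:  denied  { net_raw } for  pid=9607 comm="dnsmasq" capability=13  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
avc:  denied  { dac_override } for  pid=21166 comm="dnsmasq" capability=1  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
"""

# Fields of an avc denial: the braced permission set, then the three contexts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption: permissions a policy author should justify explicitly, never auto-grant.
HIGH_RISK = {"dac_override", "net_admin", "net_raw", "sys_admin", "sys_module", "nlmsg_write"}

def domain(ctx):
    """Return the type component of a context: u:r:dnsmasq:s0 -> dnsmasq."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Aggregate avc lines into {(source, target, tclass): set(perms)}."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial (other log noise); skip it
        key = (domain(m["scontext"]), domain(m["tcontext"]), m["tclass"])
        found[key].update(m["perms"].split())
    return dict(found)

def candidate_rules(denials):
    """Render audit2allow-style allow rules, sorted so re-runs diff cleanly."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt   # policy idiom for same-domain targets
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def needs_review(denials):
    """List (source->target:class, perm) pairs that hit HIGH_RISK and need a decision."""
    return sorted((f"{src}->{tgt}:{cls}", p)
                  for (src, tgt, cls), perms in denials.items()
                  for p in perms & HIGH_RISK)
```

Note that a `{ read write }` grant on an inherited netlink_route_socket only permits recv()/send() on that socket; as the commit above explains, modifying the routing table additionally requires nlmsg_write, which never appears in these denials and so is never proposed by this script.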
  11. Feb 11, 2014
  12. Oct 21, 2013
      Move unconfined domains out of permissive mode. · 353c72e3
      Nick Kralevich authored
      This change removes the permissive line from unconfined
      domains. Unconfined domains can do (mostly) anything, so moving
      these domains into enforcing should be a no-op.
      
      The following domains were deliberately NOT changed:
      1) kernel
      2) init
      
      In the future, this gives us the ability to tighten up the
      rules in unconfined, and have those tightened rules actually
      work.
      
      When we're ready to tighten up the rules for these domains,
      we can:
      
      1) Remove unconfined_domain and re-add the permissive line.
      2) Submit the domain in permissive but NOT unconfined.
      3) Remove the permissive line
      4) Wait a few days and submit the no-permissive change.
      
      For instance, if we were ready to do this for adb, we'd identify
      a list of possible rules which allow adbd to work, re-add
      the permissive line, and then upload those changes to AOSP.
      After sufficient testing, we'd then move adb to enforcing.
      We'd repeat this for each domain until everything is enforcing
      and out of unconfined.
      
      Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
  13. Jun 28, 2013
      Enable SELinux protections for netd. · dbd28d91
      Nick Kralevich authored
      This change does several things:
      
      1) Restore domain.te to the version present at
      cd516a32. This is the version
      currently being distributed in AOSP.
      
      2) Add "allow domain properties_device:file r_file_perms;" to
      domain.te, to allow all domains to read /dev/__properties__ .
      This change was missing from AOSP.
      
      3) Restore netd.te to the version present at
      80c9ba52. This is the version
      currently being distributed in AOSP.
      
      4) Remove anything involving module loading from netd.te. CTS
      enforces that Android kernels can't have module loading enabled.
      
      5) Add several new capabilities, plus data file rules, to
      netd.te, since netd needs to write to files owned by wifi.
      
      6) Add a new unconfined domain called dnsmasq.te, and allow
      transitions from netd to that domain. Over time, we'll tighten up
      the dnsmasq.te domain.
      
      7) Add a new unconfined domain called hostapd.te, and allow
      transitions from netd to that domain. Over time, we'll tighten up
      the hostapd.te domain.
      
      The net effect of these changes is to re-enable SELinux protections
      for netd. The policy is FAR from perfect, and allows a lot of wiggle
      room, but we can improve it over time.
      
      Testing: as much as possible, I've exercised networking related
      functionality, including turning on and off wifi, entering airplane
      mode, and enabling tethering and portable wifi hotspots. It's quite
      possible I've missed something, and if we experience problems, I
      can roll back this change.
      
      Bug: 9618347
      Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0