system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.

This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.

Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c

Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8

Address observed  audit logs of the form:
granted  { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29

Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.

This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700

Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d

Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547

Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d

Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

(cherrypick of commit 47bd7300)

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53

Permits the system server to change keystore passwords for users other
than primary.

(cherrypicked from commit de08be8a)

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e

Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53

Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e

Bug: 16875245

(cherry picked from commit 372d0df7)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7

Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a

This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c

This reverts commit 10370f5f.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d

Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.

Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.

Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspsect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspsect that system_server
will probe for most all services anyway.

Change-Id: I27a05761c14def3a86b0749cdb895190bdcf9d71

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15

Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d

Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2

Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964

Address denials in devices that use /oem

Change-Id: I80b76bb58bab9b6c54d6550eb801664d82a4d403

Bug: 15313911
Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe

Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e

Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: Ia644c73ec10460a2a529fe197ade6afe46694651

Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976

We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba

Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc

system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.

Allow it.

Addresses the following errors which have been showing up
in logcat:

  W/ProcessCpuTracker(12159): Skipping unknown process pid 1
  W/ProcessCpuTracker(12159): Skipping unknown process pid 2
  W/ProcessCpuTracker(12159): Skipping unknown process pid 3

Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658

system_server needs to open /dev/snd and access files
within that directory. Allow it.

system_server need to parse the ALSA card descriptors after a USB device
has been inserted. This happens from USBService in system_server.

Addresses the following denial:

  system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir

and likely others

Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8