- May 12, 2016
  - Jeff Vander Stoep authored:
    Only used by Flounder.
    Bug: 8435593
    Change-Id: I06655e897ab68a1724190950e128cd390617f2bd
  - Jeff Vander Stoep authored:
    Address denials:
    avc: denied { read } for name="meminfo" dev="proc" ino=4026544360 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0
    Bug: 28722489
    Change-Id: I3c55bd95bb82ec54e88e9e9bc42d6392a216a936
  - Jeff Vander Stoep authored:
    (cherry-picked from commit cc8a09f5)
    camera_device was previously removed in AOSP commit b7aace2d "camera_device: remove type and add typealias" because the same domains required access to both without exception, meaning there was no benefit to distinguishing between the two. However, with the split up of mediaserver this is no longer the case, and distinguishing between the camera and video provides a legitimate security benefit. For example, the mediacodec domain requires access to the video_device for access to hardware accelerated codecs but does not require access to the camera.
    Bug: 28359909
    Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232
- May 11, 2016
  - Sen Jiang authored
- May 10, 2016
  - Jeff Vander Stoep authored:
    avc: denied { read } for name="device" dev="sysfs" ino=36099 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_rmtfs:s0 tclass=lnk_file
    init is already allowed to read directories; this is an obvious omission.
    Change-Id: I5131a84bb67e73aaed235c3cbab95c365eaaa2f0
- May 06, 2016
  - William Roberts authored:
    In order to allow set_prop() to function with platform_apps, the property_socket file requires mlstrustedobject since platform app uses category sets. This does not allow untrusted_app access, as the following neverallows still prevent type access:
    untrusted_app.te:118:neverallow untrusted_app property_socket:sock_file write;
    untrusted_app.te:120:neverallow untrusted_app property_type:property_service set;
    Lastly, the internal socket to property_service is labeled with init, which is mlstrustedsubject, so no changes are required there.
    Change-Id: I47296a2dc24b16785fd296deea7a54ae9966226a
    Signed-off-by: William Roberts <william.c.roberts@intel.com>
- May 03, 2016
  - Sen Jiang authored:
    This fixes the following denials:
    type=1400 audit(0.0:4389): avc: denied { read } for path="/data/misc/update_engine/tmp/a_loop_file.W0j9ss" dev="mmcblk0p13" ino=24695 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0
    type=1400 audit(0.0:30): avc: denied { read } for path="/data/nativetest/update_engine_unittests/gen/disk_ext2_unittest.img" dev="mmcblk0p13" ino=71 scontext=u:r:kernel:s0 tcontext=u:object_r:nativetest_data_file:s0 tclass=file permissive=0
    Bug: 28319454
    Test: setenforce 1 && ./update_engine_unittests
    Change-Id: I8d54709d4bda06b364b5420d196d75a4ecc011d3
- Apr 28, 2016
  - William Roberts authored:
    Enable rules to allow shell to getattr on all block files for checking modes under /dev/block. Exempt shell from any neverallows on blk_file and limit them to only getattr.
    bug: 28306036
    Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196
    Signed-off-by: William Roberts <william.c.roberts@intel.com>
  - William Roberts authored:
    Enable shell to have access to /dev for running the world-accessible mode test on /dev. This approach adds shell to the list of excluded domains on neverallows around chr_files, but locks down the access for shell to only getattr. It was done this slightly more complicated way to prevent loosening the allow rules so that any domain would have getattr permissions.
    Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
- Apr 27, 2016
  - Mihai Serban authored:
    There is a race in ueventd's coldboot procedure that permits creation of device block nodes before platform devices are registered. In this case the device node links used to compute the SELinux context are not known and the node is created under the generic context: u:object_r:block_device:s0. Ueventd has been patched to relabel the nodes on subsequent add events, but it needs permissions to be allowed to do it.
    BUG=28388946
    Change-Id: Ic836309527a2b81accc50df38bd753d54fa5e318
    Signed-off-by: Mihai Serban <mihai.serban@intel.com>
- Apr 23, 2016
  - Treehugger Robot authored
  - Treehugger Robot authored
  - Nick Kralevich authored:
    These neverallow rules are exact duplicates of neverallow rules which occur earlier in the file.
    Change-Id: I75e3d84109f26374257741425f8de638a15f2741
  - Nick Kralevich authored:
    When using domain_trans(init, foo_exec, foo), don't add the following rule:
    allow foo init:process sigchld;
    This is already allowed for all domains in domain.te:
    # Allow reaping by init.
    allow domain init:process sigchld;
    So adding it over and over again is redundant and bloats the policy. More specifically, when I run:
    sepolicy-analyze out/target/product/bullhead/root/sepolicy dups
    this change reduces the number of duplicate policy statements from 461 to 389.
    Change-Id: I8632e5649a54f63eb1f79ea6405c4b3f515f544c
  - Nick Kralevich authored:
    This rule is a duplicate of a rule already in domain.te.
    Change-Id: I729e6d9ca9c99466f8c0fd1ab2f8449f889c71fa
  - Nick Kralevich authored:
    This directory is no longer used.
    Change-Id: Ic32a7dd160b23ef8d1d4ffe3f7b1af56c973d73c
- Apr 22, 2016
  - Alex Deymo authored:
    The boot_control HAL is a library loaded by our daemons (like update_engine and update_verifier) that interacts with the bootloader. The actual implementation of this library is provided by the vendor, and its runtime permissions are tied to this implementation, which varies a lot based on how the bootloader and the partitions it uses are structured. This patch moves these permissions to an attribute so the attribute can be expanded on each device without the need to repeat that on each one of our daemons using the boot_control HAL.
    Bug: 27107517
    Change-Id: Idfe6a208720b49802b03f70fee4a3e73030dae2e
  - Nick Kralevich authored:
    It doesn't ever make sense to attempt to load executable code from these files. Add a neverallow rule (compile time assertion and CTS test).
    Bug: 27882507
    Change-Id: Iaa83e3ac543b2221e1178c563e18298305de6da2
- Apr 21, 2016
  - Nick Kralevich authored:
    (cherrypicked from commit 45737b9f)
    There are now individual property files to control access to properties. Don't allow processes other than init to write to these property files.
    Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403
- Apr 18, 2016
  - Nick Kralevich authored:
    It's only used by the emulators, never by core policy. Move the definition to the emulators.
    Bug: 28221393
    Change-Id: I7ca56e04d611cfccde507313ba9c2a0a71d54d06
- Apr 16, 2016
  - Nick Kralevich authored:
    SafetyNet is in the priv_app domain. Suppressing this isn't necessary anymore.
    Change-Id: Icbcb75d3b2ebde657bd16b336b252aaec4d0d252
- Apr 15, 2016
  - Nick Kralevich authored:
    The misc_block_device partition is intended for the exclusive use of the OTA system, and components related to the OTA system. Disallow its use by anyone else on user builds. On userdebug/eng builds, allow any domain to use this, since this appears to be used for testing purposes.
    Bug: 26470876
    Change-Id: I05d4ee025bb8a5e6a1a9237fefaa2b1c646e332c
- Apr 13, 2016
- Apr 07, 2016
  - Nick Kralevich authored:
    This does not appear needed anymore.
    Change-Id: I3128ab610c742b18008f4cfc2a7116b210f770e7
  - Nick Kralevich authored:
    Make sure adbd can't transition to other non-shell domains, and in particular, can't transition to the su user on user builds.
    Bug: 27270128
    Change-Id: I67dc974da460d63879f5ff3e1258af8eb790a815
  - Jeffrey Vander Stoep authored
  - Jeff Vander Stoep authored:
    Do not allow module loading except from the system, vendor, and boot partitions.
    Bug: 27824855
    Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1
  - Jeffrey Vander Stoep authored
  - Nick Kralevich authored
  - Jeff Vander Stoep authored:
    Enforce restrictions on kernel module origin when kernel has commit 61d612ea "selinux: restrict kernel module loading".
    Bug: 27824855
    Change-Id: Icf2fefec4231f3df8f0f3d914123c22084d87b0b
- Apr 06, 2016
  - Nick Kralevich authored:
    Add a neverallow rule (CTS test + compile time assertion) blocking system_server from executing files outside of a few select file types. In general, it's dangerous to fork()/exec() from within a multi-threaded program. See https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
    This change helps discourage the introduction of new execs.
    Bug: 28035297
    Change-Id: Idac824308183fa2cef75f17159dae14447290e5b
  - Alex Deymo authored:
    postinstall_file was an exec_type so it could be an entrypoint for the domain_auto_trans from update_engine domain to postinstall domain. This patch removes the exec_type from postinstall_file and exempts it from the neverallow rule to become an entrypoint.
    Bug: 28008031
    TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.
    Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5
  - William Roberts authored:
    Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063
    Signed-off-by: William Roberts <william.c.roberts@intel.com>
  - William Roberts authored:
    Prevent direct opens into the system_app sandbox.
    Change-Id: I04c22076939a9a09a6c861ae73da839c879c4ba7
    Signed-off-by: William Roberts <william.c.roberts@intel.com>
  - Nick Kralevich authored
- Apr 05, 2016
  - Alex Deymo authored
  - Alex Deymo authored:
    We decided a different approach for these policies in the meeting today. This reverts commit 5507fa66.
    Bug: 28008031
    Change-Id: Id86520660bdbc3fc36ac4acf51082547d6a559eb
  - William Roberts authored:
    Do not allow other domains to create or unlink files under the system app sandbox.
    Change-Id: I7c3037210c6849c3b0fc205fa71fa5ed4dcac1c2
    Signed-off-by: William Roberts <william.c.roberts@intel.com>
  - William Roberts authored:
    Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5
    Signed-off-by: William Roberts <william.c.roberts@intel.com>
  - Alex Deymo authored:
    update_engine had an automatic transition to the "postinstall" domain when executing a "postinstall_file", which required it to be an entrypoint. This patch removes this automatic transition and the associated rules in update_engine.te, removing as well the need to add exec_type to postinstall_file. Instead, update_engine now makes this transition explicit by calling setexeccon(3).
    Bug: 28008031
    TEST=make dist; Deployed an update to edison-eng: postinstall runs as "postinstall" domain.
    Change-Id: I2b799ac4808c90b010a9e776aaa7015020a94b49