am: edd86a63

* commit 'edd86a63':
  New postinstall domain and rules to run post-install program.

am: 01d95c23

* commit '01d95c23':
  Update netlink socket classes.

Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4

am: 6ef10bd4

* commit '6ef10bd4':
  suppress unnecessary makefile output

checkpolicy spits out a bunch of unnecessary lines during normal
operation, which bloat the logs and hide other more important
warnings. Suppress the normal output.

SELinux compile time errors are printed to stderr, and are
uneffected by this change.

Change-Id: I07f2cbe8afcd14abf1c025355a169b5214ed5c6e

am: 9a1347ee

* commit '9a1347ee':
  Allow bluetooth access to the tun device.

Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573
Change-Id: I07724d8d68ffcdda691f1179787a4f40a0ab1c73

am: bca98efa

* commit 'bca98efa':
  Don't allow permissive SELinux domains on user builds.

It's a CTS requirement that all SELinux domains be in
enforcing mode. Add the same assertion to the build system
when targeting user builds.

In particular, this avoids a situation where device integrity
checking is enabled on user builds, but permissive denials
are being generated, causing the device to unexpectedly reboot
into safe mode.

A developer wanting to put an SELinux domain into permissive
mode for userdebug/eng purposes can write the following
in their policy:

  userdebug_or_eng(`
    permissive foo;
  ')

Bug: 26902605
Bug: 27313768
Change-Id: Ic0971d9e96a28f2a98f9d56a547661d24fb81a21

am: f25ea5f9

* commit 'f25ea5f9':
  Label /proc/meminfo.

Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

(cherry-pick of internal commit: 971aeeda)

Bug: 22032619
Chromium Bug: 586021

Change-Id: I2dcb2d4800bbc92ea47c37d4fd7a10f827a0114c

am: 7905d681

* commit '7905d681':
  Allow access to the daydream ("dreams") service.

Bug: 26804329
Change-Id: I7b789c6fe8411e3a4a718da86d442a0f48c5c310

am: 65b5fde9

* commit '65b5fde9':
  Add recovery service.

RecoverySystemService is separated from PowerManagerService as a
dedicated system service to handle recovery related requests (such as
invoking uncrypt to uncrypt an OTA package on /data or to set up /
clear the bootloader control block (i.e. /misc) and etc).

The matching CL in frameworks/base is in:
  Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560.

Bug: 26830925
Change-Id: Iee0583c458f784bfa422d0f7af5d1f2681d9609e

am: 6b843bcf

* commit '6b843bcf':
  Enable recovery to read batteryinfo.

Bug: 26879394

Change-Id: I09ac9027ca343e00488dedab8df1687fd32bb255

This is needed to kill sockets using the new SOCK_DESTROY
operation instead of using SIOCKILLADDR.

Bug: 26976388
Change-Id: I01a63a754726a0e9fb68be48b76df4dc47752edb

Bug: 26902605
Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7

Large numbers of denials have been collected.  Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.

Change-Id: Ia7ad6264d85490824089b5074bf9c22303cc864a

* changes:
  checkseapp: remove .data = NULL assignments
  checkseapp: remove data types form static map
  checkseapp: generalize input validation
  checkseapp: update error message output
  checkseapp: declare internal function as static

Currently, uncrypt has write access to "block_device". This is
the generic label used for a file in /dev/block which doesn't
have a more specific label assigned to it.

This is an overly broad grant. Commit a10f789d
started the process of deprecating "block_device" access in favor
of "misc_block_device".

This change completes the deprecation and removes the overly
broad grant. Also update the neverallow rules so that
this overly broad rule cannot be reintroduced into uncrypt.

Bug: 25091603
Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55

update_engine needs to access bootctrl_block_device to get and set the slot to boot.
avc: denied { write } for name="mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file

Also track the name change of the native binder service.
avc:  denied  { add } for service=android.os.UpdateEngineService pid=210 uid=0 scontext=u:r:update_engine:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

Bug: 27106053
Change-Id: Idbfef18578489db33fead0721e8f26d63db5ce09

untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.

Keep untrusted_app file creation to sandbox, sdcard and media
locations.

Change-Id: Ife680cb9425dad8223651f16b9be8a3179839ec3
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 27078729
Change-Id: I74115521e1def661dea5575eb532b93fe7f1f4ad

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc.  Many processes try
to read proc dirs, though.  Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.

Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3

Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.

Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

Bug: 26976972
Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118

Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd

Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.

Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Data type tracking is no longer needed now that per
key validation routines are supported.

Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>