Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh.  So they originally
shared a common set of rules.  Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc.  Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc).  The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command.  And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.

Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te.  init_shell was an unconfined_domain(),
so it loses nothing from this change.  Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.

Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Need this for changing the max_cpufreq and min_cpufreq for the low power
mode.

Denials:
type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854
comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file

Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8

Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646
Signed-off-by: Ruchi <Kandoi&lt;kandoiruchi@google.com>

single quotes make the m4 parser think it's at the end of
a block, and generates the following compile time warning:

  external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720:

Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b

Dumpstate reads from /sys/fs/pstore/console-ramoops when generating
a bug report. Allow it.

Addresses the following denials:
  <12>[ 2187.362750] type=1400 audit(1402346777.139:9): avc: denied { search } for pid=4155 comm="dumpstate" name="/" dev="pstore" ino=9954 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
  <12>[ 2187.363025] type=1400 audit(1402346777.139:10): avc: denied { getattr } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1
  <12>[ 2187.363185] type=1400 audit(1402346777.139:11): avc: denied { read } for pid=4155 comm="dumpstate" name="console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1
  <12>[ 2187.363321] type=1400 audit(1402346777.139:12): avc: denied { open } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1

Change-Id: Ia20b7a03ed8e0c61b023eea93415a50af82e1bbf

dumpstate calls screencap to take a screenshot. screencap
requires the ability to access the gpu device. Allow it.

Bug: 15514427
Change-Id: Iad8451b6108786653146de471f6be2d26b0e3297

Right now usbfs doesn't have any labels, generating the
following kernel warnings:

<7>[    3.009582] SELinux: initialized (dev usbfs, type usbfs), not configured for labeling

and the occasional SELinux unlabeled auditallow logs:

<4>[  285.579254] type=1400 audit(1402010345.094:16): avc: granted { search } for pid=371 comm="qcks" name="/" dev="usbfs" ino=15794 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  285.632354] type=1400 audit(1402010345.154:18): avc: granted { search } for pid=371 comm="qcks" name="001" dev="usbfs" ino=15796 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir

Make sure usbfs is assigned via genfscon

Change-Id: I7191f2584014ba55a3c3a98e7efd0350dc958782

Change-Id: I74bf300c1b80e94e5acf9ba00ab443dfabad7408

surfaceflinger has been enforcing for a while now. Remove
the reference to the unconfined domain.

Change-Id: Ia86a0553e9c2db3c89f93e26179c79278d1d3bed

Change-Id: I9c3ff0a79d947a14084638772451d06298c43e47
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I1ea20044bd6789dde002da7fc9613cfbf1ee2d23
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses the following denial:

  type=1400 audit(0.0:24): avc: denied { create } for comm="adbd" name="md5sum" scontext=u:r:adbd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir

Change-Id: Ibb1708af85b2235cbad2794993cfeef896f8db4a

Addresses the following denials:

    avc:  denied  { read write } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { open } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { ioctl } for  pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { sys_tty_config } for  pid=132 comm="recovery" capability=26  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
    avc:  denied  { setfcap } for  pid=142 comm="update_binary" capability=31  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154

Domains which want to access /data/local/tmp must do so by
creating their own SELinux domain.

Bug: 15164984
Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0

Modeled after http://oss.tresys.com/pipermail/refpolicy/2013-January/006283.html

Addresses the following kernel error message:

  <6>[    3.855423] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
  <6>[    3.862482] SELinux: the above unknown classes and permissions will be denied
  <7>[    3.869668] SELinux:  Completing initialization.

Change-Id: Iad87fcd5348d121a808dbe7ae3c63f8c90fc09fc

The shell user needs to be able to run commands like
"cat /data/anr/traces.txt". Allow it.

We also need to be able to pull the file via adb.
"adb pull /data/anr/traces.txt". Allow it.

Addresses the following denials:

<4>[   20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 15450720
Change-Id: I767102a7182895112838559b0ade1cd7c14459ab

Make sure we have all necessary rules to modify system_file and
exec_type.

Allow writing to /proc/sys/vm/drop_caches and other proc
files.

Addresses denials like:

  avc:  denied  { getattr } for  pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { read } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { open } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { remove_name } for  pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { add_name } for  pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { write } for  pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file

recovery is still in permissive_or_unconfined(), so no rules are
being enforced.

Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59

write_logd() is allowed for domain, which means that all domains
are permitted read/write access to /dev. That's overly permissive
and causes substantial differences between user and userdebug/eng
devices.

Remove domain device:dir rw_dir_perms access. It's not needed.

Allow all domains to write/append to logd_debug. logd is responsible
for creating this file if need be. Remove logd_debug file create
permissions. This also eliminates the need for the type_transition
rules.

Bug: 15419803
Change-Id: I7dc3c4df8d413c649c24ae7bc15546d64226ce3b

Better refine the rules surrounding the recovery SELinux
domain, and get rid of dmesg log spam.

Recovery is still in permissive_or_unconfined(), so no expected
change in behavior.

Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c

Addresses denials such as:
avc: denied { getattr } for comm="installd" path="/data/app-asec/com.vectorunit.red-1.asec" dev="dm-0" ino=578229 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file

avc:  denied  { getattr } for  pid=262 comm="installd" path="/data/media/0/Android/data/com.google.android.apps.maps/cache/cache_vts_tran_base_GMM.m" dev="dm-0" ino=124930 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I406f1bea32736e2277adae1629a879fac0d714b6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses denials such as:
 avc: denied { read } for comm="Binder_6" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
 avc: denied { getattr } for comm="Binder_9" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I5e5744eecf2cbd4fc584db8584be4e9101bcb60c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As of sepolicy commit a16a59e2
(https://android-review.googlesource.com/94580), adf_device
and graphics_device have the exact same security properties.

Merge them into one type to avoid a proliferation of SELinux
types.

Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95

https://android-review.googlesource.com/#/c/95900/

 added
allow rules for unlabeled access as needed to all confined
domains.  Therefore we can remove it from domain.  The only
other domain that truly needs unlabeled access is init, which
presently inherits it from unconfineddomain.

Also prevent rules that would permit any confined domain from
creating new unlabeled files on the system.

Change-Id: I31c6478b42fbf60e3b7893b9578b6ad50170def6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is to accomodate migration to (and ongoing support of) a
new installed-app file topology, in which APK files are placed
in /data/app/$PACKAGE-rev/, there is a canonical-path symlink
/data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native
libraries exist not under a top-level /data/app-lib/$PACKAGE-rev
hard directory, but rather under /data/app/$PACKAGE/lib (when
referenced by canonical path).

Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0

As of system/core commit 225459a5da21e9397ca49b0d9af7d5fe3462706b,
adbd no longer talks to vold. Remove the obsolete rule.

Bug: 12504045
Change-Id: I0a4f621afd8e5f8ab83219e7b0ff096c992d365f

* commit 'bd0262c9':
  Add ocontext for F2FS

Without this, the "seclabel" mount option is unavailable to F2FS.

Bug: 15388455
Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870

NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

  06-02 13:28:59.495  3634  3634 W linker  : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
  <4>[   57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
  App runs

Actual:
  App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663