It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).

Bug: 27882507
Change-Id: Iaa83e3ac543b2221e1178c563e18298305de6da2

(cherrypicked from commit 45737b9f)

There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.

Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403

It's only used by the emulators, never by core policy.
Move the definition to the emulators.

Bug: 28221393
Change-Id: I7ca56e04d611cfccde507313ba9c2a0a71d54d06

SafetyNet is in the priv_app domain. Suppressing this
isn't necessary anymore.

Change-Id: Icbcb75d3b2ebde657bd16b336b252aaec4d0d252

The misc_block_device partition is intended for the exclusive
use of the OTA system, and components related to the OTA system.
Disallow it's use by anyone else on user builds. On userdebug/eng
builds, allow any domain to use this, since this appears to be used
for testing purposes.

Bug: 26470876
Change-Id: I05d4ee025bb8a5e6a1a9237fefaa2b1c646e332c

(Cherry-pick of internal commit: de0ce9c1)
Bug: 28165026

Change-Id: I3096373d5936db6ca7a153d98e8d34d6629074d7

This does not appear needed anymore.

Change-Id: I3128ab610c742b18008f4cfc2a7116b210f770e7

Make sure adbd can't transition to other non-shell domains,
and in particular, can't transition to the su user on user builds.

Bug: 27270128
Change-Id: I67dc974da460d63879f5ff3e1258af8eb790a815

Do not allow module loading except from the system, vendor,
and boot partitions.

Bug: 27824855
Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1

Enforce restrictions on kernel module origin when kernel has commit:
61d612ea selinux: restrict kernel module loading

Bug: 27824855
Change-Id: Icf2fefec4231f3df8f0f3d914123c22084d87b0b

Add a neverallow rule (CTS test + compile time assertion) blocking
system_server from executing files outside of a few select file
types.

In general, it's dangerous to fork()/exec() from within a multi-threaded
program. See
https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
This change helps discourage the introduction of new execs.

Bug: 28035297
Change-Id: Idac824308183fa2cef75f17159dae14447290e5b

postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5

Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Prevent direct opens into the system_app sandbox.

Change-Id: I04c22076939a9a09a6c861ae73da839c879c4ba7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

We decided a different approach for these policies in the
meeting today.

This reverts commit 5507fa66.

Bug: 28008031
Change-Id: Id86520660bdbc3fc36ac4acf51082547d6a559eb

Do not allow other domains to create or unlink files under
the system app sandbox.

Change-Id: I7c3037210c6849c3b0fc205fa71fa5ed4dcac1c2
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5
Signed-off-by: William Roberts <william.c.roberts@intel.com>

update_engine had an automatic transition to the "postinstall" domain
when executing a "postinstall_file" which required it to be an
entrypoint. This patch removes this automatic transition and the
associated rules in update_engine.te, removing as well the need to
add exec_type to postinstall_file. Instead, update_engine now makes
this transition explicit by calling setexeccon(3).

Bug: 28008031
TEST=make dist; Deployed an update to edison-eng: postinstall runs as "postinstall" domain.

Change-Id: I2b799ac4808c90b010a9e776aaa7015020a94b49

Bug: 27965066
Change-Id: Ia0690c544876e209e4c080b0e959f763b731c48a

Some of the init allow rules were well passed 100 characters and
were difficult to read. Format them to use the one-per-line
set subtraction format as seen in other locations within sepolicy.

Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Postinstall testing requires to mount a filesystem and relabel its
files to postinstall_file. While this task will normally be performed
by the update_engine daemon running in a domain of the same name, we
also test this workflow with sample images from /data/nativetest in
eng builds.

This hides the log messages from the 'su' context when mounting and
relabeling a filesystem onto the postinstall mountpoint.

Bug: 27272144
Bug: 26955860
TEST=m; update_engine_unittests pass Postinstall tests.

Change-Id: Id39aa1afdc11a6f59434873e68a53cbcb6ae363f

The auditallow for install_recovery accessing cache_recovery_files
hasn't triggered, so drop the rules as they don't appear to be
used.

Change-Id: I74bb152b6c829612594c647674907e16783fa477

Followup to 121f5bfd.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
  out/target/product/bullhead/root/sepolicy

Before this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file relabelto;
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479

To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.

type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

BUG=23093747

Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1

Bug: 27176738
Change-Id: I70e4b7b54044dd541076eddd39a8e9f5d881badf

03-25 09:31:22.996     1     1 W init    : type=1400 audit(0.0:8): \
  avc: denied { getattr } for path="/data/misc/logd/logcat.052" \
  dev="dm-2" ino=124778 scontext=u:r:init:s0 \
  tcontext=u:object_r:misc_logd_file:s0 tclass=file permissive=0
. . .

Introduced a new macro not_userdebug_nor_eng()

Change-Id: I9c3a952c265cac096342493598fff7d41604ca45

Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.

Bug: 18340553
Bug: 27853304
Change-Id: I249fe2a46401b660efaa3f1102924a448ed750d5

/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.

Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f

sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

(cherry-pick of internal commit: 98eff7c3)

Bug: 27809332
Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f

One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.

Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac

See https://groups.google.com/d/msg/android-ndk/BbEOA9pnR-I/HgLkGy5qAgAJ

Addresses the following denial:

  avc: denied { lock } for path="/data/data/com.mypackage/files/somefilename" dev="mmcblk0p28" ino=114736 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0

While I'm here, also add lock to w_file_perms.

(cherrypicked from commit 4ee494cc)

Change-Id: I2568a228099c4e112e4a8b80da3bfcf2e35eb0ea

Block other operations which involve non-file descriptor
operations.

Change-Id: I5d813781c201a732aa1ee6ff6fd3d82f2af32ec7