See https://groups.google.com/d/msg/android-ndk/BbEOA9pnR-I/HgLkGy5qAgAJ

Addresses the following denial:

  avc: denied { lock } for path="/data/data/com.mypackage/files/somefilename" dev="mmcblk0p28" ino=114736 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0

While I'm here, also add lock to w_file_perms.

(cherrypicked from commit 4ee494cc)

Change-Id: I2568a228099c4e112e4a8b80da3bfcf2e35eb0ea

Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Modify create_file_perms and create_dir_perms so it doesn't have
the "link" permission. This permission controls whether hard links
are allowed or not on the given file label. Hard links are a common
source of security bugs, and isn't something we want to support by
default.

Get rid of link_file_perms and move the necessary permissions into
create_file_perms and create_dir_perms. Nobody is using this macro,
so it's pointless to keep it around.

Get rid of unlink on directories. It returns EISDIR if you attempt to
do it, independent of SELinux permissions.

SELinux domains which have a need for hard linking for a particular
file type can add it back to their permission set on an as-needed basis.

Add a compile time assertion (neverallow rule) for untrusted_app.
It's particularly dangerous for untrusted_app to ever have hard
link capabilities, and the neverallow rule will prevent regressions.

Bug: 19953790
Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0

Addresses denials such as:
type=1400 : avc: denied { lock } for comm="PushCheckSendS" path="socket:[1834573]" dev="sockfs" ino=X scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=tcp_socket

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 2c759185)

Bug: 18730521
Change-Id: Ie68955c26ddedb3acd7b7aa18afbf8b35c2c2f78

Addresses denials such as:
type=1400 : avc: denied { lock } for comm="PushCheckSendS" path="socket:[1834573]" dev="sockfs" ino=X scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=tcp_socket

Change-Id: Idbf6120cca9df634e2f8a876fd1cd836551e5ad7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Initial policy for racoon (IKE key management).

Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479

Change-Id: I328bc882b3d6e200742e017aa23154fb01e638a5

Add key_socket class to socket_class_set macro.  Allow system to trigger module auto-loading and to write to sockets created under /dev.