We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba

Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.

Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f

The new sideloading mechanism in recovery needs to create a fuse
filesystem and read files from it.

Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf

Needed to support https://android-review.googlesource.com/80871

Change-Id: Iba569c046135c0e81140faf6296c5da26a243037

Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e

Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28

Remove the auditallow statements from app.te and
binderservicedomain.te which were causing log spam.

Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb

Map imms to system_app_service in service_contexts and add
the system_app_service type and allow system_app to add the
system_app_service.

Bug: 16005467
Change-Id: I06ca75e2602f083297ed44960767df2e78991140

Remove the allow rule for default services in
binderservicedomain.te so we will need to whitelist any
services to be registered.

Change-Id: Ibca98b96a3c3a2cbb3722dd33b5eb52cb98cb531

This is extremely useful as it allows timeouts on the socket.
Since ioctl is allowed, setopt shouldn't be a problem.

Resolves denials, in 3rd party apps, such as:

avc:  denied  { setopt } for  pid=18107 comm="AudioRouter-6"
scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0
tclass=unix_stream_socket

Change-Id: I6f38d7b86983c517575b735f43b62a2ed811e81c
Signed-off-by: Sérgio Faria <sergio91pt@gmail.com>

Chrome renderer processes dlopen() a shared library from
gmscore. Open and read on app data file is already allowed,
but execute isn't, so the dlopen() fails. This is a regression
from K, where the dlopen succeeded.

Longer term, there's questions about whether this is appropriate
behavior for an isolated app. For now, allow the behavior.
See the discussion in b/15902433 for details.

Addresses the following denial:

  I/auditd  ( 5087): type=1400 audit(0.0:76): avc:  denied  { execute } for  comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Bug: 15902433
Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678

Adding services to service_contexts for the
pending commits Icf5997dd6a6ba5e1de675cf5f4334c78c2c037f1
and Ibe79be30b80c18ec45ff69db7527c7a4adf0ee08.

Change-Id: Ie898866d1ab3abba6211943e87bcec77ba568567

Add missing services related to battery, bluetooth, time,
and radio to service_contexts.

Change-Id: I8bf05feb173d49637048c779757013806837fede

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc

dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.

Addresses the following denial:

  <4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0

Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe

system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.

Allow it.

Addresses the following errors which have been showing up
in logcat:

  W/ProcessCpuTracker(12159): Skipping unknown process pid 1
  W/ProcessCpuTracker(12159): Skipping unknown process pid 2
  W/ProcessCpuTracker(12159): Skipping unknown process pid 3

Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512

Change-Id: I004ae9aee23a28cb4975fcee51d24eb1a654f0b7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Address denials such as:
avc: denied { write } for pid=2587 comm="kworker/u:4" path="/storage/emulated/0/Download/AllFileFormatesFromTommy/Test3GP.3gp" dev="fuse" ino=3086052592 scontext=u:r:kernel:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file permissive=0

Change-Id: I351e84b48f1b5a3361bc680b2ef379961ac2e8ea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Bug: 15835289

Property being set: sys.boot_from_charger_mode. If healthd attempts to write
this property without the policy changes we get the following audit message:

[   45.751195] type=1400 audit(1403556447.444:7): avc:  denied  { write } for pid=99 comm="charger" name="property_service" dev="tmpfs" ino=3229 scontext=u:r:healthd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

These changes are needed to support the following system/core commit:
faster booting from charger mode
* Ieec4494d929e92806e039f834d78b9002afd15c4

Change-Id: I9f198cd73c7b2f1e372c3793dc2b8d5ef26b3a0f

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Don't allow unconfined domains to access the internet. Restrict
internet functionality to domains which explicitly declare their
use. Removing internet access from unconfined domains helps
protect daemons from network level attacks.

In unconfined.te, expand out socket_class_set, and explicitly remove
tcp_socket, udp_socket, rawip_socket, packet_socket, and
appletalk_socket. Remove name_bind, node_bind and name_connect rules,
since they only apply to internet accessible rules.

Add limited udp support to init.te. This is needed to bring up
the loopback interface at boot.

Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a

execmod is checked on attempts to make executable a file mapping
that has been modified.  Typically this indicates a text relocation
attempt.  As we do not ever allow this for any confined domain to
system_file or exec_type, we should not need it for unconfineddomain
either.

Change-Id: I8fdc858f836ae0d2aa56da2abd7797fba9c258b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.

Addresses denials such as:
  avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.

Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Trying to run dumpsys from the serial console generates the
following errors:

  shell@device:/ # dumpsys power
  [ 3244.099015] binder: 2259:2259 transaction failed 29201, size 28-8
  [ 3244.099291] type=1400 audit(1403313679.642:12): avc: denied { read write } for pid=2259 comm="dumpsys" path="/dev/console" dev="tmpfs" ino=6188 scontext=u:r:system_server:s0 tcontext=u:object_r:console_device:s0 tclass=chr_file permissive=0
  Error dumping service info: (Unknown error -2147483646) power

and the operation fails. Allow binderservicedomains to perform
writes to /dev/console.

Bug: 15779131
Change-Id: Iff55ab09c3a4d40e12d49ff2308bf147f9cb6937

The init.rc one-shot services "defaultcrypto" and "encrypt" call
out to the /system/bin/vdc command line to ask vold to perform
encryption operations. Create a new domain for these one-shot
services. Allow the vdc domain to talk to vold.

Change-Id: I73dc2ee4cc265bc16056b27307c254254940fd9f

sdcard_internal is assigned to fuse mounts while sdcard_external
is assigned to vfat mounts by genfs_contexts.  Originally we
allowed access to both via the sdcard_type attribute, and access
via both means was required.  IIUC however, in 4.4 and later,
SDcard access should always occur via the fuse mount and we can
drop access to sdcard_external.

I think we can do the same for all domains except sdcardd.  However,
I cannot test this as the Nexus devices do not have external SDcard
support.

Also wondering if we should rename sdcard_internal type to fuse
and sdcard_external type to vfat to more clearly represent their
meaning, since one accesses the external SDcard via the fuse mount now.

Change-Id: Ie44221e9eea90e627a48df5398c456b86293f724
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Require sdcard_type access to be explicitly allowed to
each domain.  This is to both protect services from
being killed by unsafe ejection and to protect SDcard
data from access by rogue daemons.

Change-Id: If3bdd50fd2be50bd98d755b2f252e0ae455b82c4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Require app_data_file access to be explicitly allowed to
each domain.  We especially do not want to allow
app_data_file:lnk_file read to any privileged domain.
But removing app_data_file access in general can be useful
in protecting app data from rogue daemons.

Change-Id: I46240562bce76579e108495ab15833e143841ad8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove write access to rootfs files from unconfineddomain and
prevent adding it back via neverallow.  This is only applied to
regular files, as we are primarily concerned with preventing
writing to a file that can be exec'd and because creation of
directories or symlinks in the rootfs may be required for mount
point directories.

Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

execute_no_trans controls whether a domain can execve a program
without switching to another domain.  Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon).  Prohibit it otherwise for the
kernel domain via neverallow.  This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.

Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

[  265.263738] type=1400 audit(17091747.819:4): avc:  denied  { write } for  pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
[  265.293154] type=1400 audit(17091747.849:5): avc:  denied  { execute } for  pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
[  265.299479] type=1400 audit(17091747.859:6): avc:  denied  { setgid } for  pid=177 comm="recovery" capability=6  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
[  265.299511] type=1400 audit(17091747.859:7): avc:  denied  { read write } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299531] type=1400 audit(17091747.859:8): avc:  denied  { open } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299863] type=1400 audit(17091747.859:9): avc:  denied  { setuid } for  pid=177 comm="recovery" capability=7  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>