- Dec 07, 2015
-
-
Nick Kralevich authored
The removal of domain_deprecated broke ddms screen capturing functionality.

Steps to reproduce:

  1) Run "ddms"
  2) Select your device
  3) Go to the Device > Screen Capture menu
  4) Attempt to take a screenshot

Addresses the following denials:

  avc: denied { read } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for pid=2728 comm="screencap" path="/dev/ion" dev="tmpfs" ino=7255 ioctlcmd=4905 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26023462
Change-Id: Ie77c65900de56756d5c9b99dcda1e20664151ed2
-
Nick Kralevich authored
The removal of domain_deprecated broke the ability for adbd to pull files from /sdcard. Re-allow it.

Addresses the following denials:

  avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
  avc: denied { getattr } for pid=2755 comm=73657276696365203431 path="/sdcard" dev="rootfs" ino=5472 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0

Change-Id: I70257933f554abd008932c7f122dd0151f464b05
-
- Dec 04, 2015
-
-
Felipe Leme authored
  - Add a new 'dumpstate' context for system properties. This context will be used to share state between dumpstate and Shell. For example, as dumpstate progresses, it will update a system property, which Shell will use to display the progress in the UI as a system notification. The user could also rename the bugreport file, in which case Shell would use another system property to communicate such change to dumpstate.
  - Allow Shell to call 'ctl.bugreport stop' so the same system notification can be used to stop dumpstate.

BUG: 25794470
Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
-
Jeffrey Vander Stoep authored
-
Nick Kralevich authored
Certain tests depend on the ability to examine directories in /system. Allow it to the shell user.

Addresses the following denials:

  avc: denied { read } for name="egl" dev="dm-1" ino=104 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26020967
Bug: 26023420
Change-Id: I509d921e159e99164c85fae9e8b2982a47573d14
-
Jeff Vander Stoep authored
Confirmed via audit logs that it is not required. Change-Id: I01d4b7ec15d4c852a9f28daf0b40ab4bce930125
-
Jeffrey Vander Stoep authored
-
- Dec 03, 2015
-
-
Jeff Vander Stoep authored
Remove bluetooth's access to tun_device. Auditallow rule demonstrates that it's not used. Strengthen the neverallow on opening tun_device to include all Apps. Bug: 24744295 Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
-
Tom Cherry authored
-
Tom Cherry authored
Properties are now broken up from a single /dev/__properties__ file into multiple files, one per property label. This commit provides the mechanism to control read access to each of these files and therefore sets of properties. This allows full access for all domains to each of these new property files to match the current permissions of /dev/__properties__. Future commits will restrict the access. Bug: 21852512 Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
-
Nick Kralevich authored
Allow pulling the currently running SELinux policy for CTS. Change-Id: I82ec03724a8e5773b3b693c4f39cc7b5c3ae4516
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Allows safetynet to scan the system partition which is made up of files labeled system_file (already allowed) and/or files with the exec_type attribute. Bug: 25821333 Change-Id: I9c1c9c11bc568138aa115ba83238ce7475fbc5e4
-
- Dec 02, 2015
-
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Remove domain_deprecated from bootanim. This removes some unnecessarily permissive rules. As part of this, re-allow access to cgroups, proc and sysfs, removed as a result of removing domain_deprecated. Bug: 25433265 Change-Id: I58658712666c719c8f5a39fe2076c4f6d166616c
-
Felipe Leme authored
domain_deprecated. BUG: 25965160 Change-Id: I586d082ef5fe49079cb0c4056f8e7b34fae48c03
-
Nick Kralevich authored
Remove domain_deprecated from mdnsd. This removes some unnecessarily permissive rules from mdnsd. As part of this, re-allow /proc/net access, which is removed as a result of removing domain_deprecated. Bug: 25433265 Change-Id: Ie1cf27179ac2e9170cf4cd418aea3256b9534603
-
Nick Kralevich authored
Allow directory reads to allow tab completion in rootfs to work. "pm" is crashing due to failure to access /data/dalvik-cache. Add back in the permissions from domain_deprecated. Allow /sdcard to work again. Bug: 25954400 Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73
-
- Dec 01, 2015
-
-
Nick Kralevich authored
Addresses the following denial:

  avc: denied { write } for path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=716 scontext=u:r:shell:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=0

which started occurring because of https://android-review.googlesource.com/184260

Bug: 25945485
Change-Id: I6dcfb4bcfc473478e01e0e4690abf84c24128045
-
- Nov 28, 2015
-
-
Nick Kralevich authored
The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc references this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
-
- Nov 25, 2015
-
-
Jeff Vander Stoep authored
allow reading symlinks in /data and getattr in /system Change-Id: I8cc9ca056725cf10ebfeef474ebf9c80c5300a73
-
- Nov 24, 2015
-
-
Sen Jiang authored
-
Nick Kralevich authored
Let's see if it's safe to get rid of them. Bug: 25768265 Bug: 25767747 Change-Id: Iaf022b4dafe1cc9eab871c8d7ec5afd3cf20bf96
-
- Nov 21, 2015
-
-
Sen Jiang authored
This allows bspatch to have the same permission as update_engine. Also added a rule to allow update_engine to execute bspatch. Bug: 24478450 Test: No more permission deny during delta update. Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4
-
- Nov 20, 2015
-
-
Nick Kralevich authored
Addresses the following denial:

  avc: denied { relabelfrom } for pid=9971 comm="system_server" name="fpdata" dev="dm-0" ino=678683 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Bug: 25801240
Change-Id: I043f48f410505acaee4bb97446945316f656a210
-
- Nov 19, 2015
-
-
Jeff Vander Stoep authored
libselinux stats selinuxfs, as does every process that links against libselinux such as toolbox. grant:

  allow domain selinuxfs:filesystem getattr;

domain is already granted:

  allow domain self:dir r_dir_perms;
  allow domain self:lnk_file r_file_perms;
  allow domain self:{ fifo_file file } rw_file_perms;

To make these possible, also grant:

  allow domain proc:dir search;

Change-Id: Ife6cfa2124c9d61bf908ac89a8444676acdb4259
-
- Nov 18, 2015
-
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
All apps should have access to the country_detector service.

  avc: denied { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager

Bug: 25766732
Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f
-
Nick Kralevich authored
Don't mix bluetooth rules with bluetoothdomain. The bluetoothdomain rules are used by several other SELinux domains, not just bluetooth, and keeping them in the same file is confusing. Change-Id: I487251ab1c1392467a39c7a87328cdaf802fc1f8
-
- Nov 17, 2015
-
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
  avc: denied { find } for service=deviceidle pid=26116 uid=10007 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:deviceidle_service:s0 tclass=service_manager

Bug: 25734577
Change-Id: I3c955e6df2186ad7adb6b599c5b6b802b8ecd8de
-
- Nov 16, 2015
-
-
Calin Juravle authored
Bug: 24698874 Bug: 17173268 Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18
-
- Nov 12, 2015
-
-
Nick Kralevich authored
f063f461 marked several zygote.te rules as "deprecated in M". Now that M is out the door, delete the obsolete rules. Change-Id: I7ff8abe8659bbcf7aa0b5c612ce3822a238df8ca
-
- Nov 11, 2015
-
-
Calin Juravle authored
The directory is to be used in eng/userdebug build to store method traces (previously stored in /data/dalvik-cache/profiles). Bug: 25612377 Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993
-
- Nov 09, 2015
-
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Move to domain_deprecated Bug: 25433265 Change-Id: Ib21876e450d8146ef9363d6430f6c7f00ab0c7f3
-
- Nov 07, 2015
-
-
Nick Kralevich authored
979adffd added an auditallow to see if system_server was relabeling system_data_file. The auditallow rule hasn't triggered, so remove the allow rule. a3c97a76 added an auditallow to see if system_server was executing toolbox. The auditallow rule hasn't triggered, so remove the allow rule. AFAIK, system_server never executes ANY file, so further tightening here is feasible. Change-Id: Ia0a93f3833e32c3e2c898463bd8813701a6dd20a
-
- Nov 03, 2015
-
-
Jeff Vander Stoep authored
Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
-
- Oct 29, 2015
-
-
dcashman authored
binderservicedomain services often expose their methods to untrusted clients and rely on permission checks for access control. Allow these services to query the permission service for access decisions. (cherry-pick of commit: 32d207e0) Bug: 25282923 Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b