hostapd creates sockets under /data/misc/wifi/hostapd.
Ensure that they are labeled correctly both at runtime
(type_transition) and during the init.rc restorecon_recursive /data
(file_contexts).

Addresses denials such as:
 avc:  denied  { create } for  pid=20476 comm="hostapd" name="wlan0" scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { setattr } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { unlink } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file

Change-Id: I80a443faeb6017a9d6cbdb8da9d7416f29a7b85f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses denials seen when attempting to take a screencaputre from ddms:
<5>[ 1232.327360] type=1400 audit(1393354131.695:41): avc:  denied  { read write } for  pid=18487 comm="screencap" name="nvhost-ctrl" dev="tmpfs" ino=4035 scontext=u:r:adbd:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Bug: 13188914
Change-Id: I758e4f87ab024035604d47eebae7f89f21ea1e3e

Copied from our tree, adjusted to note relationship to keys.conf
and to be consistent with the AOSP implementation.

Change-Id: I09ba86d4c9a1b11a8865890e11283456ea2ffbcf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This was a legacy of trying to support per-app level isolation
in a compatible manner by blocking direct open but permitting
read/write via passing of open files over Binder or local sockets.
It is no longer relevant and just confusing to anyone trying to use
the mls support for anything else.

Change-Id: I6d92a7cc20bd7d2fecd2c9357e470a30f10967a3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolve denials such as:
avc:  denied  { write } for  pid=130 comm="healthd" name="state" dev="sysfs" ino=57 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc:  denied  { read write } for  pid=130 comm="healthd" name="tty0" dev="tmpfs" ino=5677 scontext=u:r:healthd:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file

Change-Id: Iff0609af924b4e5094be7512646140c3baa97549
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc:  denied  { ioctl } for  pid=6390 comm="m.wimmcompanion" path="socket:[472596]" dev="sockfs" ino=472596 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Idd4fa219fe8674c6e1c40211b3c105d6276cfc5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:

avc:  denied  { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service

avc:  denied  { write } for  pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { add_name } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { create } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The environment has changed since b/10498304 and it may be the case
that some of the changes introduced thereby are no longer necessary.
Adding an auditallow will allow us to monitor the effects of
removing these changes, without blocking other development.

Change-Id: Id4ece1644877c4ba36df3050ac9073ea6320779c

We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This resolves denials such as:
type=1400 audit(7803852.559:251): avc:  denied  { getattr } for  pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

(triggered on an art crash seen in recent AOSP master)

Rather than just adding this permission individually, just rewrite
the existing rule to use the rx_file_perms macro.
We already allowed most of these permissions by way of the
domain_auto_trans() rule via init_daemon_domain() and the rule
for the --invoke-with support.  Using macros helps reduce
policy fragility/brittleness.

Change-Id: Ib7edc17469c47bde9edd89f0e6cf5cd7f90fdb76
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:

avc:  denied  { call } for  pid=257 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:adbd:s0 tclass=binder

avc:  denied  { call } for  pid=1002 comm="Binder_4" scontext=u:r:surfaceflinger:s0 tcontext=u:r:platform_app:s0 tclass=binder

avc:  denied  { open } for  pid=1468 comm="Binder_1" name="cmdline" dev="proc" ino=10222 scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=file

avc:  denied  { open } for  pid=1275 comm="Binder_5" name="cmdline" dev="proc" ino=38036 scontext=u:r:surfaceflinger:s0 tcontext=u:r:system_app:s0 tclass=file

Change-Id: I92147a1636b44a851d0e0e059f70ec8267cecf08
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I3b5e605ddcb601ae9958066ea20410dfe4c4bdf3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Address dnsmasq denials such as:

 avc:  denied  { use } for  pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fd
 avc:  denied  { read } for  pid=9145 comm="dnsmasq" path="pipe:[29234]" dev="pipefs" ino=29234 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file
 avc:  denied  { read write } for  pid=9145 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket
 avc:  denied  { read write } for  pid=9145 comm="dnsmasq" path="socket:[8221]" dev="sockfs" ino=8221 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket
 avc:  denied  { read write } for  pid=9523 comm="dnsmasq" path="socket:[7860]" dev="sockfs" ino=7860 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket
 avc:  denied  { read write } for  pid=9523 comm="dnsmasq" path="socket:[7862]" dev="sockfs" ino=7862 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket
 avc:  denied  { net_raw } for  pid=9607 comm="dnsmasq" capability=13  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
 avc:  denied  { net_admin } for  pid=9607 comm="dnsmasq" capability=12  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability

Change-Id: I2bd1eaf22879f09df76a073028cc282362eebeee
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I9355cd9bcbfeb55a7bebe580c0e5764263a5f5ab
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I764086a83d89d5c94c13400cab590933727d261b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:

avc:  denied  { connectto } for  pid=7028 comm="wfd_looper" path=006D636461656D6F6E scontext=u:r:mediaserver:s0 tcontext=u:r:tee:s0 tclass=unix_stream_socket

This is a socket in the abstract namespace so no socket file is involved.

Change-Id: Ia0e384c08063466cfd0f17af3bccf294c7f9dbbd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The system_server has duplicate/overlapping rules regarding
/proc/pid access as well as a lack of clarity on the reason
for the different rules.  Deduplicate the rules and clarify
the purpose of different sets of rules.

Replace the rules granting /proc/pid access for all domains with
specific rules only for domains that we know should be accessible
by the system_server, i.e. all apps (appdomain) and the set of
native processes listed in com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST.

Change-Id: Idae6fc87e19e1700cdc4bdbde521d35caa046d74
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The filename should be the same as the
domain with all the .te files.

Change-Id: Ib05eb84f881c680eb5bb43a4814cfb038fbff339
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

This is a world-readable directory anyway and will help to
address a small number of new denials.

Change-Id: I9e53c89a19da8553cbcbef8295c02ccaaa5d564c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

libsepol.check_assertion_helper: neverallow on line 8857 violated by allow system_server sdcard_external:file { ioctl read write getattr lock append open };
Error while expanding policy
make: *** [out/target/product/manta/obj/ETC/sepolicy_intermediates/sepolicy] Error 1

Change-Id: I181707ed66bad3db56f9084b3d9ba161d13b34bd

As per:
https://android-review.googlesource.com/#/c/84130/3/system_server.te@240


it is unsafe to allow such access.

Add a neverallow rule to prohibit any rules on sdcard_type in the
future.

Change-Id: Ife714b65b07144eb6228a048a55ba82181595213
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { call } for  pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc:  denied  { write } for  pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc:  denied  { write } for  pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc:  denied  { ptrace } for  pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc:  denied  { sigkill } for  pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc:  denied  { write } for  pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { unlink } for  pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { read write } for  pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { write } for  pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The previous patch wasn't sufficient. Allow the kill signal.

Addresses the following denial:

<5>[  775.819223] type=1400 audit(1393978653.489:18): avc:  denied  { sigkill } for  pid=118 comm="lmkd" scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=process

Bug: 13084787
Change-Id: I6af1ed4343b590049809a59e4f2797f6049f12e4

Resolves denials such as:
avc:  denied  { read } for  pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

avc:  denied  { getattr } for  pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolve denials such as:

avc:  denied  { getattr } for  pid=16226 comm="Thread-2096" path="socket:[414657]" dev="sockfs" ino=414657 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=5890 comm="FinalizerDaemon" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Iea7790aa4f8e24f3ec0d2c029933a3902333472e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>