If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:

  sdcard  : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0

Allow the operation.

Steps to reproduce:

  1) adb shell into the device and su to root
  2) run "kill -9 [PID OF SDCARD]

Expected:

  sdcard daemon successfully restarts without error message.

Actual:

  SELinux denial above, plus attempts to mount a new filesystem
  on top of the existing filesystem.

(cherrypicked from commit abfd427a)

Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4

Change-Id: Id669fa1850edf2adee230e71bca2278f215e39f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

I/auditd(19949): type=1400 audit(0.0:71): avc:  denied  { write } for  comm="logcat" name="logd" dev="tmpfs" ino=5924 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file

Bug: 17323719
Change-Id: Id8399195196ffad884eef98030d544c68ed0596f

Bug: 16875245

(cherry picked from commit 372d0df7)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7

The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.

Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"

Expected:

  APK installs successfully.

Actual:

  APK fails to install. Error message:

    Vold  E  Failed to write superblock (I/O error)
    loop0  W  type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
    PackageHelper  E  Failed to create secure container smdl1645334795.tmp
    DefContainer  E  Failed to create container smdl1645334795.tmp

Bug: 17158723
Change-Id: I4aa86e372cc55348f6b8becfa17bd4da583925d4

Remove the CTS specific rule which allows appdomain processes
to view /proc entries for the rest of the system. With this change,
an SELinux domain will only be able to view it's own /proc
entries, e.g. untrusted_app can only view /proc entries for other
untrusted_app, system_app can only view /proc entries for other
system_apps, etc.

/proc contains sensitive information, and we want to avoid
leaking this information between app security domains.

Bug: 17254920
Change-Id: I59da37dde00107a5ab123df3b79a84afa855339f

Add a neverallow rule (compile time assertion) that no SELinux domain
other than init can set default_prop. default_prop is assigned to a
property when no more specific label exists for that property.

This ensures that all properties are labeled properly, and that
no-one (other than init) gets access to unknown properties.

Change-Id: If279960f23737e263d4d1b5face7b5c49cda7ae7

Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.

Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99

Init never uses binder, so allowing binder related operations
for init never makes sense. Disallow all binder opertions for
init.

This change expands on commit a730e50b,
disallowing any init binder operation, not just call operations, which
may be accidentally added by blindly running audit2allow.

Change-Id: I12547a75cf68517d54784873846bdadcb60c5112

Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash.  Full read permissions may not be necessary:

W/debuggerd(  185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir

Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164

Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow.  This verifier runs as
a priv-app, which is in the untrusted_app domain.  Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e

Add patchoat selinux rules.

Bug: 15358152

Change-Id: Ibe92d8b55a24bbf718b0416a21b76e5df7a2de26

The list of processes comes from frameworks/native/cmds/dumpstate/utils.c.
dumpstate calls dump_backtrace_to_file() for each such process, which
asks debuggerd to dump the backtrace.

Resolves denials such as:
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd

Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.

For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains).  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.

For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context.  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.

Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Bug: 16563899
Bug: 14251916
Change-Id: Id3172b73f10186ba361caf6b7333e5d2a0648475

Do not auditallow dumpstate as it is the only instance
of listing services seen so far.

Change-Id: I1c142cf5a3a745ea64b22f3a14b8395b24f2e1d0

As described in the system/core commit with the same Change-Id,
there's a race condition between installd and sdcard when it
comes to accessing /data/media. Resolve the race by checking
/data/.layout_version to make sure the filesystem has been upgraded.

Maybe indirectly fixes the following SELinux denial:

  sdcard  : type=1400 audit(0.0:3): avc: denied { write } for name="media" dev="mmcblk0p17" ino=102753 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir

(cherrypicked from commit 792d8650)

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b

Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.

Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.

Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add policies supporting SELinux MAC in DrmManagerservice.
Add drmservice class with verbs for each of the
functions exposed by drmservice.

Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e

Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7

Change-Id: I427c0f4828d45f2c43206c09cb37e3eb30455dee

Addresses the denial in charger mode:
[   17.993733] type=1400 audit(1405412231.119:4): avc:  denied  { search } for  pid=123 comm="charger" name="/" dev="pstore" ino=10287 scontext=u:r:healthd:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=0

Change-Id: I95e65753a99aa61ef86b8eebb7083b3d450e6b7b

Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Change-Id: I73d70ab04719a67f71e48ac795025f2ccd5da385
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0

Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb

The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission.   Required for:
https://android-review.googlesource.com/#/c/101800/



Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add com.android.net.IProxyService as a system_server_service
to service_contexts.

Bug: 16369427
Change-Id: I29ac87babe393f2fe3ce91c2d5eba9673d5a1be3

https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.

For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.

Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.

Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e

dex2oat fails when upgrading unlabeled asec containers.

Steps to reproduce:

1) Install a forward locked app on Android 4.1
  adb install -l foo.apk
2) Upgrade to tip-of-tree

Addresses the following denial:

  <4>[  379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: I58dc6ebe61a5b5840434077a55f1afbeed602137

Change-Id: I66a88b5dafc295e6daa9f4c0225aa593c97fe187