The closure of /dev/socket/zygote occurs in the zygote child
process, after Zygote has dropped privileges and changed
SELinux domains. In Google's internal tree, socket closures
are following a different path, which is causing getopt/getattr
to be used on the file descriptor. This is generating a large
number of denials.

Allow the operations for now. getopt/getattr are fairly harmless.
Long term, we shouldn't be performing these operations on the
zygote socket.

Addresses the following denials:

18.352783   type=1400 audit(1386374111.043:7): avc:  denied  { getattr } for  pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.353088   type=1400 audit(1386374111.043:8): avc:  denied  { getopt } for  pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833251   type=1400 audit(1386374111.524:9): avc:  denied  { getattr } for  pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833557   type=1400 audit(1386374111.524:10): avc:  denied  { getopt } for  pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042419   type=1400 audit(1386374111.734:11): avc:  denied  { getattr } for  pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042724   type=1400 audit(1386374111.734:12): avc:  denied  { getopt } for  pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.182830   type=1400 audit(1386374111.874:14): avc:  denied  { getattr } for  pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.183105   type=1400 audit(1386374111.874:15): avc:  denied  { getopt } for  pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.235473   type=1400 audit(1386374111.924:16): avc:  denied  { getattr } for  pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12061011
Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9

Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses the following denials:

<5>[  170.166218] type=1400 audit(1386789488.029:57): avc:  denied  { getattr } for  pid=4352 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166356] type=1400 audit(1386789488.029:58): avc:  denied  { execute } for  pid=4352 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166841] type=1400 audit(1386789488.029:59): avc:  denied  { read open } for  pid=4389 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166962] type=1400 audit(1386789488.029:60): avc:  denied  { execute_no_trans } for  pid=4389 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file

Change-Id: Ic175ef7392897a3941c36db67dfa59ded35204b5

Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow apps to communicate with each other via pipes.
In particular, this fixes a bug where printing from Chrome wasn't
working.

  STEPS TO REPRODUCE:
  1. Launch Chrome
  2. From menu tap print and observe
        OR
  1. Launch Drive, Select any file (*.txt, *.doc. *.pdf.........)
  2. Select print

Addresses the following denials:

<5>[  122.352797] type=1400 audit(1386363998.374:18): avc:  denied  { write } for  pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248363] type=1400 audit(1386363999.264:19): avc:  denied  { getattr } for  pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248620] type=1400 audit(1386363999.264:20): avc:  denied  { write } for  pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file

Bug: 12032455
Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c

Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4

Change-Id: Ieda312d5607dd17af0bb70045fbaba8ddec38c94

Remove unconfined_domain() from the bluetooth app domain,
restore the rules from our policy, and move the neverallow
rule for bluetooth capabilities to bluetooth.te.
Make the bluetooth domain permissive again until it has
received sufficient testing.

Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Apps may need to access the USB Accessory interface, which
involves reads / writes / etc to /dev/usb_accessory
and /dev/bus/usb/*

See http://developer.android.com/guide/topics/connectivity/usb/accessory.html
for more information.

This addresses the following denials:

[   80.075727] type=1400 audit(1379351306.384:9): avc:  denied  { read write } for  pid=496 comm="Binder_1" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[   86.204387] type=1400 audit(1379304688.579:10): avc:  denied  { getattr } for  pid=1750 comm="Thread-126" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[ 2773.581032] type=1400 audit(1379307375.959:22): avc:  denied  { read write } for  pid=761 comm="Binder_A" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.590843] type=1400 audit(1379307375.969:23): avc:  denied  { getattr } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.591111] type=1400 audit(1379307375.969:24): avc:  denied  { ioctl } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file

Bug: 10780497
Change-Id: I9663222f7a75dcbf3c42788a5b8eac45e69e00bb

Shell domain can transition to other domains for runas, ping, etc.

Change-Id: If9aabb4f51346dc00a89d03efea25499505f278d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change synchronizes the AOSP set of neverallow rules for
app domains with our own.  However, as we exclude unconfineddomain
from each neverallow rule, it causes no breakage in the AOSP policy.
As app domains are confined, you will need to either adjust the
app domain or the neverallow rule according to your preference.
But our policy builds with all of these applied with all app domains
confined.

Change-Id: I00163d46a6ca3a87e3d742d90866300f889a0b11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00

Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The comment says that apps can read downloaded files, but the
file_type_auto_trans() macro expands to permit create/write access.
Also we don't need a type transition when staying in the same type
as the parent directory so we only truly need allow rules here.
Hence, we remove file_type_auto_trans() altogether, and add an allow
rule for search access to the directory.  If create/write access is
truly required, then we can just change the allow rules to use
rw_dir_perms and create_file_perms.

Change-Id: Icd71c9678419442cfd8088317317efd4332f9b4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te;
delete it from isolated_app.te.
binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it.

Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Fixes the following denial:

<5>[28362.335293] type=1400 audit(1378991198.292:24): avc:  denied  { execute } for  pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12

Bug: 10498304
Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74

Bug: 9859477
Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b

This is my first attempt at creating an enforcing SELinux domain for
apps, untrusted_apps, and isolated_apps. Much of these rules are based on the
contents of app.te as of commit 11153ef3
with extensive modifications, some of which are included below.

* Allow communication with netd/dnsproxyd, to allow netd to handle
  dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming
  the DAC allows access.

In addition, I added a bunch of "neverallow" rules, to assert that
certain capabilities are never added.

This change has a high probability of breaking someone, somewhere.
If it does, then I'm happy to fix the breakage, rollback this change,
or put untrusted_app into permissive mode.

Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35

app.te covers a lot of different apps types (platform_app, media_app,
shared_app, release_app, isolated_app, and untrusted_app), all
of which are going to have slightly different security policies.

Separate the different domains from app.te. Over time, these
files are likely to grow substantially, and mixing different domain types
is a recipe for confusion and mistakes.

No functional change.

Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f

For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

Change-Id: I91f6965dafad54e98e2f7deda956e86acf7d0c96

Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366

/data/app-private is used when making an
app purchase or forward locking. Provide a
new label for the directory as well as the
tmp files that appear under it.

Change-Id: I910cd1aa63538253e10a8d80268212ad9fc9fca5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Change-Id: I54af993bd478d6b8d0462d43950bb1a991131c82
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I8d46a809c08cd21b0d6c3173998035ab3cc79ada
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I013e08bcd82a9e2311a958e1c98931f53f6720c9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/data/app-private is used when making an
app purchase or forward locking. Provide a
new label for the directory as well as the
tmp files that appear under it.

Change-Id: I910cd1aa63538253e10a8d80268212ad9fc9fca5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Change-Id: I54af993bd478d6b8d0462d43950bb1a991131c82
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I8d46a809c08cd21b0d6c3173998035ab3cc79ada
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I013e08bcd82a9e2311a958e1c98931f53f6720c9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366