  1. Dec 08, 2015
      Change /dev/ion from read-only to read-write · 71fd337f
      Nick Kralevich authored
      Even though /dev/ion can allocate memory when opened in read-only mode,
      some processes seem to unnecessarily open it in read-write mode.
      This doesn't seem to be harmful, and was originally allowed in
      domain_deprecated. Re-allow it.
      
      Bug: 25965160
      Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
  2. Dec 07, 2015
      adbd: allow ddms screen capture to work again · 5e8402df
      Nick Kralevich authored
      The removal of domain_deprecated broke ddms screen capturing
      functionality.
      
      Steps to reproduce:
      
      1) Run "ddms"
      2) Select your device
      3) Go to the Device > Screen Capture menu
      4) Attempt to take a screenshot
      
      Addresses the following denials:
      
        avc: denied { read } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
        avc: denied { open } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
        avc: denied { ioctl } for pid=2728 comm="screencap" path="/dev/ion" dev="tmpfs" ino=7255 ioctlcmd=4905 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
        avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
        avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
      
      Bug: 26023462
      Change-Id: Ie77c65900de56756d5c9b99dcda1e20664151ed2
      adbd: allow "adb pull /sdcard/" · b899f4fc
      Nick Kralevich authored
      The removal of domain_deprecated broke the ability for adbd to
      pull files from /sdcard. Re-allow it.
      
      Addresses the following denials:
      
        avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
        avc: denied { getattr } for pid=2755 comm=73657276696365203431 path="/sdcard" dev="rootfs" ino=5472 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0
      
      Change-Id: I70257933f554abd008932c7f122dd0151f464b05
  3. Nov 28, 2015
      Remove domain_deprecated from adbd and shell · 8ca19368
      Nick Kralevich authored
      The extra permissions are not needed. Delete them.
      
      This change also adds read permission for /data/misc/zoneinfo
      back to all domains. libc references this directory for timezone
      related files, and it feels dangerous and of little value to
      try to restrict access. In particular, this causes problems when the
      shell user attempts to run "ls -la" to show file time stamps in
      the correct timezone.
      
      Bug: 25433265
      Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
  4. Nov 03, 2015
      Create attribute for moving perms out of domain · d22987b4
      Jeff Vander Stoep authored
      Motivation: Domain is overly permissive. Start removing permissions
      from domain and assign them to the domain_deprecated attribute.
      Domain_deprecated and domain can initially be assigned to all
      domains. The goal is to not assign domain_deprecated to new domains
      and to start removing domain_deprecated where it is not required or
      reassigning the appropriate permissions to the inheriting domain
      when necessary.
      
      Bug: 25433265
      Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
  6. Aug 25, 2015
      Only allow toolbox exec where /system exec was already allowed. · a3c97a76
      Stephen Smalley authored
      
      When the toolbox domain was introduced, we allowed all domains to exec it
      to avoid breakage.  However, only domains that were previously allowed the
      ability to exec /system files would have been able to do this prior to the
      introduction of the toolbox domain.  Remove the rule from domain.te and add
      rules to all domains that are already allowed execute_no_trans to system_file.
      Requires coordination with device-specific policy changes with the same Change-Id.
      
      Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  7. May 07, 2015
      Replace unix_socket_connect() and explicit property sets with macro · 2f5a6a96
      William Roberts authored
      
      A common source of mistakes when authoring sepolicy is properly
      setting up property sets. This is a 3 part step of:
      1. Allowing the unix domain connection to the init/property service
      2. Allowing write on the property_socket file
      3. Allowing the set on class property_service
      
      The macro unix_socket_connect() handled 1 and 2, but could be
      confusing for first time policy authors. 3 had to be explicitly
      added.
      
      To correct this, we introduce a new macro:
      set_prop(sourcedomain, targetprop)
      
      This macro handles steps 1, 2 and 3.
      
      No difference in sediff is expected.
      
      (cherrypicked from commit 625a3526)
      
      Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
      Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
      Replace unix_socket_connect() and explicit property sets with macro · 625a3526
      William Roberts authored
      
      A common source of mistakes when authoring sepolicy is properly
      setting up property sets. This is a 3 part step of:
      1. Allowing the unix domain connection to the init/property service
      2. Allowing write on the property_socket file
      3. Allowing the set on class property_service
      
      The macro unix_socket_connect() handled 1 and 2, but could be
      confusing for first time policy authors. 3 had to be explicitly
      added.
      
      To correct this, we introduce a new macro:
      set_prop(sourcedomain, targetprop)
      
      This macro handles steps 1, 2 and 3.
      
      No difference in sediff is expected.
      
      Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
      Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
  9. Apr 03, 2015
      Apps need more than just search. · 3bdc0abc
      Jeff Sharkey authored
      avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=3129 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=0
      
      Change-Id: I802321331e9bd7ae41d3af7ace39364240db6d84
      Consistent external storage policy. · 93fd6f0a
      Jeff Sharkey authored
      Apps, shell and adbd should all have identical access to external
      storage.  Also document where we have files and/or symlinks.
      
      Bug: 20055945
      Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
  11. Dec 15, 2014
      Restrict service_manager find and list access. · cd82557d
      dcashman authored
      All domains are currently granted list and find service_manager
      permissions, but this is not necessary.  Pare the permissions
      which did not trigger any of the auditallow reporting.
      
      Bug: 18106000
      Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
  13. Oct 22, 2014
      DO NOT MERGE: allow access to labeled executables in /system · 2c38b3b8
      Nick Kralevich authored
      Most files on /system are labeled with the "system_file" label, and
      are readable by default by all SELinux domains. However, select
      executables are labeled with their own label, so that SELinux knows
      what domains to enter upon running the executable.
      
      Allow adbd read access to labeled executables in /system. We do
      this by granting adbd read access to exec_type, the attribute
      assigned to all executables on /system.
      
      This allows "adb pull /system" to work without generating
      SELinux denials.
      
      Bug: 18078338
      Change-Id: I97783759af083968890f15f7b1d8fff989e80604
  17. Sep 08, 2014
      Annotate MLS trusted subjects and objects. · 45731c70
      Stephen Smalley authored
      
      When using MLS (i.e. enabling levelFrom= in seapp_contexts),
      certain domains and types must be exempted from the normal
      constraints defined in the mls file.  Beyond the current
      set, adbd, logd, mdnsd, netd, and servicemanager need to
      be able to read/write to any level in order to communicate
      with apps running with any level, and the logdr and logdw
      sockets need to be writable by apps running with any level.
      
      This change has no impact unless levelFrom= is specified in
      seapp_contexts, so by itself it is a no-op.
      
      Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  18. Jul 25, 2014
      Resync lmp-dev-plus-aosp with master · d065f048
      Nick Kralevich authored
      A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
      This is expected, but it's causing unnecessary merge conflicts
      when handling AOSP contributions.
      
      Resolve those conflicts.
      
      This is essentially a revert of bf696327
      for lmp-dev-plus-aosp only.
      
      Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c
  20. Jul 17, 2014
      Refine service_manager find auditallow statements. · 14aa7c06
      Riley Spahn authored
      Add adbd as a service_manager_local_audit_domain and negate
      surfaceflinger_service in its auditallow. Negate keystore_service
      and radio_service in the system_app auditallow.
      
      (cherry picked from commit 88157ea3)
      
      Change-Id: I25354db2add3135335c80be2c2d350e526137572
      Refine service_manager find auditallow statements. · 88157ea3
      Riley Spahn authored
      Add adbd as a service_manager_local_audit_domain and negate
      surfaceflinger_service in its auditallow. Negate keystore_service
      and radio_service in the system_app auditallow.
      
      Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
  22. Jul 10, 2014
      Remove domain:process from unconfined · a7c04dcd
      Nick Kralevich authored
      Prune down unconfined so it doesn't allow process access
      to all other domains. Use domain_trans() for transitions to
      seclabeled domains.
      
      Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
  23. Jun 08, 2014
      allow adb push to create directories. · 98b7ab53
      Nick Kralevich authored
      Addresses the following denial:
      
        type=1400 audit(0.0:24): avc: denied { create } for comm="adbd" name="md5sum" scontext=u:r:adbd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
      
      Change-Id: Ibb1708af85b2235cbad2794993cfeef896f8db4a
  24. Jun 05, 2014
      Allow adbd / shell /data/anr access · cb182aba
      Nick Kralevich authored
      The shell user needs to be able to run commands like
      "cat /data/anr/traces.txt". Allow it.
      
      We also need to be able to pull the file via adb.
      "adb pull /data/anr/traces.txt". Allow it.
      
      Addresses the following denials:
      
      <4>[   20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      <4>[   20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      <4>[   20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      <4>[   27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      
      Bug: 15450720
      
      (cherry picked from commit 4fd4a205)
      
      Change-Id: Ide6f62183a1c6e2af4cbe84bb0ebb928cd8e63b7
      Allow adbd / shell /data/anr access · 4fd4a205
      Nick Kralevich authored
      The shell user needs to be able to run commands like
      "cat /data/anr/traces.txt". Allow it.
      
      We also need to be able to pull the file via adb.
      "adb pull /data/anr/traces.txt". Allow it.
      
      Addresses the following denials:
      
      <4>[   20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      <4>[   20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      <4>[   20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      <4>[   27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      
      Bug: 15450720
      Change-Id: I767102a7182895112838559b0ade1cd7c14459ab
  25. Jun 03, 2014
      Remove obsolete vdc rule. · 24b56225
      Nick Kralevich authored
      As of system/core commit 225459a5da21e9397ca49b0d9af7d5fe3462706b,
      adbd no longer talks to vold. Remove the obsolete rule.
      
      Bug: 12504045
      Change-Id: I0a4f621afd8e5f8ab83219e7b0ff096c992d365f
  26. May 23, 2014
      Restrict requesting contexts other than policy-defined defaults. · 356f4be6
      Stephen Smalley authored
      
      Writing to the /proc/self/attr files (encapsulated by the libselinux
      set*con functions) enables a program to request a specific security
      context for various operations instead of the policy-defined defaults.
      The security context specified using these calls is checked by an
      operation-specific permission, e.g. dyntransition for setcon,
      transition for setexeccon, create for setfscreatecon or
      setsockcreatecon, but the ability to request a context at all
      is controlled by a process permission.  Omit these permissions from
      domain.te and only add them back where required so that only specific
      domains can even request a context other than the default defined by
      the policy.
      
      Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  27. Apr 15, 2014
      Label /dev/usb-ffs/adb functionfs · 77cc0550
      Nick Kralevich authored
      Newer adbd versions use functionfs instead of a custom adb usb gadget.
      Make sure the functionfs filesystem is properly labeled, and that adbd
      has access to the functionfs files.
      
      Once labeled, this addresses the following denials:
      
      <12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
      <12>[   16.127406] type=1400 audit(949060866.189:5): avc:  denied  { open } for  pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
      <12>[  377.366011] type=1400 audit(949061227.419:16): avc:  denied  { ioctl } for  pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
      
      Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
  28. Mar 12, 2014
      Allow adbd access to gpu_device. · 4d529383
      dcashman authored
      Addresses denials seen when attempting to take a screencapture from ddms:
      <5>[ 1232.327360] type=1400 audit(1393354131.695:41): avc:  denied  { read write } for  pid=18487 comm="screencap" name="nvhost-ctrl" dev="tmpfs" ino=4035 scontext=u:r:adbd:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
      
      Bug: 13188914
      
      (cherry picked from commit ddde8c29)
      
      Change-Id: I25c90a0f5dadf5f4e9f99cd27cf8740766a21aaa
      Allow adbd access to gpu_device. · ddde8c29
      dcashman authored
      Addresses denials seen when attempting to take a screencapture from ddms:
      <5>[ 1232.327360] type=1400 audit(1393354131.695:41): avc:  denied  { read write } for  pid=18487 comm="screencap" name="nvhost-ctrl" dev="tmpfs" ino=4035 scontext=u:r:adbd:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
      
      Bug: 13188914
      Change-Id: I758e4f87ab024035604d47eebae7f89f21ea1e3e
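Most of the commits above follow the same pattern: an "avc: denied" line is quoted and the matching allow rule (or the set_prop() macro from the William Roberts commit) is added to adbd.te. The following is an added example, not code from the Android sepolicy project or from any of the commit authors: an audit2allow-style pass that parses AVC lines of the shapes quoted in these messages (with and without the kernel audit prefix, with quoted or hex-encoded comm=, with or without permissive=), groups them by source domain, target type and class, and emits candidate rules. The property_service line in the sample input is constructed, and example_daemon/example_prop are made-up names; the example also assumes, as the set_prop commit message describes, that set_prop() expands to the socket-connect, socket-write and property set rules, so one macro call replaces three allow lines.

```python
import re
from collections import defaultdict

# Constructed input: AVC lines copied from the commit messages on this page,
# plus one constructed property_service denial (example_daemon/example_prop
# are made-up names, not real Android types) to exercise the set_prop path.
SAMPLE_DENIALS = """\
avc: denied { read } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for pid=2728 comm="screencap" path="/dev/ion" dev="tmpfs" ino=7255 ioctlcmd=4905 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
<4>[   20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
avc: denied { set } for pid=4242 comm="example_daemon" scontext=u:r:example_daemon:s0 tcontext=u:object_r:example_prop:s0 tclass=property_service permissive=0
"""

# "avc: denied { perm perm } for key=value key="value" ..." anywhere on the line,
# so the "<4>[ ... ] type=1400 audit(...):" prefix of the 2014 lines is harmless.
DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# permissive=0: the access was really blocked; permissive=1: logged but allowed.
PERMISSIVE = {"0": True, "1": False}


def decode_comm(raw):
    """The kernel hex-encodes comm= when it contains a space or other awkward
    byte, which is why "adb pull" denials show comm=73657276696365203530
    instead of a quoted string; decode that back to 'service 50'."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("ascii")
    except ValueError:
        return raw


def type_of(context):
    """u:r:adbd:s0 -> adbd, u:object_r:ion_device:s0 -> ion_device.
    MLS contexts such as u:r:untrusted_app:s0:c512,c768 split the same way."""
    return context.split(":")[2]


def parse_denial(line):
    """Turn one AVC line into a dict, or None if the line is not a denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "perms": set(m.group("perms").split()),
        "comm": decode_comm(fields.get("comm", "")),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": (fields.get("path") or fields.get("name") or "").strip('"'),
        # Older kernels (the 2014 lines above) print no permissive= field at
        # all, which is reported as None rather than guessed.
        "enforced": PERMISSIVE.get(fields.get("permissive")),
    }


def generate_rules(audit_text):
    """Group denials by (source, target, class) and emit candidate policy
    lines. These are starting points for review, not policy to paste in."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_denial(line)
        if d:
            grouped[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        if cls == "property_service":
            # Assumption: set_prop() expands to the three rules the commit
            # message above lists (connect to the init property socket, write
            # the socket file, set on the property type), so one call covers it.
            rules.append(f"set_prop({src}, {tgt})")
        else:
            rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_DENIALS):
        print(rule)
```

Two things the raw denial lines do not say by themselves: a permissive=1 line (the /dev/ion lines from the ddms commit) was allowed at the time and only logged, so it documents a gap rather than a breakage, while permissive=0 lines are the ones that actually broke "adb pull /sdcard/". And the emitted rules are candidates only; the commits on this page that remove domain_deprecated and narrow auditallow statements are the reverse process, and every generated allow line deserves the same question of whether adbd really needs it.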
  31. Feb 05, 2014
      Remove obsolete vdc rule. · 4e5dc85d
      Nick Kralevich authored
      As of system/core commit 225459a5da21e9397ca49b0d9af7d5fe3462706b,
      adbd no longer talks to vold. Remove the obsolete rule.
      
      Bug: 12504045
      Change-Id: I0a4f621afd8e5f8ab83219e7b0ff096c992d365f
  32. Jan 27, 2014
      Move adbd into enforcing (all build types) · f9563665
      Nick Kralevich authored
      adbd was only in enforcing for user builds. Commit
      Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6 allows us to move
      it into enforcing for everyone. Do it.
      
      Change-Id: Ie1a3e5361c891d2c9366e11f35699e3146cc3d88
  33. Jan 23, 2014
      Support running adbd in the su domain. · 7d0f955e
      Nick Kralevich authored
      When adbd runs as root, it transitions into the
      su domain. Add the various rules to support this.
      
      This is needed to run the adbd and shell domains in
      enforcing on userdebug / eng devices without breaking
      developer workflows.
      
      Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6