- Jan 09, 2014
Stephen Smalley authored
Otherwise all domains can create/write files that are executable by all other domains. If I understand correctly, this should only be necessary for app domains executing content from legacy unlabeled userdata partitions on existing devices and zygote and system_server mappings of dalvikcache files, so only allow it for those domains. If required for others, add it to the individual domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Robert Craig authored
Allow system_server to unlink sockets created by the wpa supplicant. This will resolve the following denial seen across multiple devices.

avc: denied { unlink } for pid=584 comm="WifiStateMachin" name="wlan0" dev=mmcblk0p10 ino=138762 scontext=u:r:system_server:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file

Change-Id: If3a8b1f270dfcd3dc6838eb8ac72e3d5004cc36d
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
-
- Jan 06, 2014
Nick Kralevich authored
mediaserver needs the ability to read media_rw_data_file files. Allow it. Similarly, this is also needed for drmserver. Addresses the following denials:

<5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also have read access to video_device:dir. Otherwise, the character devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074
-
- Jan 02, 2014
Stephen Smalley authored
tmpfs_domain() macro defines a per-domain type and allows access for tmpfs-backed files, including ashmem regions. execute-related permissions crept into it, thereby allowing write + execute to ashmem regions for most domains. Move the execute permission out of tmpfs_domain() to app_domain() and specific domains as required. Drop execmod for now; we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into binder_use() as it was common to many binder-using domains. Move it out of binder_use() to app_domain() and specific domains as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC. We already allow this for untrusted_app to support packaging of shared objects as assets but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Dec 19, 2013
Nick Kralevich authored
I'm only seeing this denial on one device (manta), but it feels like it should be part of the generic policy. I don't understand why it's happening on only one device. Addresses the following denial:

14.711671 type=1400 audit(1387474628.570:6): avc: denied { block_suspend } for pid=533 comm="InputReader" capability=36 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2

Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47
-
- Dec 17, 2013
Nick Kralevich authored
In 61dc3507, I forgot to allow system_server to run getopt/getattr on the zygote socket.

Bug: 12061011
Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6
-
- Dec 12, 2013
Stephen Smalley authored
Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Dec 06, 2013
Nick Kralevich authored
lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon called lmkd. ActivityManager communicates with this daemon over a named socket. This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10
-
- Dec 02, 2013
Stephen Smalley authored
Change-Id: I10006f43c142f07168e2ea0f4f5f7af68d03e504
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Nov 11, 2013
Stephen Smalley authored
Otherwise you get denials such as:

type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Nov 07, 2013
Stephen Smalley authored
Remove unconfined_domain() and add the allow rules required for operation of healthd. Restore the permissive declaration until I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4 kernel.

Resolves the following denials in 4.4:

type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file
type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
shell@generic:/ $
type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder
type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
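The allow rules these commits add are derived from avc denial lines like the ones quoted above. As an added example (not code from the AOSP sepolicy project), this Python parser turns denial lines taken from this page into candidate allow rules, collapsing same-context denials to `self` and flagging a permission the running policy only knows as a raw bit (the `{ 0x10 }` capability2 line) instead of emitting a rule for it:

```python
import re
from collections import defaultdict

# Denial lines taken from the commit messages above (dmesg/audit prefixes stripped).
DENIALS = """
avc: denied { unlink } for pid=584 comm="WifiStateMachin" name="wlan0" dev=mmcblk0p10 ino=138762 scontext=u:r:system_server:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file
avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
"""

DENIAL_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return (perms, fields) for one avc line, or None if it is not a denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return m.group('perms').split(), fields

def denials_to_rules(text):
    """Group denials into allow rules; also return lines whose permission is a raw
    bit (e.g. 0x10) that the loaded policy cannot name, which need a human look."""
    perms_by_key = defaultdict(set)
    unknown = []
    for line in text.splitlines():
        parsed = parse_denial(line)
        if not parsed:
            continue
        perms, f = parsed
        # u:r:system_server:s0 -> system_server, u:object_r:wpa_socket:s0 -> wpa_socket
        src, tgt = (f[k].split(':')[2] for k in ('scontext', 'tcontext'))
        target = 'self' if f['scontext'] == f['tcontext'] else tgt
        for p in perms:
            if re.fullmatch(r'[a-z_]+', p):
                perms_by_key[(src, target, f['tclass'])].add(p)
            else:
                unknown.append(line.strip())
    rules = ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(ps)))
             for (s, t, c), ps in sorted(perms_by_key.items())]
    return rules, unknown

if __name__ == '__main__':
    rules, unknown = denials_to_rules(DENIALS)
    print('\n'.join(rules))
    print('\n'.join('# unnamed permission, check policy/kernel: ' + u for u in unknown))
```

The output is only a starting point: each candidate rule still needs the review the commit messages above describe, i.e. whether the access is really needed by that domain or should be narrowed to a specific type rather than granted broadly.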
-
- Nov 01, 2013
Nick Kralevich authored
Otherwise we break "adb root && adb shell svc power reboot", which has the side effect of killing all of our test automation (oops).

Bug: 11477487
Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631
-
Nick Kralevich authored
Allow writing to persist.sys and debug. This addresses the following denials (which are actually being enforced):

<4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl
<4>[ 132.630062] avc: denied { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[ 132.630184] init: sys_prop: permission denied uid:1000 name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
-
- Oct 29, 2013
Stephen Smalley authored
Change-Id: Ia0de9d739575c34a7391db5f0be24048d89a7bd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Oct 21, 2013
Nick Kralevich authored
This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work. When we're ready to tighten up the rules for these domains, we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
-
- Oct 14, 2013
Nick Kralevich authored
"allow system apk_private_tmp_file:file relabelto" was already added as part of 217f8afc (https://android-review.googlesource.com/64890) and was added again as part of commit 81ee5898. It should not be here twice.

Change-Id: Ia7515f72ee6d9579ba52d72fcb0754733a2f6c27
-
- Oct 03, 2013
William Roberts authored
Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1
-
Alex Klyubin authored
/dev/hw_random is accessed only by init and by EntropyMixer (which runs inside system_server). Other domains are denied access because apps/services should be obtaining randomness from the Linux RNG.

Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
-
- Sep 27, 2013
Stephen Smalley authored
Otherwise it defaults to the label of /data/system and cannot be distinguished from any other socket in that directory. Also adds allow rule required for pre-existing wpa_socket transition to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Sep 17, 2013
Alex Klyubin authored
This CL completes the renaming of domain system to system_server by removing the "system" typealias that was temporarily added to avoid breaking the build while the rename CLs are landing.

Change-Id: I05d11571f0e3d639026fcb9341c3476d44c54fca
-
Alex Klyubin authored
This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
-