  1. Jun 08, 2017
    • Revert "Split mediaprovider from priv_app." · cb5129f9
      Jerry Zhang authored
      This reverts commit c147b592.
      
      The new domain changed neverallows, breaking CTS compatibility.
      Revert the domain now, with the intention to re-add for the next
      release.
      
      Bug: 62102757
      Test: domain is set to priv_app
      Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005
  2. Apr 17, 2017
    • Split mediaprovider from priv_app. · c147b592
      Jerry Zhang authored
      MediaProvider requires permissions that diverge from those
      of a typical priv_app. This creates a new domain and removes
      Mtp related permissions from priv_app.
      
      Bug: 33574909
      Test: Connect with MTP, download apps and files, select ringtones
      Test: DownloadProvider instrument tests, CtsProviderTestCases
      
      Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
    • Split mediaprovider as a separate domain from priv_app · 9f152d98
      Jerry Zhang authored
      MediaProvider requires permissions that diverge from those
      of a typical priv_app. This creates a new domain and removes
      Mtp related permissions from priv_app.
      
      Bug: 33574909
      Test: Connect with MTP, download apps and files, select ringtones
      Test: DownloadProvider instrument tests, CtsProviderTestCases
      
      Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
  4. Feb 21, 2017
    • Add new untrusted_v2_app domain · a782a816
      Chad Brubaker authored
      untrusted_v2_app is basically a refinement of untrusted_app with legacy
      capabilities removed and potentially backwards incompatible changes.
      
      This is not currently hooked up to anything.
      
      Bug: 33350220
      Test: builds
      Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
  5. Feb 14, 2017
    • untrusted_app: policy versioning based on targetSdkVersion · bacb6d79
      Jeff Vander Stoep authored
      Motivation:
      Provide the ability to phase in new security policies by
      applying them to apps with a minimum targetSdkVersion.
      
      Place untrusted apps with targetSdkVersion<=25 into the
      untrusted_app_25 domain. Apps with targetSdkVersion>=26 are placed
      into the untrusted_app domain. Common rules are included in the
      untrusted_app_all attribute. Apps with a more recent targetSdkVersion
      are granted fewer permissions.
      
      Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
      run in untrusted_app_25 domain. Apps targeting the current development
      build >=26 run in the untrusted_app domain with fewer permissions. No
      new denials observed during testing.
      Bug: 34115651
      Bug: 35323421
      Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
    • Add minTargetSdkVersion input selector to seapp_contexts · f54b3622
      Michael Peck authored
      This new input selector allows phasing in new security policies by
      giving app developers an opportunity to make any needed compatibility
      changes before updating each app's targetSdkVersion.
      
      When all else is equal, matching entries with higher
      minTargetSdkVersion= values are preferred over entries with lower
      minTargetSdkVersion= values.
      
      Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
      run in untrusted_app_25 domain. Apps targeting the current development
      build >=26 run in the untrusted_app domain with fewer permissions. No
      new denials observed during testing.
      Bug: 34115651
      Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806
  8. Dec 13, 2016
    • Partially revert "mediaprovider" SELinux domain. · 52da39d9
      Jeff Sharkey authored
      The new domain wasn't fully tested, and it caused many regressions
      on the daily build.  Revert back to using "priv_app" domain until we
      can fully test and re-land the new domain.
      
      Temporarily add the USB functionfs capabilities to priv_app domain
      to keep remainder of MtpService changes working; 33574909 is tracking
      removing that from the priv_app domain.
      
      Test: builds, boots, verified UI and downloads
      Bug: 33569176, 33568261, 33574909
      Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb
  9. Dec 12, 2016
    • Move MediaProvider to its own domain, add new MtpServer permissions · f921dd9c
      Jerry Zhang authored
      Also move necessary priv_app permissions into MediaProvider domain and
      remove MediaProvider specific permissions from priv_app.
      
      The new MtpServer permissions fix the following denials:
      
      avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1
      
      denial from setting property sys.usb.ffs.mtp.ready, context priv_app
      
      Bug: 30976142
      Test: Manual, verify permissions are allowed
      Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4
  11. Oct 06, 2016
    • Split general policy into public and private components. · cc39f637
      dcashman authored
      Divide policy into public and private components.  This is the first
      step in splitting the policy creation for platform and non-platform
      policies.  The policy in the public directory will be exported for use
      in non-platform policy creation.  Backwards compatibility with it will
      be achieved by converting the exported policy into attribute-based
      policy when included as part of the non-platform policy and a mapping
      file will be maintained to be included with the platform policy that
      maps exported attributes of previous versions to the current platform
      version.
      
      Eventually we would like to create a clear interface between the
      platform and non-platform device components so that the exported policy,
      and the need for attributes is minimal.  For now, almost all types and
      avrules are left in public.
      
      Test: Tested by building policy and running on device.
      
      Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
  12. Nov 09, 2015
    • Add autoplay_app domain · 400d3ac1
      Jeff Vander Stoep authored
      Initial check in of empty autoplay_app.te policy file.
      
      Create isAutoPlayApp input selector. Give this selector high precedence -
      only below isSystemServer.
      
      Add neverallow rule disallowing an app context with isAutoPlayApp=true from
      running in a domain other than autoplay_app.
      
      Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4
  14. Jun 25, 2015
    • check_seapp: add support for "neverallow" checks · 81e1f90c
      William Roberts authored
      
      Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
      similar to the existing key-value-pair entries but the line begins
      with "neverallow". A neverallow violation is detected when all keys,
      both inputs and outputs are matched. The neverallow rules value
      parameter (not the key) can contain regular expressions to assist in
      matching. Neverallow rules are never output to the generated
      seapp_contexts file.
      
      Also, unless -o is specified, checkseapp runs in silent mode and
      outputs nothing. Specifying - as an argument to -o outputs to stdout.
      
      Sample Output:
      Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"
      
      Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
      Signed-off-by: William Roberts <william.c.roberts@intel.com>
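The neverallow check described in this commit, and the isAutoPlayApp neverallow that the autoplay_app commit above adds, as a small Python model. This is an added example for this page, not check_seapp's C code; the input file is constructed (modelled on the sample output above and on the isAutoPlayApp rule as that commit describes it), and the line numbers in the result are those of the constructed input, not of the real seapp_contexts.

```python
"""Model of the check_seapp "neverallow" pass over seapp_contexts.

Added example for this history page; it is not check_seapp's C code and the
input below is constructed. A neverallow line carries the same key=value
pairs as an ordinary entry, its values are regular expressions, an entry
violates it when every key of the rule is present in the entry with a
matching value, and neverallow lines never reach the generated file.
"""
import re

SAMPLE = """\
neverallow user=((?!system).)* domain=system_app
neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
user=system seinfo=platform domain=system_app type=system_app_data_file
isAutoPlayApp=true domain=autoplay_app type=app_data_file levelFrom=user
user=fake domain=system_app type=app_data_file
isAutoPlayApp=true user=_app domain=untrusted_app type=app_data_file
"""


def parse_kv(line):
    """'k1=v1 k2=v2' -> {'k1': 'v1', 'k2': 'v2'}; values keep their regex text."""
    return dict(kv.split("=", 1) for kv in line.split())


def load(text):
    """Split a file into (lineno, rule) neverallow rules and (lineno, entry) entries."""
    rules, entries = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("neverallow"):
            rules.append((lineno, parse_kv(line[len("neverallow"):])))
        else:
            entries.append((lineno, parse_kv(line)))
    return rules, entries


def violates(entry, rule):
    """True when every key of the rule exists in the entry and fully matches its pattern."""
    return all(key in entry and re.fullmatch(pattern, entry[key]) is not None
               for key, pattern in rule.items())


def check(text):
    """Return (entry lineno, rule lineno) pairs, one per violation."""
    rules, entries = load(text)
    return [(elineno, rlineno)
            for elineno, entry in entries
            for rlineno, rule in rules
            if violates(entry, rule)]


def report(text, path="seapp_contexts"):
    """Messages in the shape of the sample output in the commit message."""
    lines = text.splitlines()
    return ['Error: Rule in File "%s" on line %d: "%s" violates neverallow in File "%s" on line %d: "%s"'
            % (path, e, lines[e - 1].strip(), path, r, lines[r - 1].strip())
            for e, r in check(text)]


def emit(text):
    """The generated file: entries only, neverallow lines dropped."""
    return [" ".join("%s=%s" % kv for kv in entry.items()) for _, entry in load(text)[1]]


if __name__ == "__main__":
    for msg in report(SAMPLE):
        print(msg)
    print("\n".join(emit(SAMPLE)))
```

Two of the four entries in the constructed input are flagged: `user=fake` falls under the `((?!system).)*` pattern exactly as in the commit's sample, and an `isAutoPlayApp=true` entry that lands in `untrusted_app` is caught by the autoplay rule, while the entry that lands in `autoplay_app` is not. Note that `re.fullmatch` is used so a pattern such as `system_app` cannot match `system_app_foo` by prefix.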
  16. Jan 07, 2015
    • restore shared_relro functionality · b5ffbb7e
      Nick Kralevich authored
      Commit 92dfa31f added "seinfo=platform"
      to all fixed UID domains. However, that caused problems for shared_relro.
      shared_relro runs like an isolated app, and doesn't have an seinfo field
      associated with it.
      
      This causes a crash when system_server attempts to start shared_relro.
      
        W art     : PreZygoteFork called when we already have a zygote space.
        E SELinux : seapp_context_lookup:  No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a
        E SELinux : selinux_android_setcontext:  Error setting context for app with uid 1037, seinfo (null): Success
        E Zygote  : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed
        F art     : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort
        I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a
        W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
        W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
        F art     : art/runtime/runtime.cc:331] Runtime aborting...
        F art     : art/runtime/runtime.cc:331] Aborting thread:
        F art     : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native
        F art     : art/runtime/runtime.cc:331]   | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800
        F art     : art/runtime/runtime.cc:331]   | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80
        F art     : art/runtime/runtime.cc:331]   | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
        F art     : art/runtime/runtime.cc:331]   | stack=0xbe39d000-0xbe39f000 stackSize=8MB
        F art     : art/runtime/runtime.cc:331]   | held mutexes= "abort lock" "mutator lock"(shared held)
        F art     : art/runtime/runtime.cc:331]   kernel: (couldn't read /proc/self/task/1176/stack)
        F art     : art/runtime/runtime.cc:331]   native: (backtrace::Unwind failed for thread 1176)
        F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method)
        F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91)
        F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227)
      
      removing seinfo=platform from shared_relro fixed this bug, but then
      revealed two new SELinux denials:
      
        E SELinux : avc:  denied  { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
        E SELinux : avc:  denied  { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
      
      Add the needed SELinux rule.
      
      Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
  18. Sep 23, 2014
    • Enable per-user isolation for normal apps. · a833763b
      Stephen Smalley authored
      
      Add levelFrom=user to the entries for apps other than those
      that run in the predefined platform UIDs (e.g. system, nfc, radio, ...).
      This causes libselinux to assign a per-user category set computed from
      the user ID portion of the Linux UID to each app process and its
      /data/data/<pkgdir> or /data/user/N/<pkgdir> directory.  These
      per-user category sets can be seen in the last field of ps -Z output for
      apps and ls -Z /data/data or /data/user/N output for the package
      directories.
      
      With this applied, apps running on behalf of one user cannot read
      or write files created by apps running on behalf of another user,
      even if the file is world-readable or -writable.  Similar isolation is
      enforced over process interactions (including /proc/pid file access),
      local socket communications, and System V IPC, as expressed in the
      set of constraints defined in the mls configuration.  At present,
      Binder IPC is not restricted by the mls configuration; if desired,
      there is a constraint in the configuration that can be uncommented
      to also apply isolation on direct binder IPC, although communication
      will still be possible indirectly via the system_server.
      
      Bug: 13507660
      Change-Id: I3972f846ff5e7363799ba521f1258d662b18d64e
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    • Define SELinux policy for RELRO sharing support. · 9786af2b
      Torne (Richard Coles) authored
      Define a domain and appropriate access rules for shared RELRO files
      (used for loading the WebView native library). Any app is permitted to
      read the files as they are public data, but only the shared_relro
      process is permitted to create/update them.
      
      Bug: 13005501
      Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e
  22. May 07, 2014
    • Label app data directories for system UID apps with a different type. · 91a4f8d4
      Stephen Smalley authored
      
      We were using system_data_file for the /data/data directories of
      system UID apps to match the DAC ownership of system UID shared with
      other system files.  However, we are seeing cases where files created
      in these directories must be writable by other apps, and we would like
      to avoid allowing write to system data files outside of these directories.
      So introduce a separate system_app_data_file type and assign it.
      This should also help protect against arbitrary writes by system UID
      apps to other system data directories.
      
      This resolves the following denial when cropping or taking a user photo
      for secondary users:
      avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
      
      avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
      
      Bug: 14604553
      Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  23. Apr 04, 2014
    • Coalesce shared_app, media_app, release_app into untrusted_app. · 9ba844fe
      Stephen Smalley authored
      
      This change folds the shared_app, media_app, and release_app
      domains into untrusted_app, reducing the set of app domains down
      to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
      nfc, radio), a single domain for apps signed by the platform key
      (platform_app), and a single domain for all other apps (untrusted_app).
      Thus, SELinux only distinguishes when already distinguished by a predefined
      Android ID (AID) or by the platform certificate (which get the signature-only
      Android permissions and thus may require special OS-level accesses).
      
      It is still possible to introduce specific app domains for specific
      apps by adding signer and package stanzas to mac_permissions.xml,
      but this can be done on an as-needed basis for specialized apps that
      require particular OS-level permissions outside the usual set.
      
      As there is now only a single platform app domain, get rid of the
      platformappdomain attribute and platform_app_domain() macro.  We used
      to add mlstrustedsubject to those domains but drop this since we are not
      using MLS in AOSP presently; we can revisit which domains need it if/when
      we use MLS.
      
      Since we are dropping the shared, media, and release seinfo entries from
      seapp_contexts, drop them from mac_permissions.xml as well.  However,
      we leave the keys.conf entries in case someone wants to add a signer
      entry in the future for specific apps signed by those keys to
      mac_permissions.xml.
      
      Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    • Move shell entry up with other platform UID entries. · 6d8fa695
      Stephen Smalley authored
      
      This is a trivial change to seapp_contexts to force a relabel
      of /data/data directories by PMS/installd by yielding a
      different hash value for comparison against /data/system/seapp_hash.
      This change does not alter any actual app process or data directory
      labeling decisions.  The seapp_contexts entries are sorted upon
      loading by libselinux to match the precedence rules described
      in the comment header, so ordering in this file should not matter.
      
      This should not be merged before the code changes with the same Change-Id.
      
      Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  26. Mar 13, 2014
    • Get rid of separate platform_app_data_file type. · dc88dca1
      Stephen Smalley authored
      
      The original concept was to allow separation between /data/data/<pkgdir>
      files of "platform" apps (signed by one of the four build keys) and
      untrusted apps.  But we had to allow read/write to support passing of
      open files via Binder or local socket for compatibility, and it seems
      that direct open by pathname is in fact used in Android as well,
      only passing the pathname via Binder or local socket.  So there is no
      real benefit to keeping it as a separate type.
      
      Retain a type alias for platform_app_data_file to app_data_file until
      restorecon /data/data support is in place to provide compatibility.
      
      Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  28. Feb 19, 2014
    • Add support for and use new path= specifier in seapp_contexts. · 6139de50
      Stephen Smalley authored
      
      Extend check_seapp to accept the use of the new path= specifier
      in seapp_contexts and use it to ensure proper labeling of the cache
      subdirectory of com.android.providers.downloads for restorecon.
      
      After this change, restorecon /data/data/com.android.providers.downloads/cache
      does not change the context, leaving it in download_file rather than
      relabeling it to platform_app_data_file.
      
      Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.
      
      Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  29. Sep 17, 2013
    • 1/2: Rename domain "system" to "system_server". · 1fdee11d
      Alex Klyubin authored
      This is a follow-up CL to the extraction of "system_app" domain
      from the "system" domain which left the "system" domain encompassing
      just the system_server.
      
      Since this change cannot be made atomically across different
      repositories, it temporarily adds a typealias "server" pointing to
      "system_server". Once all other repositories have been switched to
      "system_server", this alias will be removed.
      
      Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
  30. Jun 27, 2013
    • Add "shell" to seapp_contexts · 86acb177
      Nick Kralevich authored
      In the process of taking a bugreport, "dumpstate -B" will instruct
      zygote to fire up com.android.shell, which runs as UID=2000.
      This transition was not included in seapp_contexts, so zygote
      didn't know how to properly set the context for the shell user.
      
      Add an entry to allow zygote to know what to do with UID=2000
      requests.
      
      Bug: 9588981
      Change-Id: I2e726be8d58437ef1de3bcbad3b897a97ed18e22
    • Add "shell" to seapp_contexts · 59444368
      Nick Kralevich authored
      In the process of taking a bugreport, "dumpstate -B" will instruct
      zygote to fire up com.android.shell, which runs as UID=2000.
      This transition was not included in seapp_contexts, so zygote
      didn't know how to properly set the context for the shell user.
      
      Add an entry to allow zygote to know what to do with UID=2000
      requests.
      
      Bug: 9588981
      Change-Id: I2e726be8d58437ef1de3bcbad3b897a97ed18e22
  34. Mar 20, 2013
    • Generalize levelFromUid support. · 38084146
      Stephen Smalley authored
      
      Introduce a levelFrom=none|app|user|all syntax for specifying
      per-app, per-user, or per-combination level assignment.
      levelFromUid=true|false remains valid syntax but is deprecated.
      levelFromUid=true is equivalent to levelFrom=app.
      
      Update check_seapp to accept the new syntax.
      Update seapp_contexts to document the new syntax and switch
      from levelFromUid=true to levelFrom=app.  No change in behavior.
      
      Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  35. Nov 19, 2012
    • Update policy for Android 4.2 / latest master. · 61c80d5e
      Stephen Smalley authored
      
      Update policy for Android 4.2 / latest master.
      Primarily this consists of changes around the bluetooth subsystem.
      The zygote also needs further permissions to set up /storage/emulated.
      adbd service now gets a socket under /dev/socket.
      keystore uses the binder.
      
      Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  36. Oct 16, 2012
    • allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access · f26d8130
      Joshua Brindle authored
      
      - allow all apps to connect to the keystore over unix socket
      - dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
      - mtp connects to dnsproxyd when a pptp vpn connection is established
      - allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
      - WifiWatchDog uses packet_socket when wifi comes up
      - apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
      - for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject
      
      Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
      Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
  37. Sep 24, 2012
    • Switch app_* and isolated to _app and _isolated in seapp_contexts. · 3ac1d26a
      Stephen Smalley authored
      
      The app_* syntax was a legacy of the original approach of looking up
      the username returned by getpwuid() and the original username encoding
      scheme by bionic.  With the recent changes to move away from this approach,
      there is no reason to retain that syntax.  Instead, just use _app to match
      app UIDs and _isolated to match isolated service UIDs.  The underscore
      prefix is to signify that these are not real usernames and to avoid
      conflicts with any system usernames.
      
      Requires a corresponding change to libselinux.
      
      Change-Id: Ic388a12c1c9d3e47386c8849db607140ef8a3d75
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
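Several commits in this history describe one mechanism from different sides: the `_app` / `_isolated` user matching introduced here, the `levelFrom=` category assignment (the "Generalize levelFromUid support" and "Enable per-user isolation" commits), the `minTargetSdkVersion=` precedence rule (the two Feb 14, 2017 commits), and the lookup failure that aborts zygote when nothing matches (the shared_relro commit). The Python below models that lookup end to end. It is an added example for this page, not libselinux's or AOSP's code: the entries are constructed, the AID range constants are Android's usual values, and the exact category arithmetic is an assumption modelled on libselinux's `seapp_context_lookup` (for Android user 0 it produces `s0:c512,c768`, the level that appears in the priv_app denial quoted in the "Move MediaProvider to its own domain" commit). `name=`, `path=` and seinfo prefix matching are left out.

```python
"""Model of the seapp_contexts lookup that zygote performs through libselinux.

Added example for this history page, not libselinux's or AOSP's code. The
entries are constructed. Modelled: user=_app / user=_isolated matching,
seinfo= and isSystemServer= matching, minTargetSdkVersion= precedence and
levelFrom=app|user|all category assignment. The category arithmetic below
is an assumption modelled on libselinux: for Android user 0 it gives
s0:c512,c768. name= and path= matching and seinfo prefixes are left out.
"""

AID_APP = 10000             # first application UID
AID_ISOLATED_START = 99000  # start of the isolated service UID range
AID_USER = 100000           # UIDs per Android user: userid = uid // AID_USER

# Constructed entries, not the real file. Precedence is decided by
# precedence() below, so the order here does not matter.
SEAPP_CONTEXTS = """
isSystemServer=true domain=system_server
user=system seinfo=platform domain=system_app type=system_app_data_file
user=shell seinfo=platform domain=shell type=shell_data_file
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
"""


def parse(text):
    """One dict of key=value pairs per non-empty, non-comment line."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def classify_uid(uid):
    """Linux UID -> (userid, appid relative to its range, user= class or None)."""
    userid, appid = divmod(uid, AID_USER)
    if appid < AID_APP:
        return userid, appid, None                       # fixed AID (system, shell, ...)
    if appid < AID_ISOLATED_START:
        return userid, appid - AID_APP, "_app"
    return userid, appid - AID_ISOLATED_START, "_isolated"


def matches(entry, uid, pw_name, seinfo, target_sdk, is_system_server):
    """Input-selector check; pw_name is the AID name for fixed UIDs."""
    _, _, user_class = classify_uid(uid)
    if (entry.get("isSystemServer", "false") == "true") != is_system_server:
        return False
    if "user" in entry and entry["user"] != (user_class or pw_name):
        return False
    if "seinfo" in entry and entry["seinfo"] != seinfo:
        return False
    return target_sdk >= int(entry.get("minTargetSdkVersion", 0))


def precedence(entry):
    """Larger tuple wins, following the ordering in the seapp_contexts header."""
    user = entry.get("user")
    return (
        entry.get("isSystemServer") == "true",
        user is not None,
        user is not None and not user.startswith("_"),   # fixed name before _app/_isolated
        "seinfo" in entry,
        "name" in entry,
        int(entry.get("minTargetSdkVersion", 0)),        # higher minTargetSdkVersion first
        "path" in entry,
    )


def level_for(entry, uid):
    """Base level plus the category pair(s) selected by levelFrom=."""
    userid, appid, _ = classify_uid(uid)
    cats = []
    level_from = entry.get("levelFrom", "none")
    if level_from in ("app", "all"):                     # per-app pair from the app id
        cats += [appid & 0xFF, 256 + ((appid >> 8) & 0xFF)]
    if level_from in ("user", "all"):                    # per-user pair from the user id
        cats += [512 + (userid & 0xFF), 768 + ((userid >> 8) & 0xFF)]
    base = entry.get("level", "s0")
    return base if not cats else base + ":" + ",".join("c%d" % c for c in cats)


def lookup(entries, uid, pw_name=None, seinfo=None, target_sdk=0, is_system_server=False):
    """Return (process context, data directory context or None) for one app."""
    candidates = [e for e in entries
                  if matches(e, uid, pw_name, seinfo, target_sdk, is_system_server)]
    if not candidates:                                   # zygote aborts in this case
        raise LookupError("No match for app with uid %d, seinfo %s" % (uid, seinfo))
    best = max(candidates, key=precedence)
    level = level_for(best, uid)
    proc = "u:r:%s:%s" % (best["domain"], level)
    data = "u:object_r:%s:%s" % (best["type"], level) if "type" in best else None
    return proc, data


if __name__ == "__main__":
    entries = parse(SEAPP_CONTEXTS)
    # Same app id under user 0 and user 10, before and after targetSdkVersion 26.
    for uid, sdk in ((10045, 25), (10045, 26), (1010045, 26), (99001, 26)):
        print(uid, sdk, lookup(entries, uid, seinfo="default", target_sdk=sdk))
```

Two things are worth checking by hand. An app with targetSdkVersion 25 lands in `untrusted_app_25` while the same app targeting 26 lands in `untrusted_app`, because the higher `minTargetSdkVersion=` entry wins once both match; a `seinfo=platform` entry still outranks either, since seinfo is compared before minTargetSdkVersion. And the same app id run under Android user 10 gets `c522` instead of `c512`, which is the per-user category difference the MLS constraints act on. An entry such as `user=shared_relro seinfo=platform domain=shared_relro` looked up with a null seinfo yields no candidate at all, the "No match for app with uid 1037, seinfo (null)" situation in the shared_relro commit; dropping `seinfo=platform` from that entry makes it match again.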