Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Add a compile time assertion that capabilities other than setuid
and setgid are never granted to run-as.

This is a compile time assertion only. No new capabilities are granted
or removed.

Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220

Otherwise denials like the following occur:

avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Steps to reproduce:

$ run-as com.google.android.talk id > /data/local/tmp/id.out
$ run-as com.google.android.talk cat < /data/local/tmp/id.out

(cherry picked from commit dd8571aa)

Change-Id: I80bb26e06d932229c286f0389f28ad6868d79100

Otherwise denials like the following occur:

avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Steps to reproduce:

$ run-as com.google.android.talk id > /data/local/tmp/id.out
$ run-as com.google.android.talk cat < /data/local/tmp/id.out

Change-Id: I68a7b804336a3d5776dcc31622f1279380282030

run-as won't communicate with shell via pipes. Allow it.

  nnk@nnk:~$ adb shell "cat /dev/zero | run-as com.google.foo sh -c 'cat'"
  /system/bin/sh: cat: <stdout>: Broken pipe

  <4>[ 1485.483517] type=1400 audit(1402623577.085:25): avc: denied { read } for pid=6026 comm="run-as" path="pipe:[29823]" dev="pipefs" ino=29823 scontext=u:r:runas:s0 tcontext=u:r:shell:s0 tclass=fifo_file

read is definitely needed. Not sure about write, but adding it just
in case.

(cherry picked from commit 6c9c5888)

Change-Id: Ifed6314588723063531982b45a56b902dfe32ea9

run-as won't communicate with shell via pipes. Allow it.

  nnk@nnk:~$ adb shell "cat /dev/zero | run-as com.google.foo sh -c 'cat'"
  /system/bin/sh: cat: <stdout>: Broken pipe

  <4>[ 1485.483517] type=1400 audit(1402623577.085:25): avc: denied { read } for pid=6026 comm="run-as" path="pipe:[29823]" dev="pipefs" ino=29823 scontext=u:r:runas:s0 tcontext=u:r:shell:s0 tclass=fifo_file

read is definitely needed. Not sure about write, but adding it just
in case.

Change-Id: Ifdf838b0df79a5f1e9559af57c2d1fdb8c41a201

Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I4b3dda1d08e8bfc523493f4b8d79a4cc3e7e7787
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

Some file types used as domain entrypoints were missing the
exec_type attribute.  Add it and add a neverallow rule to
keep it that way.

Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

- Remove dac_read_search as it is no longer required by run-as.
- Introduce a separate type for /dev/tty so that we can allow use of own tty for
for a run-as shell without allowing access to other /dev/tty[0-9]* nodes.
- Allow sigchld notifications for death of run-as and its descendants by adbd.
- Drop redundant rules for executing shell or system commands from untrusted_app;
now covered by rules in app.te.

Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

- Remove dac_read_search as it is no longer required by run-as.
- Introduce a separate type for /dev/tty so that we can allow use of own tty for
for a run-as shell without allowing access to other /dev/tty[0-9]* nodes.
- Allow sigchld notifications for death of run-as and its descendants by adbd.
- Drop redundant rules for executing shell or system commands from untrusted_app;
now covered by rules in app.te.

Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c

Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>