When installd clears cached files on external storage, the sdcardfs
kernel filesystem needs to be kept in the loop to release any cached
dentries that it's holding onto.  (Otherwise the underlying disk
space isn't actually released.)

installd can already delete the underlying files directly (via the
media_rw_data_file rules), so this technically isn't expanding its
capabilities.

avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Bug: 37486230
Change-Id: Icfd00a9ba379b1f50c48fe85849304cf9859bcb2

This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0

Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376

Whether a device is full Treble or not, omx should be able to
access vndbinder

Test: (sanity) oc-dev marlin boots + YouTube + lshal
Fixes: 37528973
Change-Id: Idd734b42c7dfe3e09e544680a6893b03910ecd3e

Bug:  37713584
Test: With GtsMediaTestCases.apk installed, try:
      adb shell am instrument -w
      -e class 'com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC'
      'com.google.android.media.gts/android.support.test.runner.AndroidJUnitRunner'

Change-Id: Icc2066e9d9bbc5c020b6d694e9627487771ef35e

The linker now requires getattr rights for the filesystem. Otherwise
linking otapreopt and patchoat/dex2oat will fail.

Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b84)

Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5

Test: bit FrameworksCoreTests:android.view.textclassifier.TextClassificationManagerTest
Bug: 34780396
Change-Id: I8b98fef913df571e55474ea2529f71750874941c

Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit ad41fa8d)

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

Test: gts-tradefed run gts -m GtsMediaTestCases -t com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC

bug:37548390
Change-Id: I9c2d446118d3a5f729730b75ec117954e383159b

This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layes of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already as, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d

On fugu, surfaceflinger is Graphics Allocator HAL. surfaceflinger
needs access to video_device. This commit thus relaxes the neverallow
rule which says that out of all HALs, only Camera HAL can access
video_device. The rule is relaxed to exclude HALs offered by
framework/system image.

Test: fugu boots
Bug: 37575062
Change-Id: I9b9be55fe0bf3928f1a6342113a7d6f9a2eb0260

Allow the services to do binder calls to system_server in order to check
for app permissions.

Bug: 37542947
Test: Compiled and ran on device ensuring no permission errors
Change-Id: If91895607eb118f689cf2e11c63945e9f83bf2a0

The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: 37152880
Bug: 37554633
Test: adb shell am hang --allow-restart
Test: adb shell dumpstate
Change-Id: Ie68607f3e3245a40056bdde7dd810ddf212b4295

This lets dumpstate obtain the list of currently registered HwBinder
services.

Test: adb bugreport -- no denials to do with dumpstate access to
      hwservicemanager list functionality.
Bug: 37554633

Change-Id: I95512168948ca45a0dd830c20922e3c776ffaf41

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31

Fixes warning:
system/sepolicy/public/install_recovery.te:14:WARNING 'unrecognized character' at token ''' on line 13335:
allow install_recovery vendor_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };'

Bug: 37105075
Test: Fugu policy builds without this warning.
Change-Id: I8f417c51a816f3983a918c7e36dd804c5b85543f

Currently ro.device_owner and persist.logd.security aren't accessible
without root, so "adb shell getprop" returns empty reply which is
confusing. Also these properties aren't seen from bugreport unless
their change happened recently.

Bug: 37053313
Test: manual, took bugreport and ran getprop after "adb unroot".
Change-Id: Id41cdabc282f2ebcdfc0ac7fe9df756322a0863d

installd needs to check whether idmap is outdated or not compared to
vendor overlay file.

Test: building succeeded and tested on sailfish.
Bug: 37179531
Change-Id: I934c1ae39e3f806bca1e3d68cf8190addeebb499

Bug: 37542947
Test: Compiled and ran on device to ensure no access errors while in VR
Change-Id: Ia685676d82f1f10f2bd371a13879d00fe63a9ea6

This fixes

avc: denied { call } for comm="screencap" scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_graphics_allocator_default:s0 tclass=binder
  permissive=0

Bug: 37360953
Test: adb shell dumpstate -p -o <path>
Change-Id: Ia9387559e3ec1ba51b614bb9d24294fbbbd51b1a

Bug: 37485771
Test: sideloaded OTA through recovery on sailfish

Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701
Signed-off-by: Sandeep Patil <sspatil@google.com>

The PackageManager now passes previous code paths to dex2oat as shared
libraries. dex2oat needs extra permissions in order to access and open
the oat files of these libraries (if they were compiled).

Part of a multi-project change.

Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module
CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests

(cherry-picked from commit 1103f963)

Change-Id: I3cf810ef5f4f4462f6082dc30d3a7b144dcce0d9

hal_client_domain no longer allows read dir permission, in order
to load .so from /system/lib, we have to add this permission ourselves.

bug: 37476803
Change-Id: I1711d158c2f4580f50ac244da10c489df003cc18

Permit mediaextractor its own file source for apk and ringtone files.

Previously we fall back to the mediaserver file source.
This does not affect behavior as the fallback works fine; however,
the log messages may cause confusion.

    [73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read }
    for pid=18381 comm="generic"
    path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35"
    ino=2490374 scontext=u:r:mediaextractor:s0
    tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
    [73402.683932] type=1400 audit(1491338955.884:122): avc: denied { read }
    for pid=18383 comm="generic"
    path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35"
    ino=2490376 scontext=u:r:mediaextractor:s0
    tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0

Test: Ringtone and CTS
Bug: 37500781

Change-Id: Ie6d8e6d2b7301d00957733f173aeebbe9d0d1998

These rules allow the additional tracepoints we need for running traceur
in userdebug builds to be writeable.

Bug: 37110010
Test: I'm testing by running atrace -l and confirming that the
tracepoints that I'm attempting to enable are available.

Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd

vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e

This commit marks surfaceflinger and app domain (except isolated_app)
as clients of Configstore HAL. This cleans up the policy and will make
it easier to restrict access to HwBinder services later.

Test: Play YouTube clip in YouTube app and YouTube web page in Chrome
Test: Take an HDR+ photo, a normal photo, a video, and slow motion
      video in Google Camera app. Check that photos show up fine and
      that videos play back with sound.
Test: Play movie using Google Play Movies
Test: Google Maps app displays the Android's correct location
Bug: 34454312
Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371

Bug: 36604251
Test: Netflix protected content, Play movies
Change-Id: I5c2c542007abddbe56b933ff44d65bd376b6691e

The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.

Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829

Test: WIP
Change-Id: I678b0d0e9750b25628b86060574fd516d3749cdf

Temporary attribute (checked against in CTS) to point out vendor
processes that run /system executables. These are currently only down to
2-3 of them that are related to telephony on sailfish

Bug: 36463595
Test: Build succeeds for sailfish
Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \
          android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \
          --skip-device-info --skip-preconditions --skip-connectivity-check \
          --abi arm64-v8a

Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: 36463595
Test: Boot sailfish, make wifi call, internet over data and wifi

Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e
Signed-off-by: Sandeep Patil <sspatil@google.com>

Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f

Encountered more denials on sailfish:

avc:  denied  { read } for  pid=439 comm="recovery" name="thermal"
dev="sysfs" ino=28516 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

avc:  denied  { read } for  pid=441 comm="recovery"
name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0

Bug: 36920500
Test: sideload a package in sailfish
(cherry picked from commit b4e4565d)

Change-Id: I46b14babd47168e87c0d30ec06281aaa237563bf

This change disables /dev/binder access to and by mediacodec on
full-Treble devices.

b/36604251 OMX HAL (aka mediacodec) uses Binder and even exposes a
	   Binder service

Test: marlin
Change-Id: I1e30a6c56950728f36351c41b2859221753fd91a
Signed-off-by: Iliyan Malchev <malchev@google.com>

Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8