When installd clears cached files on external storage, the sdcardfs
kernel filesystem needs to be kept in the loop to release any cached
dentries that it's holding onto.  (Otherwise the underlying disk
space isn't actually released.)

installd can already delete the underlying files directly (via the
media_rw_data_file rules), so this technically isn't expanding its
capabilities.

avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Bug: 37486230
Change-Id: Icfd00a9ba379b1f50c48fe85849304cf9859bcb2

installd needs to check whether idmap is outdated or not compared to
vendor overlay file.

Test: building succeeded and tested on sailfish.
Bug: 37179531
Change-Id: I934c1ae39e3f806bca1e3d68cf8190addeebb499

The change makes 'vendor_app_file' accessible only to few platform
domains like dex2oat, idmap, installd, system_server and appdomain.

Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video

Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b
Signed-off-by: Sandeep Patil <sspatil@google.com>

seapp_context files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'seapp_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
      OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi \
      arm64-v8a --module CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testAospSeappContexts
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
      video

Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
Signed-off-by: Sandeep Patil <sspatil@google.com>

file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
       --skip-preconditions --skip-connectivity-check --abi \
       arm64-v8a --module CtsSecurityHostTestCases -t \
       android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446

We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62

When clearing cache, installd should be able to search for and delete
files in /data/preloads/file_cache

Test: Manually trigger installd freeCache
Bug: 31008665
Change-Id: I4c345cc8b0f7a6a8702a55f4720d21283c9d502a

The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28

Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

avc: denied { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot-core-libart.oat" dev="sda35" ino=1581062 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=lnk_file permissive=0

Test: builds, boots, quota stats match manual stats
Bug: 27948817
Change-Id: I65fb581a4732e03c46ac705f6693080c5f3be184

To support upcoming disk usage calculation optimizations, this change
grants installd access to work with filesystem quotas.

avc: denied { search } for name="block" dev="tmpfs" ino=15279 scontext=u:r:installd:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { sys_admin } for capability=21 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=1
avc: denied { quotaget } for scontext=u:r:installd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1

Test: builds
Bug: 27948817
Change-Id: Ic166e8ced30e15ce84223576729888a824037691

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317

Most of this CL mirrors what we've already done for the "netd" Binder
interface, while sorting a few lists alphabetically.

Migrating installd to Binder will allow us to get rid of one of
the few lingering text-based command protocols, improving system
maintainability and security.

Test: builds, boots
Bug: 13758960, 30944031
Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7

Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536

Allow installd to read through files, directories, and symlinks
on /system. This is needed to support installd using files in
/system/app and /system/priv-app

Addresses the following auditallow spam:

avc: granted { getattr } for comm="installd"
path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so"
dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

avc: granted { getattr } for comm="installd"
path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so"
dev="dm-0" ino=2305 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

avc: granted { read open } for comm="installd"
path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir

avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43"
ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir

avc: granted { read open } for comm="installd"
path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43"
ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir

avc: granted { read open } for comm="installd"
path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir

Test: policy compiles
Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2

Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

(cherry picked from commit d47c1e93)

To include target slot names in the naming of A/B OTA artifacts,
and new path has been implemented. Instead of passing through
the system server and forking off of installd, otapreopt_chroot
is now driven directly from the otapreopt script.

Change the selinux policy accordingly: allow a transition from
postinstall to otapreopt_chroot, and let otapreopt_chroot inherit
the file descriptors that update_engine had opened (it will close
them immediately, do not give rights to the downstream executables
otapreopt and dex2oat).

Bug: 25612095
Bug: 28069686
Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb

Grant permissions observed.

Bug: 28760354
Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b

This reverts commit 9c820a11.

Bug: 31364540
Change-Id: I98a34bd32dd835e6795d31a90f16f4ccd691e6e5

Grant permissions observed.

(cherry picked from commit 9c820a11)

Merged-in: Ifdead51f873eb587556309c48fb84ff1542ae303
Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

To include target slot names in the naming of A/B OTA artifacts,
and new path has been implemented. Instead of passing through
the system server and forking off of installd, otapreopt_chroot
is now driven directly from the otapreopt script.

Change the selinux policy accordingly: allow a transition from
postinstall to otapreopt_chroot, and let otapreopt_chroot inherit
the file descriptors that update_engine had opened (it will close
them immediately, do not give rights to the downstream executables
otapreopt and dex2oat).

Bug: 25612095
Bug: 28069686
Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb

Grant installd the policies to recursively delete
the foreign-dex folder when removing a user. Otherwise
the user cleanup will partially fail and cause a boot loop
when the userId is reused as some later point.

Bug: 29285673
Change-Id: I023f150cffbeb10b6014f48bca9eb0922c2d630a

Grant permissions observed.

Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

Bug: 28748264
Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5

Give mount & chroot permissions to otapreopt_chroot related to
postinstall.

Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.

Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7

Remove references to /data/security and the corresponding
type securitly_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e

Bug: 26719109
Bug: 26563023

Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995

Add permissions to dex2oat, introduce otapreopt binary and otadexopt
service.

Bug: 25612095
Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7

Change-Id: Ia90fb531cfd99d49d179921f041dd93c7325ad50

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Installd uses cp when relocating apps to sdcard.

avc: denied { execute } for name="toybox" dev="mmcblk0p10" ino=315 scontext=u:r:installd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Bug: 24617685
Change-Id: Id1a3039bbfc187c074aa50d426278964c40e4bde

Run idmap in its own domain rather than leaving it in installd's domain.
This prevents misuse of installd's permissions by idmap.

zygote also needs to run idmap.  For now, just run it in zygote's
domain as it was previously since that is what is done for dex2oat
invocation by zygote.  zygote appears to run idmap with system uid
while installd runs it with app UIDs, so using different domains
seems appropriate.

Remove system_file execute_no_trans from both installd and zygote;
this should no longer be needed with explicit labels for dex2oat and
idmap.

Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

avc: denied { getattr } for path="/mnt/expand" dev="tmpfs" ino=3146 scontext=u:r:installd:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0

Bug: 21856349
Change-Id: Ib9984182a71408d5cb803d453f148856b68569e3

Needed for split app installs, where we link existing apks and
compiled output to the stage location.

bug: 20889739

Change-Id: I610dc5b12cb46b03894002d60db7c06412d12cab

As an optimization, installd is now moving previously-installed
applications between attached storage volumes.  This is effectively
copying to the new location, then deleting the old location.

Since OAT files can now live under /data/app directories, we also
need the ability to relabel those files.

avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1

(Cherry-pick of 8f821db7)

Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458

As an optimization, installd is now moving previously-installed
applications between attached storage volumes.  This is effectively
copying to the new location, then deleting the old location.

Since OAT files can now live under /data/app directories, we also
need the ability to relabel those files.

avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1

Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458