Change-Id: If311f53b9e5a1020f188ae2346dbf6466e6129ac

Add an SELinux neverallow rule (compile time assertion) that only
authorized SELinux domains are writing to files in /data/dalvik-cache.

Currently, SELinux policy only allows the following SELinux domains
to perform writes to files in /data/dalvik-cache

  * init
  * zygote
  * installd
  * dex2oat

For zygote, installd, and dex2oat, these accesses make sense.

For init, we could further restrict init to just relabelfrom
on /data/dalvik-cache files, and { create, write, setattr }
on /data/dalvik-cache directories. Currently init has full
write access, which can be reduced over time.

This change was motivated by the discussion
in https://android-review.googlesource.com/127582

Remove /data/dalvik-cache access from the unconfined domain.
This domain is only used by init, kernel, and fsck on user builds.
The kernel and fsck domains have no need to access files in
/data/dalvik-cache. Init has a need to relabel files, but
that rule is already granted in init.te.

The neverallow rule is intended to prevent regressions. Neverallow
rules are CTS tested, so regressions won't appear on our devices
or partner devices.

Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd

external/sepolicy commit 99940d1a
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.

Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.

external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.

By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.

For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.

Addresses the following denials:

  avc: denied { read } for  pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

Resubmission of commit: 76f3fe33

Removed conflicting rule from unconfined domain.

Change-Id: I3e6da8922ebf636f1cd8ceefea4291d043a28ab7

Fix build due to goldfish neverallow conflicts.

This reverts commit 76f3fe33.

Change-Id: Ie7c2bf623dcfe246fa5e60b0775b6bb38869d8cb

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery the the various neverallow rules
blocking this behavior.

(cherrypick, with modifications, from 0055ea90)

Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e

Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88

(cherrypick of commit d7e004eb)

Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba

With the sepolicy-analyze neverallow checking, attribute
expansion is performed against the device policy and therefore
we do not want our neverallow rules to exempt domains from
consideration based on an attribute (e.g. -unconfineddomain).
Otherwise, device policy could pass the neverallow check just
by adding more domains to unconfineddomain.  We could of course
add a CTS test to check the list of unconfineddomains against
a whitelist, but it seems desirable regardless to narrow these
neverallow rules to only the specific domains required.

There are three such neverallow rules in current policy: one
on creating unlabeled files, one on accessing /dev/hw_random, and
one on accessing a character device without a specific type.  The
only domain in unconfineddomain that appears to have a legitimate
need for any of these permissions is the init domain.  Replace
-unconfineddomain with -init in these neverallow rules, exclude these
permissions from unconfineddomain, and add these permissions to init if
not already explicitly allowed.  auditallow accesses by init to files
and character devices left in the generic device type so we can monitor
what is being left there, although it is not necessarily a problem unless
the file or device should be accessible to others.

Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Now that we have assigned specific types to userdata and cache
block devices, we can remove the ability of fsck to run on other
block devices.

Change-Id: I8cfb3dc0e4ebe6b73346ff291ecb11397bb0c2d0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Define a specific block device type for system so that we can
prevent raw writes to the system partition by anything other than
recovery.

Define a specific block device type for recovery so that we
can prevent raw writes to the recovery partition by anything
other than install_recovery or recovery.

These types must be assigned to specific block device nodes
via device-specific policy.  This change merely defines the types,
adds allow rules so that nothing will break when the types are assigned,
and adds neverallow rules to prevent adding further allow rules
on these types.

This change does not remove access to the generic block_device type
from any domain so nothing should break even on devices without these
type assignments.

Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove the ability of init to execute programs from / or /system
without changing domains.  This forces all helper programs and
services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs
executed from the fs_mgr library by init.  This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system.  We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices.  As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain.  This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501

(cherry picked from commit 2de02877)

Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501
Change-Id: Ib70624fba2baeccafbc0a41369833f76b976ee20

Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

(cherrypick of commit 47bd7300)

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53

The kernel driver has been deprecated by the new userspace
driver. Don't continue to allow access to the old driver.

Maintain the labeling on /dev/log/* for now, just in case.

Bug: 13505761
Change-Id: Ibf8ef3af6274ede4262aada9222eaf63f63307b4

Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53

Add a neverallow rule (compile time assertion) that no SELinux domain
other than init can set default_prop. default_prop is assigned to a
property when no more specific label exists for that property.

This ensures that all properties are labeled properly, and that
no-one (other than init) gets access to unknown properties.

Change-Id: If279960f23737e263d4d1b5face7b5c49cda7ae7

Init never uses binder, so allowing binder related operations
for init never makes sense. Disallow all binder opertions for
init.

This change expands on commit a730e50b,
disallowing any init binder operation, not just call operations, which
may be accidentally added by blindly running audit2allow.

Change-Id: I12547a75cf68517d54784873846bdadcb60c5112

Do not auditallow dumpstate as it is the only instance
of listing services seen so far.

Change-Id: I1c142cf5a3a745ea64b22f3a14b8395b24f2e1d0

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c

Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 4644ac48)

Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621

Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Change-Id: I73d70ab04719a67f71e48ac795025f2ccd5da385
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964

The new Nexus 5 tee implementation requires raw block I/O
for anti-rollback protection.

Bug: 15777869
Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396

Create a new domain for the one-shot init service flash_recovery.

This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.

Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8

  libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
  Error while expanding policy
  make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

(cherry picked from commit 3508d611)

Change-Id: I5efa1f2040fc40df1df44ed1b8e84b6080cb8f74

  libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
  Error while expanding policy
  make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

Change-Id: Iddf2cb8d0de2ab445e54a727f01be0b992b45ba5

Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.

Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156

This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.

Addresses denials such as:
  avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.

Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove write access to rootfs files from unconfineddomain and
prevent adding it back via neverallow.  This is only applied to
regular files, as we are primarily concerned with preventing
writing to a file that can be exec'd and because creation of
directories or symlinks in the rootfs may be required for mount
point directories.

Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add neverallow rules to prohibit adding any transitions into
the kernel or init domains.  Rewrite the domain self:process
rule to use a positive permission list and omit the transition
and dyntransition permissions from this list as well as other
permissions only checked when changing contexts.  This should be
a no-op since these permissions are only checked when
changing contexts but avoids needing to exclude kernel or init
from the neverallow rules.

Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time.  The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).

Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow.  This ensures that the no write to /system
restriction cannot be bypassed via context= mount.

Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>