As described in the system/core commit with the same Change-Id,
there's a race condition between installd and sdcard when it
comes to accessing /data/media. Resolve the race by checking
/data/.layout_version to make sure the filesystem has been upgraded.

Maybe indirectly fixes the following SELinux denial:

  sdcard  : type=1400 audit(0.0:3): avc: denied { write } for name="media" dev="mmcblk0p17" ino=102753 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b

Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7

Change-Id: I427c0f4828d45f2c43206c09cb37e3eb30455dee

b/16324360

Change-Id: If79f293a547deef570a80a5569ff8eb973ce29be

Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 4644ac48)

Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621

Addresses the denial in charger mode:
[   17.993733] type=1400 audit(1405412231.119:4): avc:  denied  { search } for  pid=123 comm="charger" name="/" dev="pstore" ino=10287 scontext=u:r:healthd:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=0

(cherry picked from commit bb96bffc)

Change-Id: I2dde6adc3ff99df99409d4da3ef32c3987228801

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc205)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f

Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea3)

Change-Id: I25354db2add3135335c80be2c2d350e526137572

Add com.android.net.IProxyService as a system_server_service
to service_contexts.

Bug: 16369427

(cherry picked from commit 26d6371c)

Change-Id: I3e58681971683bdc7f26a1d130c8bcf8ffcb89e2

https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.

For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.

Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.

(cherry picked from commit 8a5b28d2)

Change-Id: I39baaf62058986d35ad43de708aaa3daf93b2df4

Change-Id: I66a88b5dafc295e6daa9f4c0225aa593c97fe187

dex2oat fails when upgrading unlabeled asec containers.

Steps to reproduce:

1) Install a forward locked app on Android 4.1
  adb install -l foo.apk
2) Upgrade to tip-of-tree

Addresses the following denial:

  <4>[  379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

(cherry picked from commit 270be6e8)

Change-Id: I58dc6ebe61a5b5840434077a55f1afbeed602137

addresses the following denial:

  type=1400 audit(1.871:3): avc:  denied  { ipc_lock } for  pid=1406 comm="lmkd" capability=14  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

Bug: 16236289

(cherry picked from commit 6a1405d7)

Change-Id: I560f1e52eac9360d10d81fc8a9f60eba907a8466

Define the service context for "webviewupdate", a new service that will
run in the system server.

Bug: 13005501
Change-Id: I841437c59b362fda88d130be2f2871aef87d9231

dex2oat can't access file descriptors associated with asec_apk_files.
This breaks installing forward locked apps, and generates the following
denial:

  type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file

Steps to reproduce:

  $ adb install -r -l SimpleJNI.apk

Expected:

  app installs

Actual:

  app fails to install.

Bug: 16328233

(cherry picked from commit 5259c5e6)

Change-Id: I1969b9ae8d2187f4860587f7ff42d16139657b5b

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspsect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f

Change untrusted_app to not auditallow radio_service find requests
to cut down on log spam.

(cherry picked from commit af8d7ca9)

Change-Id: Ibfcc1abe927b6114af5a3a82188bf9f1e009d7f7

Addresses the following selinux denials:
type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0

(cherry picked from commit 53297318)

Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45b)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15

Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d

Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4

Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2

Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7

Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e

Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87

* commit '2f91ce55':

* commit '1c7463ac':

* commit 'ddfaf822':

* commit '554a8a3d':

* commit 'e4409728':
  Allow netd to create data files in /data/misc/net/.

* commit 'd27aeb21':
  recovery: allow read access to fuse filesystem

* commit 'd86b0a81':
  New domain "install_recovery"

* commit 'e900e573':
  Rules to allow installing package directories.

Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: I714ccb34f60d1413d2b184dae9b561cd06bc6b45

* commit 'a2933b66':
  install_recovery: start enforcing SELinux rules