The commit: d41ad551
fixes a race in coldboot. However, introduced a seperate
bug where existing character files were being relabeled.

The fix was to have ueventd ensure their was a delta between
the old and new labels and only then call lsetfilecon(). To
do this we call lgetfilecon() which calls lgetxattr(), this
requires getattr permissions.

This patch is void of any relabelfrom/to for ueventd on chr_file
as those can be added as they occur.

Bug: 29106809

Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Enable rules to allow shell to getattr on all block files
for checking modes under /dev/block.

Exempt shell from any neverallows on blk_file and limit them
to only getattr.

bug: 28306036
Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Enable shell to have access to /dev for running the
world accessable mode test on /dev.

This approach adds shell to the list of excluded domains
on neverallows around chr_files, but locks down the access
for shell to only getattr.

It was done this lightly more complicated way to prevent
loosening the allow rules so that any domain would have
getattr permissions.

Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253

There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. In this case
the device node links used to compute the SELinux context are not known
and the node is created under the generic context: u:object_r:block_device:s0.

Ueventd has been patched to relabel the nodes on subsequent add events but
it needs permissions to be allowed to do it.

BUG=28388946

Change-Id: Ic836309527a2b81accc50df38bd753d54fa5e318
Signed-off-by: Mihai Serban <mihai.serban@intel.com>

This directory is no longer used.

Change-Id: Ic32a7dd160b23ef8d1d4ffe3f7b1af56c973d73c

It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).

Bug: 27882507
Change-Id: Iaa83e3ac543b2221e1178c563e18298305de6da2

(cherrypicked from commit 45737b9f)

There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.

Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403

The misc_block_device partition is intended for the exclusive
use of the OTA system, and components related to the OTA system.
Disallow it's use by anyone else on user builds. On userdebug/eng
builds, allow any domain to use this, since this appears to be used
for testing purposes.

Bug: 26470876
Change-Id: I05d4ee025bb8a5e6a1a9237fefaa2b1c646e332c

This does not appear needed anymore.

Change-Id: I3128ab610c742b18008f4cfc2a7116b210f770e7

Do not allow module loading except from the system, vendor,
and boot partitions.

Bug: 27824855
Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1

postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5

Change-Id: Idc9552d2130750d82318d57e7c55fd280d687063
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Prevent direct opens into the system_app sandbox.

Change-Id: I04c22076939a9a09a6c861ae73da839c879c4ba7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Do not allow other domains to create or unlink files under
the system app sandbox.

Change-Id: I7c3037210c6849c3b0fc205fa71fa5ed4dcac1c2
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Followup to 121f5bfd.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
  out/target/product/bullhead/root/sepolicy

Before this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file relabelto;
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479

03-25 09:31:22.996     1     1 W init    : type=1400 audit(0.0:8): \
  avc: denied { getattr } for path="/data/misc/logd/logcat.052" \
  dev="dm-2" ino=124778 scontext=u:r:init:s0 \
  tcontext=u:object_r:misc_logd_file:s0 tclass=file permissive=0
. . .

Introduced a new macro not_userdebug_nor_eng()

Change-Id: I9c3a952c265cac096342493598fff7d41604ca45

Remove references to /data/security and the corresponding
type securitly_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6

Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was restored,
however, but not completely.  Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.

Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be

When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4

Currently, uncrypt has write access to "block_device". This is
the generic label used for a file in /dev/block which doesn't
have a more specific label assigned to it.

This is an overly broad grant. Commit a10f789d
started the process of deprecating "block_device" access in favor
of "misc_block_device".

This change completes the deprecation and removes the overly
broad grant. Also update the neverallow rules so that
this overly broad rule cannot be reintroduced into uncrypt.

Bug: 25091603
Change-Id: Ifc5fa412db2f95726ae89c32c577a6659885ae55

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc.  Many processes try
to read proc dirs, though.  Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.

Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3

Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.

Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf

Bug: 26976972
Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118

Was moved to domain_deprecated. Move back to domain.

Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.

Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53

r_dir_file(domain, self)

allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file r_file_perms;

te_macros
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

Change-Id: I7338f63a1eaa8ca52cd31b51ce841e3dbe46ad4f

Domain is already allowed to stat selinuxfs, it also needs
dir search.

Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir

Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07

Address the following:
01-21 13:35:41.147  5896  5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152  5896  5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152  5896  5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152  5896  5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed

and

01-22 08:58:47.667  7572  7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671  7498  7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671  7498  7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13

Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38

Address the following denials:
01-21 12:44:53.704  4595  4595 W ndroid.calendar: type=1400 audit(0.0:21): avc: denied { getattr } for name="/" dev="dm-0" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
01-21 12:45:23.177  5544  5544 W roid.music:main: type=1400 audit(0.0:46): avc: denied { getattr } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0
7618 W .android.chrome: type=1400 audit(0.0:413): avc: denied { getattr } for path="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0

01-21 12:44:53.709  4595  4595 D AndroidRuntime: Shutting down VM
01-21 12:44:53.727  4595  4595 E AndroidRuntime: FATAL EXCEPTION: main
01-21 12:44:53.727  4595  4595 E AndroidRuntime: Process: com.google.android.calendar, PID: 4595
01-21 12:44:53.727  4595  4595 E AndroidRuntime: java.lang.RuntimeException: Unable to get provider com.google.android.syncadapters.calendar.timely.TimelyProvider: java.lang.IllegalArgumentException: Invalid path: /data
01-21 12:44:53.727  4595  4595 E AndroidRuntime: 	at android.app.ActivityThread.installProvider(ActivityThread.java:5550)
...

Change-Id: I0e9d65438d031e19c9abc5dca8969ed4356437a0

Address the following denial:
avc: denied { read } for name="battery" dev="sysfs" ino=17945 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0

Bug: 26219114
Change-Id: I862b40a6514bffaa455dd7f06368acf9bcdc4782

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

The new rules are used to allow to mount FUSE file system for priv-app.

Change-Id: I5ce2d261be501e2b3fef09b7666f1e5d1cddbe52

Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1. Restore access to everyone.

Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.

Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.

Commit 4e2d2245 restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.

Addresses the following denials:

  avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
  avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
  avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
  avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec

Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.

Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.

Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

Lots of processes access CPU information. This seems to be triggered
by libraries loaded into every Android process. Allow the access.

Addresses the following denials:

adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1

Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35

Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.

Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.

Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918

Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d

Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094

The extra permissions are not needed. Delete them.

This change also adds read permission for /data/misc/zoneinfo
back to all domains. libc refernces this directory for timezone
related files, and it feels dangerous and of little value to
try to restrict access. In particular, this causes problems when the
shell user attempts to run "ls -la" to show file time stamps in
the correct timezone.

Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46

allow reading symlinks in /data and getattr in /system

Change-Id: I8cc9ca056725cf10ebfeef474ebf9c80c5300a73