android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.

Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4

android.process.media needs access to mtp_usb when MTP is enabled.

Bug: 25074672
Change-Id: Ic48a3ba8e4395104b0b957f7a9bad69f0e5ee38e

Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.

Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d

Verifier needs access to apk files.
avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0

Give bluetooth_manager_service and trust_service the app_api_service
attribute.
avc:  denied  { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0
avc:  denied  { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0

Bug: 25066911
Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835

avc:  denied  { find } for service=network_management pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager
avc:  denied  { find } for service=netstats pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=0

Bug: 25022496
Change-Id: Ib6eac76b680fed3eca7e4942c6b0e375f12b6496

avc:  denied  { find } for service=webviewupdate pid=11399 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:webviewupdate_service:s0 tclass=service_manager permissive=0

Bug: 25018574
Change-Id: I26a7846d1c80c1ab3842813f4148528030b1106a

neverallow access to untrusted_app and isolated app

Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.

Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d

gmscore uses cache for updates

Bug: 24977552
Change-Id: I45a713fcfc70b71a2de712e77b64fb9feab67dd7

Bug: 24866874

(cherry picked from commit 33a779fe)

Change-Id: I0a9d4a30859b384cb3621c80568ef9da06ad44f6

Allow the non-privileged adb shell user to run strace. Without
this patch, the command "strace /system/bin/ls" fails with the
following error:

  shell@android:/ $ strace /system/bin/ls
  strace: ptrace(PTRACE_TRACEME, ...): Permission denied
  +++ exited with 1 +++

Change-Id: I207fe0f71941bff55dbeb6fe130e636418f333ee

Privileged apps now run in the priv_app domain. Remove permissions
from untrusted_app that were originaly added for GMS core, Finsky, and
Play store.

Bug: 22033466
Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be

Assign priviliged apps not signed with the platform key to the priv_app
domain.

Bug: 22033466
Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc

23cde877 removed JIT capabilities
from system_server for user and userdebug builds. Remove the capability
from eng builds to be consistent across build types.

Add a neverallow rule (compile time assertion + CTS test) to verify
this doesn't regress on our devices or partner devices.

Bug: 23468805
Bug: 24915206
Change-Id: Ib2154255c611b8812aa1092631a89bc59a27514b

Occasionally, files get labeled with the domain type rather
than the executable file type. This can work if the author
uses domain_auto_trans() versus init_daemon_domain(). This
will cause a lot of issues and is typically not what the
author intended.

Another case where exec on domain type might occur, is if
someone attempts to execute a /proc/pid file, this also
does not make sense.

To prevent this, we add a neverallow.

Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Remove ptrace from app.te, and only add it to the app domains
which explicitly require it.

Change-Id: I327aabd154ae07ce90e3529dee2b324ca125dd16

To prevent assigning non property types to properties, introduce
a neverallow to prevent non property_type types from being  set.

Change-Id: Iba9b5988fe0b6fca4a79ca1d467ec50539479fd5
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Address the following denial:
  SELinux  E  avc:  denied  { find } for service=drm.drmManager scontext=u:r:bluetooth:s0 tcontext=u:object_r:drmserver_service:s0

This denial is triggered by Bluetooth when MmsFileProvider.java is
using the PduPersister which in turn is using DRM.

Change-Id: I4c077635f8afa39e6bc5e10178c3a7ae3cb6a9ea

Simplify SELinux policy by deleting the procrank SELinux domain.
procrank only exists on userdebug/eng builds, and anyone wanting
to run procrank can just su to root.

Bug: 18342188
Change-Id: I71adc86a137c21f170d983e320ab55be79457c16

Third party vpn apps must receive open tun fd from the framework
for device traffic.

neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.

Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78

The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.

Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the notallow for writing to partititions
labeled as system_block_device.

Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.

Bug: 23186405
Test: Manually tested with Brillo build.

Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a

vold hasn't use the generic "block_device" label since
commit 273d7ea4 (Sept 2014), and
the auditallow statement in vold hasn't triggered since that time.

Remove the rule which allows vold access to the generic block_device
label, and remove the vold exception.

Thanks to jorgelo for reminding me about this.

Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9

* commit 'b01a18b9':
  grant installd rx perms on toybox

Installd uses cp when relocating apps to sdcard.

avc: denied { execute } for name="toybox" dev="mmcblk0p10" ino=315 scontext=u:r:installd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Bug: 24617685
Change-Id: Id1a3039bbfc187c074aa50d426278964c40e4bde

* commit '7fc865a4':
  service_contexts: don't delete intermediate on failure

* commit 'dcffd2b4':
  property_contexts: don't delete intermediate on failure

* commit '9eb6c874':
  Revert "property_contexts: don't delete intermediate on failure"

* commit 'efcaecab':
  Revert "service_contexts: don't delete intermediate on failure"

* commit '23c42c38':
  service_contexts: don't delete intermediate on failure

* commit 'e6e94762':
  property_contexts: don't delete intermediate on failure

When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>