When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.

Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.

Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Mediaserver no longer appears, and maybe never did, need write
permission to sysfs files.
commit: 1de9c492 added auditing to
make sure this is the case, and such access has not been observed.
Remove the permissions and the associated auditallow rule to further
confine the mediaserver sandbox.

Bug: 22827371
Change-Id: I44ca1521b9791db027300aa84e54c074845aa735

For userdebug and eng builds enforce that:

 - only logd and shell domains may access logd files

 - logd is only allowed to write to /data/misc/logd

Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a

The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.

Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6

Change-Id: I0c17b4e36a14afd24763343c09eaca650ea4cefd

adbd needs to kill spawned subprocesses if the client terminates
the connection. SIGHUP will be used for this purpose, which
requires the process:signal permission.

Bug: http://b/23825725
Change-Id: I36d19e14809350dd6791a8a44f01b2169effbfd4

Change-Id: I455fe33345dd1ae8dc49cb7b70cbf1e7c1b3e271

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687
Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2

Bug: http://b/23814810
Change-Id: I731bd70ec982e47b86befb32a9edcb71570e9d64

Remove system server's permission to dynamically update SELinux
policy on the device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: I3c64d64359060561102e1587531836b69cfeef00

This permission appears to be unnecessary on some (most?) devices such
as the Nexus 5. It should be moved to the device policy if it's truly
required by the driver.

Change-Id: I531dc82ba9030b805db2b596e145be2afb324492

All non matching apps will simply receive the seinfo
label of "default" implicitly. No need to further
clarify things anymore with an explicit default stanza.

Change-Id: Ib7b01ee004775f24db9a69340a31784b967ce030
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Toolbox is definitely used from install_recovery. Addresses
the following denials:

  type=1400 audit(0.0:7): avc: granted { execute } for comm="install-recover" name="toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:6): avc: granted { getattr } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:13): avc: granted { read } for comm="log" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:9): avc: granted { read open } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Change-Id: I51d6e474f34afe1f33ea8294a344aa71e41deead

Apply the same sepolicy used on dhcpcd to dhcpcd-6.8.2,
which is have it run with the dhcp context, and have its
data files possess the dhcp_data_file context.

BUG: 22956197
Change-Id: I7915b694038bb309d93691ef5d4d293593ef3b5e

Addresses the following denial:

  avc:  denied  { list } for service=NULL scontext=u:r:su:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Change-Id: I70449b93307378481c986a60ca593eb2fc2de2c5

Since ram devices are labeled in base contexts, also add a label
for devices using zram.

Change-Id: I002baebf40246e78c6f9fb367ac6fb019101cc86
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Revert the neverallow change portion of
356df327, in case others need to
do dynamic policy updates.

(cherrypicked from commit e827a8ab)

Bug: 22885422
Bug: 8949824
Change-Id: If0745e7f83523377fd19082cfc6b33ef47ca0647

Remove the ability to dynamically update SELinux policy on the
device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

(cherrypicked from commit e827a8ab)

Bug: 22885422
Bug: 8949824
Change-Id: I802cb61fd18a452a2bb71c02fe57cfce5b7e9dc8

On user and userdebug builds, system_server only loads executable
content from /data/dalvik_cache and /system. JITing for system_server
is only supported on eng builds. Remove the rules for user and
userdebug builds.

Going forward, the plan of record is that system_server will never
use JIT functionality, instead using dex2oat or interpreted mode.

Inspired by https://android-review.googlesource.com/98944

Change-Id: I54515acaae4792085869b89f0d21b87c66137510

Add a neverallow rule (compile time assertion) for /data/local/tmp
access. /data/local/tmp is intended entirely for the shell user, and
it's dangerous for other SELinux domains to access it. See, for example,
this commit from 2012:

  https://android.googlesource.com/platform/system/core/+/f3ef1271f225d9f00bb4ebb0573eb3e03829f9a8

Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe

https://android-review.googlesource.com/166419 changed the handling
of non-interactive adb shells to use a socket instead of a PTY.
When the stdin/stdout/stderr socket is received by /system/bin/sh,
the code runs isatty() (ioctl TCGETS) to determine how to handle the
file descriptor. This is denied by SELinux.

Allow it for all domains.

Addresses the following denial:

  avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0

TODO: When kernels are publicly available which support SELinux ioctl
filtering, limit this just to ioctl 5401 (TCGETS) instead of all ioctls.

Bug: 21215503
Change-Id: I5c9394f27b8f198d96df14eac4b0c46ecb9b0898

In Android 5.1, mediaserver couldn't execute any file on
/system. This slightly regressed due to
8a0c25ef, which granted mediaserver
access to execute /system/bin/toolbox and /system/bin/toybox

Revoke that unneeded access and add a neverallow rule to prevent
regressions.

TODO: Remove toolbox_exec:file execute permissions from domain.te
and add it back to the specific domains that need it.

Change-Id: Ia7bc6028a9ffb723d4623d91cbe15c8c1bbb2eb9

Change-Id: Ic70a1208b67fe3961871cdeb39369c2ed3e0ce28
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Some of the ALL_*_FILES variables remained that were used
in a way that could not be cleared. Move them to lower
case variants and use a build recipe PRIVATE_*_FILES variable.
This avoids polluting the global namespace.

Change-Id: I83748dab48141af7d3f10ad27fc9319eaf90b970
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Init is now responsible for creating /data/anr, so it's
unnecessary to grant system_server and dumpstate permissions
to relabel this directory. Remove the excess permissions.

Leave system_data_file relabelfrom, since it's possible we're
still using it somewhere.

See commits:
  https://android-review.googlesource.com/161650
  https://android-review.googlesource.com/161477
  https://android-review.googlesource.com/161638

Bug: 22385254
Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9

Extend checkfc to support comparing two file_contexts or
file_contexts.bin files.  This is for use by the CTS
SELinuxHostTest to compare the AOSP general_file_contexts
with the device file_contexts.bin file.

Depends on I0fe63e0c7f11ae067b5aac2f468f7842e5d76986.

Change-Id: I2fff2f8cf87690a76219ddf4cf38939650f34782
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change supports external/libselinux changes to implement
PCRE formatted binary file_contexts and general_file_contexts.bin
files.

The $(intermediates) directory will contain the original text file
(that is no longer used on the device) with a .tmp extension as well
as the .bin file to aid analysis.

A CleanSpec.mk file is added to remove the old file_contexts file.

Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

There are no guarantees on the order of the results from a call to the
wildcard function. In fact, the order usually changes between make 3.81
and make 4.0 (and kati).

Instead, sort the results of wildcard in each sepolicy directory, so
that directory order is preserved, but content ordering is reliable.

Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775

This CL adds the SELinux settings required to support tracing
during boot.
https://android-review.googlesource.com/#/c/157163/

BUG: 21739901
Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0

The device-independent code only needs read access to sysfs, and this
appears to be enough for at least some devices (Nexus 5).

Bug: 22827371
Change-Id: I3b7b068e98f11f9133f0bdea8ece363e4bd89ae8