Change-Id: I093d7ecf48e9137b974047cd7d0fd2209792b748

Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.

Bug: 18005561

Cherry-pick of commit: ef4fd306
with commit: 47c14611
squashed in.

Bug: 19191637
Change-Id: Id66cad549b7311a6bbd92fd64b6ec2c60d0433a4

* commit '87f3802a':
  appdomain: relax netlink_socket neverallow rule

Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

(cherry picked from commit d31936f8)

Change-Id: I4763cb0c9510220693c506636dbb7584712b67e2

See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Cherry-pick of commit: 59906bf8
with build-fix from commit: 74bbf703
added manually.

Bug: 19191637

Change-Id: I1c18fa854b3c5f5e05d5dc42d9006c5fdacebdc3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

(cherry picked from commit d31936f8)

Bug: 19198997
Change-Id: Icfed1ee66f082df1117b090341f62981f01bc849

Chrome team recommends reverting this patch and introducing
it into a future version of Android, to avoid potential
compatibility issues.

This reverts commit 9de62d6f.

Bug: 17471434
Bug: 18609318
Change-Id: I3086cb8a8d7142b1eadce622f7e87a4c3426b6bf

Addresses denials such as:
type=1400 : avc: denied { lock } for comm="PushCheckSendS" path="socket:[1834573]" dev="sockfs" ino=X scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=tcp_socket

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 2c759185)

Bug: 18730521
Change-Id: Ie68955c26ddedb3acd7b7aa18afbf8b35c2c2f78

Required for Settings to show name/icon of apps on sd card
(permission copied from untrusted_app)

Also removed duplicate permission (from domain) in untrusted_app

(cherry picked from commit c06ed8f7)

Bug: 18730865
Change-Id: I725d088d1d4a1256e3bfe49bc32796a54889f925

Bug: 18485243

(cherry picked from commit fc6214bf)

Change-Id: I1b9e2705383bd0a3bae75b35906110e490f8785d

Bug: 18642766

Change-Id: I97d6ab0b76b69d99dcc1928232c8961437e1e68c
Signed-off-by: Patrick Tjin <pattjin@google.com>

Bug: 18112269
Change-Id: I801a3ecb42a2636b15612ff19a55150d06786363

The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.

Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.

Longer term, we need to move GMS core into it's own domain, but that's
a longer term change.

Addresses the following denial:

W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 18504118
Bug: 18340553
Change-Id: Ia9fac599befc3a3b6e5282be15ec8fd04bb23385

Dex2oat needs the ability to read from already open file descriptors
in /oem so that apps from that location can be installed. Allow it.

Addresses the following denials:

  avc: denied { read } for comm="dex2oat" path="/oem/app/TabletInfo.apk" dev="mmcblk0p12" ino=20 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/AskMe_android_one.apk" dev="mmcblk0p12" ino=14 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerRegulatoryInfo.apk" dev="mmcblk0p12" ino=19 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerLauncherProvider.apk" dev="mmcblk0p12" ino=18 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/Amazon_Mobile_com.apk" dev="mmcblk0p12" ino=13 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerBookmarksProvider.apk" dev="mmcblk0p12" ino=17 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/Hike.apk" dev="mmcblk0p12" ino=15 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/MiLive_embedded_IndiaGames_version4.0_android1.apk" dev="mmcblk0p12" ino=16 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0

Bug: 18539205
Change-Id: I92bd91c66befc5a1060dd189324b2c046bba0258

Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561

Cherry-pick from: https://android-review.googlesource.com/#/c/111626/

Change-Id: I751a99feffe820308ec58514fdba4cdef184d964

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956

(cherry picked from commit c48971f6)

Change-Id: I24bc1b3405f60c9d4e16e5a995e987e54692b6aa

See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '6f201ddc':
  App: add permissions to read symlinks from dalvik cache.

Bug: 18035729
Change-Id: Ib60f9cd59a7a185ae99761ad29358a735ae2ad26

* commit '9f0af9ec':
  zygote/dex2oat: Grant additional symlink permissions

* commit 'b7934922':
  allow run-as to access /data/local/tmp

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

(cherry-picked from AOSP master
83c5612e)

Bug: 18035729

(cherry picked from commit f7ccfd00)

Change-Id: I5dca27241f46f481515b96e968fb2bef7866c89b

Otherwise denials like the following occur:

avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Steps to reproduce:

$ run-as com.google.android.talk id > /data/local/tmp/id.out
$ run-as com.google.android.talk cat < /data/local/tmp/id.out

(cherry picked from commit dd8571aa)

Change-Id: I80bb26e06d932229c286f0389f28ad6868d79100

* commit '7cd346a7':
  Allow recovery to create device nodes and modify rootfs

* commit '0055ea90':
  Allow recovery to create device nodes and modify rootfs

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery the the various neverallow rules
blocking this behavior.

Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e

* commit '7adc8cfe':
  Allow adbd to write to /data/adb

adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895

(cherry picked from commit 973877db)

Change-Id: Ida2e0257c97941ab33ccdab59eb2cde95dca344f

They need to see when it changes so they know when netd bounces.

bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a

Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

(cherry-picked from AOSP master
83c5612e)

Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62

* commit '2d1650f4':
  allow system_server to set kernel scheduling priority

Addresses the following denial:

  avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

It's not clear why system_server is adjusting the scheduling priority
of kernel processes (ps -Z | grep kernel). For now, allow the operation,
although this is likely a kernel bug.

Maybe fix bug 18085992.

Bug: 18085992
Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855

* commit '683ac49d':
  recovery: allow changing unlabeled symbolic links

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c