Broke the dragon build:

libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

This reverts commit ed0b4eb3.

Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd

By default, files created in /dev are labeled with the "device" label
unless a different label has been assigned. The direct use of this
generic label is discouraged (and in many cases neverallowed) because
rules involving this label tend to be overly broad and permissive.

Today, generically labeled character devices can only be opened, read,
or written to by init and ueventd.

  $ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
  allow init device:chr_file { setattr read lock getattr write ioctl open append };
  allow ueventd device:chr_file { read lock getattr write ioctl open append };

this is enforced by the following SELinux neverallow rule (compile time
assertion + CTS test):

  neverallow { domain -init -ueventd } device:chr_file { open read write };

Start auditallowing ueventd access to /dev character device files with the
default SELinux label. This doesn't appear to be used, but let's prove it.
While ueventd is expected to create files in /dev, it has no need to open
most of the files it creates.

Note, however, that because ueventd has mknod + setfscreate permissions,
a malicious or compromised ueventd can always create a device node under
an incorrect label, and gain access that way.

The goal of this change is to prove that no process other than init are
accessing generically labeled files in /dev.

While I'm here, tighten up the compile time assertion for
device:chr_file to include more permissions.

Test: policy compiles + device boots with no granted messages.
Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0

Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f

In particular, get rid of TIOCSTI, which is only ever used for exploits.

http://www.openwall.com/lists/oss-security/2016/09/26/14

Bug: 33073072
Bug: 7530569
Test: "adb shell" works
Test: "adb install package" works
Test: jackpal terminal emulator from
      https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
      works
Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf

urandom_device and random_device have the exact same security
properties. Collapse them into one type.

Test: device boots and /dev/urandom is labeled correctly.
Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41

The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.

It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).

Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5

Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536

This property is never used.

Test: policy compiles
Change-Id: I43ace92950e1221754db28548031fbbfc0437d7a

The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.

Test: m
Test: angler boots

Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83

The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.

A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.

This reverts commit ec3285cd.

(cherrypicked from commit 863ce3e7)

Test: AndroiTS GPS Test app shows GPS data, no SELinux denials.
Bug: 32290392
Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d

Addresses the following auditallow spam:

avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a

Bug: 32290392
Test: Builds.
Change-Id: I46e8af202b41131cfc9bb280f04a214859c9b0de

Fixes the following SELinux messages when running adb bugreport:

avc: granted { read } for name="libart.so" dev="dm-0" ino=1886
scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read execute } for path="/system/lib64/libart.so"
dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2"
ino=106290 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { read } for name="system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { read open } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

[  169.349480] type=1400 audit(1477679159.734:129): avc: granted { read
} for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350030] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350361] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350399] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350963] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351002] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351330] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351366] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351861] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351910] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353105] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353186] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353594] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353636] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354230] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354437] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.395359] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

Test: policy compiles
Test: adb bugreport runs without auditallow messages above.
Bug: 32246161
Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a

Filesystem capabilities should only be set by the build tools
or by recovery during an update. Place a neverallow ensuring
this property.

Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Grant access to all processes and audit access. The end goal is to
whitelist all access to the interpreter. Several processes including
dex2oat, apps, and zygote were observed using libart, so omit them
from auditing and explicitly grant them access.

Test: Angler builds and boots

Bug: 29795519
Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88

Change-Id: I07d188e4dd8801a539db1e9f3edf82a1d662648e
(cherry picked from commit 61a082a55dbc2798d50d0d4b766151d69334729a)

(cherry picked from commit eb717421)

The new A/B OTA artifact naming scheme includes the target slot so
that the system is robust with respect to unexpected reboots. This
complicates the renaming code after reboot, so it is moved from the
zygote into a simple script (otapreopt_slot) that is hooked into
the startup sequence in init.

Give the script the subset of the rights that the zygote had so that
it can move the artifacts from /data/ota into /data/dalvik-cache.
Relabeling will be done in the init rc component, so relabeling
rights can be completely removed.

Bug: 25612095
Bug: 28069686
Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b

(cherry picked from commit ec4b9d67)

Vendor apps are usually not preopted, so A/B dexopt should pick
them up. update_engine is not mounting the vendor partition, so
let otapreopt_chroot do the work.

This change gives otapreopt_chroot permission to mount /vendor
into the chroot environment.

Bug: 25612095
Bug: 29498238
Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb

(cherry picked from commit d3edd6b5)

Bug: 29278988
Change-Id: I199572377a6b5c33116c718a545159ddcf50df30

Bluetooth is sometimes started from init.

Addresses the following compiler error:

  libsepol.report_failure: neverallow on line 489 of
  system/sepolicy/domain.te (or line 9149 of policy.conf) violated by
  allow init bluetooth:process { transition };
  libsepol.check_assertions: 1 neverallow failures occurred
  Error while expanding policy

(cherry-picked from commit 7e380216)

Change-Id: I2bc1e15217892e1ba2a62c9683af0f3c0aa16b86

Previously appdomains allowed to execute off of /data
where whitelisted. This had the unfortunate side effect of
disallowing the creation of device specific app domains
with fewer permissions than untrusted_app. Instead grant
all apps a neverallow exemption and blacklist specific app
domains that should still abide by the restriction.

This allows devices to add new app domains that need
/data execute permission without conflicting with this rule.

Bug: 26906711

(cherry picked from commit c5266df9)

Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924

Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.

Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe

Needed for jemalloc commit:

2f970c32b527660a33fa513a76d913c812dcf7c
Modify pages_map() to support mapping uncommitted virtual memory.

avc: denied { read } for name="overcommit_memory" dev="proc" ino=10544
scontext=u:r:wificond:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 29773242
Change-Id: I78054c1ed576a7998c4ee1d1beca2f610c589c3a

Some legitimate functionality currently requires direct sysfs access
that is not otherwise possible via the android APIs.  Specifically,
isochronous USB transfers require this direct access, without which USB
audio applications would noticibly suffer.

Grant read access to the usb files under /sys/devices to prevent this
regression.

Bug: 28417852
Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728

The commit: d41ad551
fixes a race in coldboot. However, introduced a seperate
bug where existing character files were being relabeled.

The fix was to have ueventd ensure their was a delta between
the old and new labels and only then call lsetfilecon(). To
do this we call lgetfilecon() which calls lgetxattr(), this
requires getattr permissions.

This patch is void of any relabelfrom/to for ueventd on chr_file
as those can be added as they occur.

Bug: 29106809

Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Enable rules to allow shell to getattr on all block files
for checking modes under /dev/block.

Exempt shell from any neverallows on blk_file and limit them
to only getattr.

bug: 28306036
Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Enable shell to have access to /dev for running the
world accessable mode test on /dev.

This approach adds shell to the list of excluded domains
on neverallows around chr_files, but locks down the access
for shell to only getattr.

It was done this lightly more complicated way to prevent
loosening the allow rules so that any domain would have
getattr permissions.

Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253

There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. In this case
the device node links used to compute the SELinux context are not known
and the node is created under the generic context: u:object_r:block_device:s0.

Ueventd has been patched to relabel the nodes on subsequent add events but
it needs permissions to be allowed to do it.

BUG=28388946

Signed-off-by: Mihai Serban <mihai.serban@intel.com>

(cherry picked from commit d41ad551)

Change-Id: I26838a3a9bc19b341e7176e5dc614827232014bf

It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).

Bug: 27882507

(cherry picked from commit 50ba6318)

Change-Id: Ifab6e46a077a87629b4d3c7ada1050f2ab6931d5

The misc_block_device partition is intended for the exclusive
use of the OTA system, and components related to the OTA system.
Disallow it's use by anyone else on user builds. On userdebug/eng
builds, allow any domain to use this, since this appears to be used
for testing purposes.

Bug: 26470876

(cherry picked from commit 2c7a5f26)

Change-Id: I40c80fa62651a0135e1f07a5e07d2ef65ba04139

There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. In this case
the device node links used to compute the SELinux context are not known
and the node is created under the generic context: u:object_r:block_device:s0.

Ueventd has been patched to relabel the nodes on subsequent add events but
it needs permissions to be allowed to do it.

BUG=28388946

Change-Id: Ic836309527a2b81accc50df38bd753d54fa5e318
Signed-off-by: Mihai Serban <mihai.serban@intel.com>

This directory is no longer used.

Change-Id: Ic32a7dd160b23ef8d1d4ffe3f7b1af56c973d73c

Give mount & chroot permissions to otapreopt_chroot related to
postinstall.

Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.

Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7

It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).

Bug: 27882507
Change-Id: Iaa83e3ac543b2221e1178c563e18298305de6da2

(cherrypicked from commit 45737b9f)

There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.

Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403

Restrict the ability of the shell to set the log.*
properties. Namely: only allow the shell to set
such properities on eng and userdebug builds.

The shell (and other domains) can continue to
read log.* properties on all builds.

While there: harmonize permissions for log.* and
persist.log.tag. Doing so introduces two changes:
- log.* is now writable from from |system_app|. This
  mirrors the behavior of persist.log.tag, which is
  writable to support "Developer options" ->
  "Logger buffer sizes" -> "Off".
  (Since this option is visible on user builds, the
  permission is enabled for all builds.)
- persist.log.tag can now be set from |shell| on
  userdebug_or_eng().

BUG=28221972
TEST=manual (see below)

Testing details
- user build (log.tag)
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag
  <blank line>
  $ adb bugreport | grep log.tag.foo
  [  146.525836] init: avc:  denied  { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0
  [  146.525878] init: sys_prop: permission denied uid:2000  name:log.tag.foo
- userdebug build (log.tag)
  $ adb shell getprop log.tag.foo
  <blank line>
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag.foo
  V
- user build (persist.log.tag)
  $ adb shell getprop | grep log.tag
  <no match>
  - Developer options -> Logger buffer sizes -> Off
  $ adb shell getprop | grep log.tag
  [persist.log.tag]: [Settings]
  [persist.log.tag.snet_event_log]: [I]

Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75

Doesn't appear to be needed anymore.

Change-Id: I7a1fcf4c17fa69c313daebb87c9b0bf654169ee0

Bug: 27549740
Change-Id: I3f646984fbd9cbcb58636d158a9ac0afc5a930ce