  1. Mar 09, 2015
    • Only allow system_server to send commands to zygote. · 8f81dcad
      dcashman authored
      Add neverallow rules to ensure that zygote commands are only taken from
      system_server.
      
      Also remove the zygote policy class which was removed as an object manager in
      commit: ccb3424639821b5ef85264bc5836451590e8ade7
      
      Bug: 19624279
      
      Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
    • system_server: allow handling app generated unix_stream_sockets · 0560e75e
      Nick Kralevich authored
      Allow system server to handle already open app unix_stream_sockets.
      This is needed to support system_server receiving a socket
      created using socketpair(AF_UNIX, SOCK_STREAM) and
      socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android
      functionality.
      
      Addresses the following denial:
      
        type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0
      
      Bug: 19648474
      Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
  2. Mar 07, 2015
  3. Mar 06, 2015
    • Record observed bluetooth service access. · bb3cef44
      dcashman authored
      Bug: 18106000
      Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4
    • allow untrusted_app read /data/anr/traces.txt · 1aafc4c7
      Nick Kralevich authored
      The GMS core feedback agent runs as untrusted_app, and needs
      the ability to read /data/anr/traces.txt to report ANR information.
      
      Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
      can access it.
      
      Longer term, we need to move GMS core into its own domain, but that's
      a longer term change.
      
      Addresses the following denial:
      
      W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      
      (cherrypick from commit e2547c3b)
      
      Bug: 18504118
      Bug: 18340553
      Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
  4. Mar 05, 2015
    • move untrusted_app statement to the correct file. · 8be3e779
      Nick Kralevich authored
      Change-Id: I5ae9606023ef7f3489f44e6657766e922160c470
    • ee66ba8c
      Nick Kralevich authored
    • recovery: remove auditallow for exec_type:dir writes · b76966d6
      Nick Kralevich authored
      With the move to block based OTAs, we're never going to fix
      this bug. Remove the auditallow statement to avoid SELinux log
      spam.
      
      Bug: 15575013
      Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
    • Eliminate CAP_SYS_MODULE from system_server · 92b10ddb
      Nick Kralevich authored
      Right now, the system_server has the CAP_SYS_MODULE capability.  This allows the
      system server to install kernel modules.  Effectively, system_server is one
      kernel module load away from full root access.
      
      Most devices don't need this capability. Remove this capability from
      the core SELinux policy. For devices which require this capability,
      they can add it to their device-specific SELinux policy without making
      any framework code changes.
      
      In particular, most Nexus devices ship with monolithic kernels, so this
      capability isn't needed on those devices.
      
      Bug: 7118228
      Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
    • update isolated_app service_manager rules · 75f34dc3
      Nick Kralevich authored
      isolated apps should only be able to access 2 services.
      Remove access permissions for services inappropriately added,
      and add a neverallow rule to prevent regressions.
      
      Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
    • Merge "Allow init to set up dm-verity" · 723e31ef
      Sami Tolvanen authored
    • Allow init to set up dm-verity · 35f537c7
      Sami Tolvanen authored
      Allow init to
      
       1. Access device mapper to set up dm-verity devices
      
          avc:  denied  { write } for  pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0
      
       2. Access the metadata partition to load and store dm-verity state
      
          avc:  denied  { write } for  pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0
      
       3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered
          by dm-verity
      
          avc:  denied  { getattr } for  pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0
      
      These can be reproduced using the following steps:
      
       1. Add fs_mgr flag verify to the system partition in fstab
      
       2. Add a device specific init.rc handler for the init action that
          calls the built-in command verity_load_state.
      
      Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
    • Revert "Drop special handling of app_data_file in mls constraints." · 60cfe79f
      dcashman authored
      This reverts commit 27042f6d.
      
      Managed profiles are represented by new android users which have the ability to
      communicate across profiles as governed by an IntentFilter provisioned by the
      DevicePolicyManager.  This communication includes reading and writing content
      URIs, which is currently obstructed by the mls separation between an owning user
      and its managed profile.
      
      Bug: 19444116
      Bug: 19525465
      Bug: 19540297
      Bug: 19592525
      Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b
  5. Mar 03, 2015
  6. Mar 02, 2015
  7. Feb 28, 2015
    • Delete unconfined domain · f435a8e5
      Nick Kralevich authored
      No longer used.  :-)
      
      Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
    • init: drop read_policy permission · 07e73489
      Nick Kralevich authored
      As of https://android-review.googlesource.com/127858 ,
      open(O_RDONLY) is no longer used for chmod. It's no
      longer necessary to allow init to read the SELinux policy.
      
      Change-Id: I691dd220827a01a8d7a9955b62f8aca50eb25447
    • init: remove permissive_or_unconfined() · ed532c06
      Stephen Smalley authored
      
      Bug: 19050686
      Change-Id: Ie41c3e4d5aaeb43577ba85a4768a5fdbdd665efb
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    • Create boot_block_device and allow install_recovery read access · a8e073cd
      Nick Kralevich authored
      The install_recovery script creates a new recovery image based
      off of the boot image plus a patch on /system. We need to allow
      read access to the boot image to allow the patching to succeed,
      otherwise OTAs are broken.
      
      Addresses the following denial:
      
        type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
      
      TODO: Add device specific labels for the boot image.
      
      Bug: 19534538
      Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa
    • Remove read access from mls constraints. · e8f95b36
      dcashman authored
      Addresses the following denial encountered when sharing photos between personal
      and managed profiles:
      
      Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
      
      Bug: 19540297
      Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5
  8. Feb 27, 2015
    • allow init tmpfs:dir relabelfrom · 543faccc
      Nick Kralevich authored
      When encrypting a device, or when an encrypted device boots,
      a tmpfs is mounted in place of /data, so that a pseudo filesystem
      exists to start system_server and related components. SELinux labels
      need to be applied to that tmpfs /data so the system boots
      properly.
      
      Allow init to relabel a tmpfs /data.
      
      Addresses the following denial:
      
      [    6.294896] type=1400 audit(29413651.850:4): avc:  denied  { relabelfrom } for  pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
      
      Steps to reproduce:
        1) Go into Settings > Security > Encrypt Phone
        2) Encrypt phone
        3) See denial
        4) reboot phone
        5) See denial on boot
      
      Bug: 19050686
      Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
    • Revert "Allow ueventd to set verity.* properties" · 9f0682dc
      Sami Tolvanen authored
      Updating properties from ueventd may lead to deadlocks with init in rare
      cases, which makes these changes unnecessary after all.
      
      This reverts commit 47cd53a5.
      
      Change-Id: I87bdd66f0ec025eb3a9ea17574a67e908f3de6da
    • 006ede39
      Nick Kralevich authored
    • Merge "kernel.te: fix MTP sync" · a3364dfd
      Nick Kralevich authored
    • kernel.te: fix MTP sync · 1025d138
      Nick Kralevich authored
      STEPS TO REPRODUCE:
        1. Connect the device to Mac.
        2. Switch to AFT.
        3. Now AFT on Mac will show the device contents.
        4. Now drag and drop the file to device and observe.
      
      EXPECTED RESULTS:
        Should be able to copy.
      
      OBSERVED RESULTS:
        Shows "cannot copy file" and, on clicking OK,
        shows "device storage cannot connect" and closes AFT.
      
      Addresses the following denial:
      
        W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd
        12310 12530 E MtpRequestPacket: Malformed MTP request packet
      
      ps -Z entry:
        u:r:untrusted_app:s0:c512,c768 u0_a6     12310 203   android.process.media
      
      Bug: 15835289
      Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
    • dontaudit clatd self:capability ipc_lock · b4c4424c
      Nick Kralevich authored
      clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
      capable(CAP_IPC_LOCK), and then checks to see the requested amount is
      under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
      does not need CAP_IPC_LOCK, so we suppress any denials we see
      from clatd asking for this capability.
      See https://android-review.googlesource.com/127940
      
      Suppresses the following denial:
        type=1400 audit(1424916750.163:7): avc: denied { ipc_lock } for pid=3458 comm="clatd" capability=14 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
      
      Change-Id: Ica108f66010dfc6a5431efa0b4e58f6a784672d1
  9. Feb 26, 2015
  10. Feb 25, 2015
    • allow kernel to use vold file descriptors · 9fe810b7
      Nick Kralevich authored
      Vold opens ASEC containers on the sdcard, or OBB files from app's
      home directories, both of which are supplied by vold. We need to
      allow kernel threads to access those file descriptors.
      
      Addresses the following denial:
      
        loop0   : type=1400 audit(0.0:28): avc: denied { use } for path="/mnt/secure/asec/smdl1159865753.tmp.asec" dev="mmcblk1" ino=19 scontext=u:r:kernel:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0
      
      Bug: 19516891
      Change-Id: I5a3607b48f5e0e504e4b3fcaec19152c3784f49d
    • fs_use: Enabled loading security xattrs for squashfs · ab4be88e
      Mohamad Ayyash authored
      
      Change-Id: Icfa4b2cac6a960ef47e928308e4c6c9bd797d180
      Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
    • Revert /proc/net related changes · 5cf3994d
      Nick Kralevich authored
      Revert the tightening of /proc/net access. These changes
      are causing a lot of denials, and I want additional time to
      figure out a better solution.
      
      Addresses the following denials (and many more):
      
        avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
        avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
        avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
        avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
      
      This reverts commit 0f0324cc
      and commit 99940d1a
      
      Bug: 9496886
      Bug: 19034637
      Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
    • su: don't auditallow service_manager for su · 28ddd104
      Nick Kralevich authored
      Addresses the following auditallow messages:
      
        avc: granted { find } for service=accessibility scontext=u:r:su:s0 tcontext=u:object_r:accessibility_service:s0 tclass=service_manager
        avc: granted { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager
        avc: granted { find } for service=package scontext=u:r:su:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager
        avc: granted { find } for service=user scontext=u:r:su:s0 tcontext=u:object_r:user_service:s0 tclass=service_manager
        avc: granted { find } for service=window scontext=u:r:su:s0 tcontext=u:object_r:window_service:s0 tclass=service_manager
      
      Change-Id: Ie58ad3347e9ef1aacd39670cfec7d095875e237b
    • kernel: make kernel an mlstrustedsubject · 4308ce8c
      Nick Kralevich authored
      Addresses post-review comment in
      https://android-review.googlesource.com/130620
      
      Change-Id: I427ba99d63724eb526d41da47b95cc0ae038acdd
  11. Feb 24, 2015