This reverts commit b5594c27.

Bug: 27239233
Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2

This reverts commit 54457959.

Change-Id: Idfa0254e66f9517cc26af3c37441b47cbb984bca

neverallow access to other domains.

Bug: 27239233
Change-Id: I503d1be7308d0229db1cbe52cd511f7f40afa987

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b

This reverts commit 2afb217b.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

Deal with a few audit failures

Bug: 24200279
Change-Id: Ifb8e936738ef9c8576842576315cca2825310d3a

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d

- Add a new 'dumpstate' context for system properties. This context
  will be used to share state between dumpstate and Shell. For example,
  as dumpstate progresses, it will update a system property, which Shell
  will use to display the progress in the UI as a system
  notification. The user could also rename the bugreport file, in which
  case Shell would use another system property to communicate such
  change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
  notification can be used to stop dumpstate.

BUG: 25794470

Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895

Change-Id: Ia90fb531cfd99d49d179921f041dd93c7325ad50

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Init is now responsible for creating /data/anr, so it's
unnecessary to grant system_server and dumpstate permissions
to relabel this directory. Remove the excess permissions.

Leave system_data_file relabelfrom, since it's possible we're
still using it somewhere.

See commits:
  https://android-review.googlesource.com/161650
  https://android-review.googlesource.com/161477
  https://android-review.googlesource.com/161638

Bug: 22385254
Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

(cherry-pick of commit: eab26faa)

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e

dumpstate runs "df" on all mounted filesystems. Allow dumpstate
to access /storage/emulated so df works.

Addresses the following denial:

  avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir

Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8

This fixes the following policy violation:
avc: denied { read } pid=30295 comm="app_process"
tcontext=u:object_r:dalvikcache_data_file:s0
scontext=u:r:dumpstate:s0 tclass=lnk_file
permissive=0 ppid=26813 pcomm="dumpstate"
pgid=26813 pgcomm="dumpstate"

See 0e32726 in app.te for a symmetrical
change.

Change-Id: Iecbccd5fd0046ec193f08b26f9db618dee7a80c1

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc
and commit 99940d1a

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868

Without this change, any selinux warning you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.

Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb

On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the elf data for executables. Instead the permissions are granted
to debuggerd instead.

Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.

Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

Addresses the following denials:
avc:  denied  { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
avc:  denied  { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Bug: 18864737
Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

dumpstate and lmkd need to act on apps running at any level.

Various file types need to be writable by apps running at any
level.

Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

On 64 bit systems, it's necessary to read the /system/bin executables
elf header to determine if it's a 32 bit or 64 bit executable to
contact the correct debuggerd service.

Bug: 17487122

(cherry picked from commit 04f3d790)

Change-Id: Ib7835ffac1811a5aef54a250689287c1666720ef

On 64 bit systems, it's necessary to read the /system/bin executables
elf header to determine if it's a 32 bit or 64 bit executable to
contact the correct debuggerd service.

Bug: 17487122
Change-Id: Ica78aa54e5abbb051924166c6808b79b516274fe

The list of processes comes from frameworks/native/cmds/dumpstate/utils.c.
dumpstate calls dump_backtrace_to_file() for each such process, which
asks debuggerd to dump the backtrace.

Resolves denials such as:
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd

Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c

Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7

Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc205)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0

Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32