  1. Dec 18, 2015
    • neverallow debugfs access · 96b1c9ca
      Nick Kralevich authored
      Don't allow access to the generic debugfs label. Instead, force
      relabeling to a more specific type. system_server and dumpstate
      are excluded from this until I have time to fix them.
      
      Tighten up the neverallow rules for untrusted_app. It should never
      be reading any file on /sys/kernel/debug, regardless of the label.
      
      Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
  2. Dec 14, 2015
    • label /sys/kernel/debug/tracing and remove debugfs write · fe12b616
      Nick Kralevich authored
      Start labeling the directory /sys/kernel/debug/tracing. The files
      in this directory need to be writable to the shell user.
      
      Remove global debugfs:file write access. This was added in the days
      before we could label individual debugfs files.
      
      Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
  3. Dec 10, 2015
    • Restore sysfs_devices_system_cpu to domain.te · 4e2d2245
      Nick Kralevich authored
      Lots of processes access CPU information. This seems to be triggered
      by libraries loaded into every Android process. Allow the access.
      
      Addresses the following denials:
      
      adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
      adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
      adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
      adbd    : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
      
      Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35
  4. Dec 08, 2015
    • Remove property read access for non-core properties · 5a570a4b
      Nick Kralevich authored
      Instead of allowing global read access to all properties,
      only allow read access to the properties which are part of
      core SELinux policy. Device-specific policies are no longer
      readable by default and need to be granted in device-specific
      policy.
      
      Grant read-access to any property where the person has write
      access. In most cases, anyone who wants to write a property
      needs read access to that property.
      
      Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
    • Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker · 44826cb5
      Nick Kralevich authored
      Add initial support for labeling files on /sys/kernel/debug.
      The kernel support was added in https://android-review.googlesource.com/122130
      but the userspace portion of the change was never completed until now.
      
      Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
      is the trace_marker file, which is written to by almost all processes
      in Android. Allow global write access to this file.
      
      This change should be submitted at the same time as the system/core
      commit with the same Change-Id as this patch.
      
      Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
  5. Dec 03, 2015
    • Support fine grain read access control for properties · 949d7cbc
      Tom Cherry authored
      Properties are now broken up from a single /dev/__properties__ file into
      multiple files, one per property label.  This commit provides the
      mechanism to control read access to each of these files and therefore
      sets of properties.
      
      This allows full access for all domains to each of these new property
      files to match the current permissions of /dev/__properties__.  Future
      commits will restrict the access.
      
      Bug: 21852512
      
      Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
  6. Nov 28, 2015
    • Remove domain_deprecated from adbd and shell · 8ca19368
      Nick Kralevich authored
      The extra permissions are not needed. Delete them.
      
      This change also adds read permission for /data/misc/zoneinfo
      back to all domains. libc references this directory for timezone
      related files, and it feels dangerous and of little value to
      try to restrict access. In particular, this causes problems when the
      shell user attempts to run "ls -la" to show file time stamps in
      the correct timezone.
      
      Bug: 25433265
      Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
  7. Nov 25, 2015
    • Perms back to domain · 9a3d1c6b
      Jeff Vander Stoep authored
      allow reading symlinks in /data and getattr in /system
      
      Change-Id: I8cc9ca056725cf10ebfeef474ebf9c80c5300a73
  8. Nov 19, 2015
    • Move some perms back to domain · aef68b77
      Jeff Vander Stoep authored
      libselinux stats selinuxfs, as does every process that links against
      libselinux such as toolbox. grant:
         allow domain selinuxfs:filesystem getattr;
      
      domain is already granted:
         allow domain self:dir r_dir_perms;
         allow domain self:lnk_file r_file_perms;
         allow domain self:{ fifo_file file } rw_file_perms;
      To make these possible, also grant:
         allow domain proc:dir search;
      
      Change-Id: Ife6cfa2124c9d61bf908ac89a8444676acdb4259
    • Create a new SELinux type for /data/nativetest · e9d261ff
      Nick Kralevich authored
      1) Don't use the generic "system_data_file" for the files in /data/nativetest.
      Rather, ensure it has its own special label. This allows us to distinguish
      these files from other files in SELinux policy.
      
      2) Allow the shell user to execute files from /data/nativetest, on
      userdebug or eng builds only.
      
      3) Add a neverallow rule (compile time assertion + CTS test) that nobody
      is allowed to execute these files on user builds, and only the shell user
      is allowed to execute these files on userdebug/eng builds.
      
      Bug: 25340994
      Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
  12. Oct 28, 2015
    • Update text relocation neverallow assertions · 89424bf9
      Nick Kralevich authored
      1) Don't allow any SELinux domain to attempt to perform a text
      relocation on a file from the /system partition. It's not supported
      and should never be attempted.
      
      2) Completely block any non-app SELinux domains from using text
      relocations, regardless of the source.
      
      Bug: 20013628
      Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3
  13. Oct 14, 2015
    • Add priv_app domain to global seapp_context · ee9c0b5f
      Jeff Vander Stoep authored
      Assign privileged apps not signed with the platform key to the priv_app
      domain.
      
      Bug: 22033466
      Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc
    • neverallow: domain:file execute and entrypoint · f25304ee
      William Roberts authored
      
      Occasionally, files get labeled with the domain type rather
      than the executable file type. This can work if the author
      uses domain_auto_trans() versus init_daemon_domain(). This
      will cause a lot of issues and is typically not what the
      author intended.
      
      Another case where exec on domain type might occur, is if
      someone attempts to execute a /proc/pid file, this also
      does not make sense.
      
      To prevent this, we add a neverallow.
      
      Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
      Signed-off-by: William Roberts <william.c.roberts@intel.com>
    • delete procrank SELinux domain. · 9e6effa1
      Nick Kralevich authored
      Simplify SELinux policy by deleting the procrank SELinux domain.
      procrank only exists on userdebug/eng builds, and anyone wanting
      to run procrank can just su to root.
      
      Bug: 18342188
      Change-Id: I71adc86a137c21f170d983e320ab55be79457c16
    • Move update_engine policy to AOSP. · a10f789d
      David Zeuthen authored
      The update_engine daemon from Brillo is expected to be used also in
      Android so move its selinux policy to AOSP.
      
      Put update_engine in the whitelist (currently only has the recovery
      there) allowing it to bypass the neverallow for writing to partitions
      labeled as system_block_device.
      
      Also introduce the misc_block_device dev_type as update_engine in some
      configurations may need to read/write the misc partition. Start
      migrating uncrypt to use this instead of overly broad
      block_device:blk_file access.
      
      Bug: 23186405
      Test: Manually tested with Brillo build.
      
      Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
  16. Oct 06, 2015
    • remove "allow vold block_device:blk_file create_file_perms;" · 7e86e19d
      Nick Kralevich authored
      vold hasn't used the generic "block_device" label since
      commit 273d7ea4 (Sept 2014), and
      the auditallow statement in vold hasn't triggered since that time.
      
      Remove the rule which allows vold access to the generic block_device
      label, and remove the vold exception.
      
      Thanks to jorgelo for reminding me about this.
      
      Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9
  18. Aug 25, 2015
    • Only allow toolbox exec where /system exec was already allowed. · a3c97a76
      Stephen Smalley authored
      
      When the toolbox domain was introduced, we allowed all domains to exec it
      to avoid breakage.  However, only domains that were previously allowed the
      ability to exec /system files would have been able to do this prior to the
      introduction of the toolbox domain.  Remove the rule from domain.te and add
      rules to all domains that are already allowed execute_no_trans to system_file.
      Requires coordination with device-specific policy changes with the same Change-Id.
      
      Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  21. Aug 15, 2015
    • allow domain adbd:unix_stream_socket ioctl; · f4d39ca1
      Nick Kralevich authored
      https://android-review.googlesource.com/166419 changed the handling
      of non-interactive adb shells to use a socket instead of a PTY.
      When the stdin/stdout/stderr socket is received by /system/bin/sh,
      the code runs isatty() (ioctl TCGETS) to determine how to handle the
      file descriptor. This is denied by SELinux.
      
      Allow it for all domains.
      
      Addresses the following denial:
      
        avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0
      
      TODO: When kernels are publicly available which support SELinux ioctl
      filtering, limit this just to ioctl 5401 (TCGETS) instead of all ioctls.
      
      Bug: 21215503
      Change-Id: I5c9394f27b8f198d96df14eac4b0c46ecb9b0898
  22. Aug 14, 2015
    • mediaserver: remove /system/bin/toolbox exec access · bf65c7ef
      Nick Kralevich authored
      In Android 5.1, mediaserver couldn't execute any file on
      /system. This slightly regressed due to
      8a0c25ef, which granted mediaserver
      access to execute /system/bin/toolbox and /system/bin/toybox
      
      Revoke that unneeded access and add a neverallow rule to prevent
      regressions.
      
      TODO: Remove toolbox_exec:file execute permissions from domain.te
      and add it back to the specific domains that need it.
      
      Change-Id: Ia7bc6028a9ffb723d4623d91cbe15c8c1bbb2eb9
  24. Aug 02, 2015
    • init.te: delete kernel load policy support · 356df327
      Nick Kralevich authored
      Remove the ability to dynamically update SELinux policy on the
      device.
      
      1) This functionality has never been used, so we have no idea if
      it works or not.
      
      2) If system_server is compromised, this functionality allows a
      complete bypass of the SELinux policy on the device. In particular,
      an attacker can force a regression of the following patch
        * https://android-review.googlesource.com/138510
      see also https://code.google.com/p/android/issues/detail?id=181826
      
      3) Dynamic policy update can be used to bypass neverallow protections
      enforced in CTS, by pushing a policy to the device after certification.
      Such an updated policy could bring the device out of compliance or
      deliberately introduce security weaknesses.
      
      Bug: 22885422
      Bug: 8949824
      Change-Id: Id98b5e09d79254816d920b92003efe8dcbe6cd2e
  26. Jul 14, 2015
    • neverallow service_manager / service_manager_type · f2c4e128
      Nick Kralevich authored
      Init never uses / adds service manager services. It doesn't make
      sense to allow these rules to init. Adding a rule of this type
      is typically caused by a process inappropriately running in init's
      SELinux domain, and the warning message:
      
        Warning!  Service %s needs a SELinux domain defined; please fix!
      
      is ignored.
      
      In addition, add neverallow rules to domain.te which prevent
      nonsense SELinux service_manager rules from being added.
      
      Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
  27. Jul 13, 2015
    • Allow domains to read tmpfs symlinks. · 301555e6
      dcashman authored
      Domains have the ability to read normal tmpfs files but not symlinks.
      Grant this ability.  In particular, allow domains to read /mnt/sdcard.
      
      Addresses the following denial:
      type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
      
      (cherry-pick of commit: 2b0b8299)
      
      Bug: 20755029
      Change-Id: Iaa5dc278b34faf33473d3e49f92d8766ae5563c0
    • Allow domains to read tmpfs symlinks. · 2b0b8299
      dcashman authored
      Domains have the ability to read normal tmpfs files but not symlinks.
      Grant this ability.  In particular, allow domains to read /mnt/sdcard.
      
      Addresses the following denial:
      type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
      
      Bug: 20755029
      Change-Id: I0268eb00e0eb43feb2d5bca1723b87b7a44f31a9
  28. Jul 08, 2015
    • neverallow: domain execute data_file_type · 7028bdcc
      William Roberts authored
      
      To help reduce code injection paths, a neverallow is placed
      to prevent domain, sans untrusted_app and shell, execute
      on data_file_type. A few data_file_type's are also exempt
      from this rule as they label files that should be executable.
      
      Additional constraints, on top of the above, are placed on domains
      system_server and zygote. They can only execute data_file_type's
      of type dalvikcache_data_file.
      
      Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
      Signed-off-by: William Roberts <william.c.roberts@intel.com>
  29. Jun 23, 2015
    • neverallow PROT_EXEC stack or heap. · 5328d974
      Stephen Smalley authored
      
      Despite removing these from AOSP policy they seem to still be
      present in device policies.  Prohibit them via neverallow.
      
      We would also like to minimize execmem to only app domains
      and others using ART, but that will first require eliminating it
      from device-specific service domains (which may only have it
      due to prior incorrect handling of text relocations).
      
      Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    • Fix grouper build by allowing mknod in recovery · 9c7570ef
      Jeff Vander Stoep authored
      Change-Id: I2aef01ba72cae028d5e05deddbdeff674f9a534d
    • Allow /dev/klog access, drop mknod and __null__ access · 31d88a70
      Nick Kralevich authored
      Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
      These processes log to the kernel dmesg ring buffer, so they need
      write access to that file.
      
      Addresses the following denials:
      
          avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
          avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
          avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
      
      These denials were triggered by the change in
      https://android-review.googlesource.com/151209 . Prior to that change,
      any code which called klog_init would (unnecessarily) create the
      device node themselves, rather than using the already existing device
      node.
      
      Drop special /dev/__null__ handling from watchdogd. As of
      https://android-review.googlesource.com/148288 , watchdogd no longer
      creates its own /dev/null device, so it's unnecessary for us
      to allow for it.
      
      Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
      only needed mknod to create /dev/__kmsg__, which is now obsolete.
      watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
      which again is now obsolete.
      
      (cherry picked from e2651972)
      
      Bug: 21242418
      Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
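Several of the commits above (4e2d2245, 301555e6, f4d39ca1 and 31d88a70) quote the AVC denial lines that motivated their allow rules. The following Python is an added example, not code from the sepolicy repository: it parses such lines, groups them per (source type, target type, class) the way audit2allow does, and for an ioctl denial also emits the narrower allowxperm rule that the TODO in commit f4d39ca1 describes (5401 is TCGETS). The sample input is copied from the commit messages on this page; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: AVC denial lines quoted in the commit messages on this page
# (commits 4e2d2245, 301555e6, f4d39ca1 and 31d88a70), copied verbatim.
SAMPLE_DENIALS = """\
adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0
avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
"""

DENIAL_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])"
)
# ioctlcmd is logged in hex; 5401 is TCGETS, the isatty() probe from commit f4d39ca1
IOCTL_RE = re.compile(r"ioctlcmd=(?:0x)?([0-9A-Fa-f]+)")


def parse_denials(text):
    """Turn raw log lines into dicts; lines that are not AVC denials are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        ioctl = IOCTL_RE.search(line)
        denials.append({
            "perms": frozenset(m["perms"].split()),
            # u:r:adbd:s0 -> adbd, u:object_r:tmpfs:s0 -> tmpfs (MLS categories ignored)
            "stype": m["scontext"].split(":")[2],
            "ttype": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
            "permissive": m["permissive"] == "1",   # 1 = logged only, not blocked
            "ioctlcmd": int(ioctl.group(1), 16) if ioctl else None,
        })
    return denials


def suggest_rules(denials):
    """Group per (source, target, class) like audit2allow; add allowxperm for ioctls."""
    perms_by_key = defaultdict(set)
    ioctls_by_key = defaultdict(set)
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        perms_by_key[key] |= d["perms"]
        if d["ioctlcmd"] is not None:
            ioctls_by_key[key].add(d["ioctlcmd"])
    rules = []
    for (s, t, c), perms in sorted(perms_by_key.items()):
        rules.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
        for cmd in sorted(ioctls_by_key[(s, t, c)]):
            rules.append(f"allowxperm {s} {t}:{c} ioctl 0x{cmd:04x};")
    return rules
```

As with audit2allow output, each suggested rule is a starting point to review against the neverallow assertions in domain.te, not something to paste into policy unread.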