Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc

Also allow shell getattr access to the tracing file. That way
"ls -la" returns something meaningful.

Bug: 26217098
Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.

Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f

The removal of domain_deprecated from the shell user in
https://android-review.googlesource.com/184260 removed /proc/net access.
Restore it.

Bug: 26075092
Change-Id: Iac21a1ec4b9e769c068bfdcdeeef8a7dbc93c593

Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d

- Add a new 'dumpstate' context for system properties. This context
  will be used to share state between dumpstate and Shell. For example,
  as dumpstate progresses, it will update a system property, which Shell
  will use to display the progress in the UI as a system
  notification. The user could also rename the bugreport file, in which
  case Shell would use another system property to communicate such
  change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
  notification can be used to stop dumpstate.

BUG: 25794470

Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895

Certain tests depend on the ability to examine directories
in /system. Allow it to the shell user.

Addresses the following denials:

  avc: denied { read } for name="egl" dev="dm-1" ino=104 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26020967
Bug: 26023420
Change-Id: I509d921e159e99164c85fae9e8b2982a47573d14

Allow pulling the currently running SELinux policy for CTS.

Change-Id: I82ec03724a8e5773b3b693c4f39cc7b5c3ae4516

domain_deprecated.

BUG: 25965160
Change-Id: I586d082ef5fe49079cb0c4056f8e7b34fae48c03

Allow directory reads to allow tab completion in rootfs to work.

"pm" is crashing due to failure to access /data/dalvik-cache. Add
back in the permissions from domain_deprecated.

Allow /sdcard to work again.

Bug: 25954400
Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73

The extra permissions are not needed. Delete them.

This change also adds read permission for /data/misc/zoneinfo
back to all domains. libc refernces this directory for timezone
related files, and it feels dangerous and of little value to
try to restrict access. In particular, this causes problems when the
shell user attempts to run "ls -la" to show file time stamps in
the correct timezone.

Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has it's own special label. This allows us to distinguish
these files from other files in SELinux policy.

2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.

3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.

Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413

Allow the non-privileged adb shell user to run strace. Without
this patch, the command "strace /system/bin/ls" fails with the
following error:

  shell@android:/ $ strace /system/bin/ls
  strace: ptrace(PTRACE_TRACEME, ...): Permission denied
  +++ exited with 1 +++

Change-Id: I207fe0f71941bff55dbeb6fe130e636418f333ee

For userdebug and eng builds enforce that:

 - only logd and shell domains may access logd files

 - logd is only allowed to write to /data/misc/logd

Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This CL adds the SELinux settings required to support tracing
during boot.
https://android-review.googlesource.com/#/c/157163/

BUG: 21739901
Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

(cherry-pick of commit: eab26faa)

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

(cherry pick from commit 0d22c6ce)

- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5

- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e

Apps, shell and adbd should all have identical access to external
storage.  Also document where we have files and/or symlinks.

Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe

Change-Id: Ia279dfd11cc093e066bff66d7397dfe9e906aba8

avc: denied { read } for name="primary" dev="tmpfs" ino=3134 scontext=u:r:shell:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file

Change-Id: Id0ed2297a89054199fc73f27b18f717ae19c6778

Needed since Iff1e601e1268d4d77f64788d733789a2d2cd18cc removed it
from appdomain.

Change-Id: I9fc08b525b9868f0fb703b99b0c0c17ca8b656f9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602

allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>

dumpsys from shell results in many denials:
11-08 02:52:13.087   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.089   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.093   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.103   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.104   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.118   171   171 E SELinux : avc:  denied  { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
11-08 02:52:13.130   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.379   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.388   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.574   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.576   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Bug: 18799966
Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc

Grant shell read access to /proc taken away by
commit: 0d3f7ddc

Addresses the following denials encountered when running ps or top.

Bug: 18799966
Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

Used to record the Android log messages, then on reboot
provide a means to triage user-space actitivies leading
up to a panic. A companion to the pstore console logs.

Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f

Addresses the following denials:
avc:  denied  { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
avc:  denied  { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Bug: 18864737
Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4

Shell domain needs to be able to access system_server_services, e.g.
when running the pm command. Addresses the following denials:

10-07 00:59:26.901   178   178 E SELinux : avc:  denied  { find } for service=user scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
10-07 00:59:26.903   178   178 E SELinux : avc:  denied  { find } for service=package scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

Change-Id: I4cc2f31809a2615ba781e2ecfe2ca7d6f5226b73

Bug: 18485243

(cherry picked from commit fc6214bf)

Change-Id: I1b9e2705383bd0a3bae75b35906110e490f8785d

Bug: 18485243
Change-Id: Ic17baa0767ee1f1a27a3338558b86482ca92765e

As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>