Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 35e308cf)

The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>

vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

(preemptive cherry-pick of commit: 2f1c7ba7
to avoid merge conflict)

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e

vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e

hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc

For example, for listing vndbinder services
using 'adb shell service -v list'

Test: adb shell service -v list
Bug: 36987120
Change-Id: Ibf3050710720ae4c920bc4807c9a90ba43717f3b

Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea0)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Postinstall testing requires to mount a filesystem and relabel its
files to postinstall_file. While this task will normally be performed
by the update_engine daemon running in a domain of the same name, we
also test this workflow with sample images from /data/nativetest in
eng builds.

This hides the log messages from the 'su' context when mounting and
relabeling a filesystem onto the postinstall mountpoint.

Bug: 27272144
Bug: 26955860
TEST=m; update_engine_unittests pass Postinstall tests.

Change-Id: Id39aa1afdc11a6f59434873e68a53cbcb6ae363f

su is in permissive all the time. We don't want SELinux log
spam from this domain.

Addresses the following logspam:

  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0

The "su" domain is in globally permissive mode on userdebug/eng
builds. No SELinux denials are suppose to be generated when running
under "su".

Get rid of useless SELinux denials coming from su trying to stat
files in /dev/__properties__. For example: "ls -la /dev/__properties__"
as root.

Addresses the following denials:

  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:wc_transport_prop:s0" dev="tmpfs" ino=10597 scontext=u:r:su:s0 tcontext=u:object_r:wc_transport_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qseecomtee_prop:s0" dev="tmpfs" ino=10596 scontext=u:r:su:s0 tcontext=u:object_r:qseecomtee_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:radio_atfwd_prop:s0" dev="tmpfs" ino=10595 scontext=u:r:su:s0 tcontext=u:object_r:radio_atfwd_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=10594 scontext=u:r:su:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:contexthub_prop:s0" dev="tmpfs" ino=10593 scontext=u:r:su:s0 tcontext=u:object_r:contexthub_prop:s0 tclass=file permissive=1

Change-Id: Ief051a107f48c3ba596a31d01cd90fb0f3442a69

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Addresses the following denial:

  avc:  denied  { list } for service=NULL scontext=u:r:su:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Change-Id: I70449b93307378481c986a60ca593eb2fc2de2c5

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

(cherry-pick of commit: eab26faa)

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

Addresses su denials which occur when mounting filesystems not
defined by policy.

Addresses denials similar to:

  avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e

Addresses the following auditallow messages:

  avc: granted { find } for service=accessibility scontext=u:r:su:s0 tcontext=u:object_r:accessibility_service:s0 tclass=service_manager
  avc: granted { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager
  avc: granted { find } for service=package scontext=u:r:su:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager
  avc: granted { find } for service=user scontext=u:r:su:s0 tcontext=u:object_r:user_service:s0 tclass=service_manager
  avc: granted { find } for service=window scontext=u:r:su:s0 tcontext=u:object_r:window_service:s0 tclass=service_manager

Change-Id: Ie58ad3347e9ef1aacd39670cfec7d095875e237b

Without this change, any selinux warning you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.

Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb

The su domain is always permissive, and will always be permissive.
It never makes sense to show su related denials, as they just cause
a false sense of alarm.

Suppress service_manager related denials. For example:

  SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  SELinux : avc:  denied  { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

While I'm here, suppress other recent additionsl to security_classes as
well (keystore_key, debuggerd, drmservice)

Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9

Otherwise the following denial occurs when I3972f846ff5e7363799ba521f1258d662b18d64e
is present and "adb root" is run.

  <6>[   64.507223] type=1400 audit(1411432079.100:471): avc: denied { connectto } for pid=717 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1
  <6>[   64.507617] type=1400 audit(1411432079.100:472): avc: denied { connectto } for pid=1659 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1

Change-Id: I1772912b2ca1446b822303ad6ea3154427f8331f

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45b)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582
Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7

Somehow net_domain(su) showed up twice in internal master.
Delete the duplicate line.

Change-Id: I15c102850946c30c2322d6d4edcf59407d430531

Denials generated from the su domain aren't meaningful security
warnings, and just serve to confuse people. Don't log them.

Change-Id: Id38314d4e7b45062c29bed63df4e50e05e4b131e

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9

Change-Id: Ied6e6eba4895524cf8b442694cc48ef2d6f9a811

Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

Conflicts:
	debuggerd.te

init_shell domain is now only used for shell commands or scripts
invoked by init*.rc files, never for an interactive shell.  It
was being used for console service for a while but console service
is now assigned shell domain via seclabel in init.rc.  We may want
to reconsider the shelldomain rules for init_shell and whether they
are still appropriate.

shell domain is now used by both adb shell and console service, both
of which also run in the shell UID.

su domain is now used not only for /system/bin/su but also for
adbd and its descendants after an adb root is performed.

Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

When adbd runs as root, it transitions into the
su domain. Add the various rules to support this.

This is needed to run the adbd and shell domains in
enforcing on userdebug / eng devices without breaking
developer workflows.

Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6

Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0

Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd

Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245