allow reading symlinks in /data and getattr in /system

Change-Id: I8cc9ca056725cf10ebfeef474ebf9c80c5300a73

Let's see if it's safe to get rid of them.

Bug: 25768265
Bug: 25767747
Change-Id: Iaf022b4dafe1cc9eab871c8d7ec5afd3cf20bf96

This allow bspatch to have same perssion as update_engine.

Also added a rule to allow update_engine to execute bspatch.

Bug: 24478450
Test: No more permission deny during delta update.

Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4

Addresses the following denial:

  avc: denied { relabelfrom } for pid=9971 comm="system_server" name="fpdata" dev="dm-0" ino=678683 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Bug: 25801240
Change-Id: I043f48f410505acaee4bb97446945316f656a210

libselinux stats selinuxfs, as does every process that links against
libselinux such as toolbox. grant:
   allow domain selinuxfs:filesystem getattr;

domain is already granted:
   allow domain self:dir r_dir_perms;
   allow domain self:lnk_file r_file_perms;
   allow domain self:{ fifo_file file } rw_file_perms;
To make these possible, also grant:
   allow domain proc:dir search;

Change-Id: Ife6cfa2124c9d61bf908ac89a8444676acdb4259

All apps should have access to the country_detector service.

avc:  denied  { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager

Bug: 25766732
Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f

Don't mix bluetooth rules with bluetoothdomain. The bluetoothdomain
rules are used by several other SELinux domains, not just bluetooth,
and keeping them in the same file is confusing.

Change-Id: I487251ab1c1392467a39c7a87328cdaf802fc1f8

avc:  denied  { find } for service=deviceidle pid=26116 uid=10007 scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:deviceidle_service:s0 tclass=service_manager

Bug: 25734577
Change-Id: I3c955e6df2186ad7adb6b599c5b6b802b8ecd8de

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18

f063f461 marked several zygote.te
rules as "deprecated in M". Now that M is out the door, delete
the obsolete rules.

Change-Id: I7ff8abe8659bbcf7aa0b5c612ce3822a238df8ca

The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).

Bug: 25612377

Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993

Move to domain_deprecated

Bug: 25433265
Change-Id: Ib21876e450d8146ef9363d6430f6c7f00ab0c7f3

979adffd added an auditallow
to see if system_server was relabeling system_data_file.
The auditallow rule hasn't triggered, so remove the allow rule.

a3c97a76 added an auditallow
to see if system_server was executing toolbox. The auditallow
rule hasn't triggered, so remove the allow rule. AFAIK,
system_server never executes ANY file, so further tightening here
is feasible.

Change-Id: Ia0a93f3833e32c3e2c898463bd8813701a6dd20a

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

am: 000b6949

* commit '000b6949':
  Enable permission checking by binderservicedomain.

binderservicedomain services often expose their methods to untrusted
clients and rely on permission checks for access control.  Allow these
services to query the permission service for access decisions.

(cherry-pick of commit: 32d207e0)

Bug: 25282923
Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b

am: 6fc134e3

* commit '6fc134e3':
  audit mtp sync permission

am: e9d261ff

* commit 'e9d261ff':
  Create a new SELinux type for /data/nativetest

1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has it's own special label. This allows us to distinguish
these files from other files in SELinux policy.

2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.

3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.

Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413

Determine if the following rule can be removed:

allow kernel untrusted_app:fd use

Bug: 25331459
Change-Id: I4ef9f376d7fc1d2bdfba69b2fb3e24d49ac136ad

am: 89424bf9

* commit '89424bf9':
  Update text relocation neverallow assertions

1) Don't allow any SELinux domain to attempt to perform a text
relocation on a file from the /system partition. It's not supported
and should never be attempted.

2) Completely block any non-app SELinux domains from using text
relocations, regardless of the source.

Bug: 20013628
Change-Id: I82573398d0d5586264a717a1e400a3dbc7793fe3

am: 59019fd7

* commit '59019fd7':
  Define the i2C device policy

Change-Id: I93d9cfea2f2148bb042d1cb8af3649524ad31034
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>

am: 9ba8ade5

* commit '9ba8ade5':
  Fix MTP sync

Address the following denial:
avc: denied { use } for path="/storage/emulated/0/305512.pdf" dev="fuse"
ino=239 scontext=u:r:kernel:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=fd
permissive=0

Bug: 25068662
Change-Id: Ic29d9569ff387dfd411363db751c3642572c8e85

am: 7b8f9f15

* commit '7b8f9f15':
  audit untrusted_app access to mtp_device

am: 0fc831c3

* commit '0fc831c3':
  Temporarily downgrade to policy version number

android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.

Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4

* commit '1b52ad6b':
  grant priv_app access to /dev/mtp_usb

android.process.media needs access to mtp_usb when MTP is enabled.

Bug: 25074672
Change-Id: Ic48a3ba8e4395104b0b957f7a9bad69f0e5ee38e

* commit 'a910a287':
  Remove untrusted_app access to tmp apk files

Change-Id: I7f17a87595a05967879ccc33326eb80d7bd00251