Change-Id: I55d059cf6b9e13a81545d3d8b8ff86befc89d6b3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Leave the domain permissive initially until it gets more testing.

Change-Id: I9d88d76d1ffdc79a2eff4545d37a9e615482df50
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses the following denials:

<5>[  170.166218] type=1400 audit(1386789488.029:57): avc:  denied  { getattr } for  pid=4352 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166356] type=1400 audit(1386789488.029:58): avc:  denied  { execute } for  pid=4352 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166841] type=1400 audit(1386789488.029:59): avc:  denied  { read open } for  pid=4389 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166962] type=1400 audit(1386789488.029:60): avc:  denied  { execute_no_trans } for  pid=4389 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file

Change-Id: Ic175ef7392897a3941c36db67dfa59ded35204b5

Settings > Developer Options > Profile GPU Rendering was broken,
as it couldn't set a debug.* system property.

In addition, system_app wasn't allowed to access init's property_service socket.

Both fixed.

In addition, allow system_app to write to radio_prop.

Fixes the following denials:

<5>[  170.769658] type=1400 audit(1386722177.029:57): avc:  denied  { write } for  pid=4142 comm="ndroid.settings" name="property_service" dev="tmpfs" ino=7457 scontext=u:r:system_app:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
<4>[  170.770064] avc:  denied  { set } for property=debug.hwui.overdraw scontext=u:r:system_app:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<3>[  170.770148] init: sys_prop: permission denied uid:1000  name:debug.hwui.overdraw

Bug: 12037026
Change-Id: I5e879ab339e68e9e4715266fc8a698ab6ad5756e

Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I4b3dda1d08e8bfc523493f4b8d79a4cc3e7e7787
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /proc/sys/vm/mmap_min_addr with proc_security to prevent
writing it by any domain other than init.  Also remove memprotect
mmap_zero permission from unconfineddomain so that it cannot pass
the SELinux check over mapping low memory.

Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow apps to communicate with each other via pipes.
In particular, this fixes a bug where printing from Chrome wasn't
working.

  STEPS TO REPRODUCE:
  1. Launch Chrome
  2. From menu tap print and observe
        OR
  1. Launch Drive, Select any file (*.txt, *.doc. *.pdf.........)
  2. Select print

Addresses the following denials:

<5>[  122.352797] type=1400 audit(1386363998.374:18): avc:  denied  { write } for  pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248363] type=1400 audit(1386363999.264:19): avc:  denied  { getattr } for  pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248620] type=1400 audit(1386363999.264:20): avc:  denied  { write } for  pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file

Bug: 12032455
Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c

* commit 'fea6e66f':
  Allow kernel domain, not init domain, to set SELinux enforcing mode.

As per the discussion in:
https://android-review.googlesource.com/#/c/71184/



init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '9e8b8d9f':
  Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."

The build is broken. Reverting temporarily to fix breakage.

libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....


This reverts commit bf12e225.

Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85

* commit 'bf12e225':
  Allow kernel domain, not init domain, to set SELinux enforcing mode.

As per the discussion in:
https://android-review.googlesource.com/#/c/71184/



init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '2b392fcc':
  Move lmkd into it's own domain.

* commit '7adb999e':
  Restrict the ability to set usermodehelpers and proc security settings.

lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon
called lmkd.  ActivityManager communicates with this daemon over a
named socket.

This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10

Change-Id: Ib43bc4027e74660f653ec90335741acc792739da
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: If5b7206192cf93d9989b734304db0374429c04d5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Denials seen on hammerhead but seem
appropriate for general policy.

<5>[ 8.339347] type=1400 audit(3731546.390:17): avc: denied { ioctl } for pid=314 comm="rild" path="socket:[7996]" dev="sockfs" ino=7996 scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 8.339065] type=1400 audit(3731546.390:16): avc: denied { create } for pid=314 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 11.232121] type=1400 audit(3731549.289:22): avc: denied { read } for pid=620 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket

Change-Id: Ieaca5360afbb44d5da21c7c24bdd5e7c5758f0a2

This label was originally used for Motorola
Xoom devices. nvmap is the tegra gpu memory
manager and the various nvhost drivers are
for tegra graphics related functionality,
i.e. display serial interface, image signal
processor, or media processing stuff.

Only grouper and tilapia presently need this
policy.

Change-Id: I2a7000f69abf3185724d88d428e8237e0ca436ec

Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I10006f43c142f07168e2ea0f4f5f7af68d03e504
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise sockets that have no specific entry match the /dev(/.*) entry
instead, leaving them in device type rather than socket_device type.
Every socket should get its own entry regardless, but this at least puts
it into a more specific type by default.

Change-Id: I97f7999af7f9f83484d3a51440dda791d3726f1a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I11be7d1713dd7cb35b8046503a09e42567e53d86
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:

<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file

path=/dev/ashmem (deleted)

Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d

* commit '043b9027':
  Confine watchdogd, but leave it permissive for now.