Neither mediaserver nor system_server appear to require
direct access to graphics_device, i.e. the framebuffer
device.  Drop it.

Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Address denials such as:
 avc:  denied  { read } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { open } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { getattr } for  path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { read } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { open } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file

Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Address recent installd denials resulting from the recent
tightening of installd access to /data file types, including:
 avc:  denied  { unlink } for  name="._playmusicid" dev="mmcblk0p30" ino=1038393 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
 avc:  denied  { search } for  pid=195 comm="installd" name="app-asec" dev="mmcblk0p28" ino=578225 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=dir

Change-Id: I957738139678699949da9ad09d3bddb91605f8cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Too many leaky files in that directory. It's a security best practice
to not mount this filesystem, however, we need it mounted for
tracing support. Even though it's mounted, make sure the files aren't
readable.

Bug: 11635985
Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd

Change-Id: If6b85fbb2332f7a03b603f2d46bd2f73c778ecf9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc:  denied  { read write } for  path="socket:[33571]" dev="sockfs" ino=33571 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=unix_dgram_socket

Change-Id: Icb1ee00d8513179039bfb738647f49480e836f25
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
 avc:  denied  { getattr } for  path="pipe:[167684]" dev="pipefs" ino=167684 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file

Change-Id: I1120c8b130a592e40992c5233650345640a23a87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Drop rules on data_file_type attribute and replace with rules
on specific types under /data.

Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

I didn't fix unpublished denials before switching this into enforcing. Need to revert.

This reverts commit ae505511.

Bug: 14844424
Change-Id: I01408b77a67ad43a8fb20be213d3ffbace658616

Kernel userspace helpers may be spawned running in the kernel
SELinux domain. Those userspace helpers shouldn't be able to turn
SELinux off.

This change revisits the discussion in
https://android-review.googlesource.com/#/c/71184/

At the time, we were debating whether or not to have an allow rule,
or a dontaudit rule. Both have the same effect, as at the time we
switch to enforcing mode, the kernel is in permissive and the operation
will be allowed.

Change-Id: If335a5cf619125806c700780fcf91f8602083824

Report any attempts by zygote to create/write files in system_data_file
so that we can ultimately move any such cases to their own type
and reduce this to read-only access.

Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

installd creates /data/.layout_version.  Introduce a separate type
for this file (and any other file created by installd under a directory
labeled system_data_file) so that we can allow create/write access by
installd without allowing it to any system data files created by other
processes.  This prevents installd from overwriting other system data
files, and ensure that any files it creates will require explicit
rules in order to access.

Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I29202292a78f0d2ae3b5da235c1783298f14bed8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ib4b4ebda74a9ebf08f38d73521d67bf98cd0ee67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ib4cbaee280628845d026e827d7e16f347594fc26
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Drop rules on data_file_type attribute and replace with
rules on specific types, coalescing with existing rules
where appropriate.  Reorganize the rules and try to
annotate the reason for the different rules.

Change-Id: I2d07e7c276a9c29677f67db0ebecfc537c084965
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

91a4f8d4 created system_app_data_file,
and assigned all system_apps to use this file type. For testing purposes,
our automated testing infrastructure sideloads shared system UID apks.
Installd does not have permission to create the lib symlink, so the
installation fails.

Allow installd to create this symlink.

  repro:
  adb install AppLaunch.apk
  276 KB/s (8414 bytes in 0.029s)
         pkg: /data/local/tmp/AppLaunch.apk
  Failure [INSTALL_FAILED_INTERNAL_ERROR]

  logcat:
  05-08 23:16:36.336   605   637 I PackageManager: Copying native libraries to /data/app-lib/vmdl609237490
  05-08 23:16:36.338   605   637 W asset   : Installing empty resources in to table 0x5e89a368
  05-08 23:16:36.359   193   193 W installd: type=1400 audit(0.0:29): avc:  denied  { create } for  name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file
  05-08 23:16:36.363   193   193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied
  05-08 23:16:36.364   605   637 W PackageManager: Failed linking native library dir (user=0)
  05-08 23:16:36.364   605   637 W PackageManager: Package couldn't be installed in /data/app/com.android.tests.applaunch-1.apk

Bug: 14659632
Change-Id: Iac4890302cd070aa3f71553af217f343ed7b8bc3

Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf

As per the discussion in:
https://android-review.googlesource.com/#/c/92903/



Add sysfs_type attribute to sysfs type so that it is included
in rules on sysfs_type, allow setattr to all sysfs_type for ueventd
for chown/chmod, and get rid of redundant rules.

Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Should no longer be required due to restorecon_recursive of /data
by init.rc (covers everything outside of /data/data) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).

Move the neverallow rule on relabelto to the neverallow section.
We could potentially drop this altogether, along with the relabelto_domain
macro and its callers, since its motivation was to provide some
safeguard in spite of allowing relabelfrom to unlabeled files for
all domains and this change removes relabelfrom.

unconfined still retains rw access to unlabeled, as do specific domains
that are explicitly allowed it.

Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Should no longer be required due to restorecon_recursive of /data
by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).

Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

ADF is a modern replacement for fbdev.

ADF's device nodes (/dev/adf[X]), interface nodes
(/dev/adf-interface[X].[Y]), and overlay engine nodes
(/dev/adf-overlay-engine[X].[Y]) are collectively used in similar
contexts as fbdev nodes.  Vendor HW composers (via SurfaceFlinger) and
healthd will need to send R/W ioctls to these nodes to prepare and
update the display.

Ordinary apps should not talk to ADF directly.

Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>

Not sure what denial originally motivated adding this
access, but drop it and see if it resurfaces.  platform_app
is still permissive_or_unconfined() so this should not break
anything.

Change-Id: Ia4418080e3477346fa48d23b4bb5d53396ed5593
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

See if we can remove these allow rules by auditing any granting
of these permissions.  These rules may be a legacy of older Android
or some board where the gpu device lived under /dev/graphics too.

Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise it is treated as a regex and matches any character.

Change-Id: I9e23f01b0e104d3ef57993fd1a3d9a5b13201910
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Commit 3fbc536d allowed untrusted
app to read radio data files passed via binder, but didn't allow
write access. Write access is needed when sending MMS messages.

Steps to reproduce:
1) have some photos on the device
2) Launch messaging app
3) Attach a MMS (Picture, capture video, capture picture, audio recording etc..)
4) Send

EXPECTED RESULTS:
No crash

OBSERVED RESULTS:
- Messaging crashes on sending MMS
- messages are stuck in sending state

Additional details:
  05-05 10:14:01.196  2457  2457 W Binder_3: type=1400 audit(0.0:20): avc:  denied  { write } for  path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
  05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!
  05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream.
  05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:674)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:650)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at android.content.ContentUris.parseId(ContentUris.java:85)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.222   659  5253 W ActivityManager:   Force finishing activity com.android.mms/.ui.ComposeMessageActivity

Bug: 14562421
Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9