Change-Id: Ief925f1f49a6579d5a7a1035f3732834238fa590
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

There are continued complaints about not being able to generate
bug reports and surfaceflinger crashes. Move surfaceflinger
out of enforcing until I can resolve this.

Here are some denials I'm seeing. I'm not sure what binder service is
running in the shell domain... Need to do more digging.

nnk@nnk:~/Downloads$ grep "avc: " screenshot_runtime_restart.txt  | grep surfaceflinger
<5>[    5.182699] type=1400 audit(1389111729.860:9): avc:  denied  { search } for  pid=186 comm="surfaceflinger" name="tmp" dev="mmcblk0p28" ino=627090 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[  744.988702] type=1400 audit(1389112469.578:188): avc:  denied  { call } for  pid=596 comm="Binder_3" scontext=u:r:surfaceflinger:s0 tcontext=u:r:shell:s0 tclass=binder

This reverts commit a11c56e1.

Bug: 12416329
Change-Id: I7b72608c760c4087f73047ad751a5bd069fa2ec7

Causing adbd to run at 100% cpu utilization when the following
sequence of commands are run:

1) Run the command "adb shell ping -c 1 -w 5 www.google.com" for 5 times
2) Run "adb shell top -m 5"

The following denial occurs:

<5>[   20.647559] type=1400 audit(1389054327.861:21): avc:  denied  { sigchld } for  pid=1989 comm="adbd" scontext=u:r:ping:s0 tcontext=u:r:adbd:s0 tclass=process

Reverting for now.

This reverts commit 1b556c32.

Bug: 12251052
Change-Id: I1b9920624f49b0aed2226c41a45005aff228d9e8

Too many bugs.

This reverts commit cc964543.

When a bugreport is triggered using the device keys,
it generates a screenshot and places it into
/data/data/com.android.shell/files/bugreports. SELinux is denying
those writes.

Addresses the following denials:

<5> type=1400 audit(1389047451.385:23): avc:  denied  { call } for  pid=267 comm="Binder_1" scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=binder
<5> type=1400 audit(1389046083.780:37): avc:  denied  { write } for  pid=4191 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-06-14-07-35.txt.tmp" dev="mmcblk0p28" ino=81874 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Bug: 12416329
Change-Id: I318145591cda500094d98103d30b784df48a67be

mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[   22.812859] type=1400 audit(1389041093.955:17): avc:  denied  { read } for  pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.813103] type=1400 audit(1389041093.955:18): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.832041] type=1400 audit(1389041093.975:19): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357470] type=1400 audit(1389041123.494:29): avc:  denied  { read } for  pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357717] type=1400 audit(1389041123.494:30): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.382276] type=1400 audit(1389041123.524:31): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
chracter devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074

Allow the bugreport service to create files in
/data/data/com.android.shell/files/bugreports/bugreport .

Addresses the following denials:

<5>[31778.629368] type=1400 audit(1388876199.162:230): avc:  denied  { write } for  pid=19092 comm="dumpstate" name="bugreports" dev="mmcblk0p28" ino=1565709 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[31778.629493] type=1400 audit(1388876199.162:231): avc:  denied  { add_name } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[31778.629622] type=1400 audit(1388876199.162:232): avc:  denied  { create } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[31778.629779] type=1400 audit(1388876199.162:233): avc:  denied  { write open } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[31778.629977] type=1400 audit(1388876199.162:234): avc:  denied  { getattr } for  pid=19092 comm="dumpstate" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I080613e8a2c989a7b50fde914271967a814c4ff4

init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50

Resolves the following denials seen during an adb backup and restore
sequence.

<5>[   90.247039] type=1400 audit(1388759567.693:16): avc:  denied  { getopt } for  pid=3503 comm="Thread-149" scontext=u:r:system_server:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket
<5>[   90.249176] type=1400 audit(1388759567.703:17): avc:  denied  { getopt } for  pid=2334 comm="app_process" scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket

Change-Id: I1f6f90f29eecc32ee692764b04b812988f099cde
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions.  execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains.  Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

execmem permission controls the ability to make an anonymous
mapping executable or to make a private file mapping writable
and executable.  Remove this permission from domain (i.e.
all domains) by default, and add it explicitly to app domains.
It is already allowed in other specific .te files as required.
There may be additional cases in device-specific policy where
it is required for proprietary binaries.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC.  We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc:  denied  { execute } for  pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Will likely want to split into adbd_user.te vs adbd.te before
going enforcing to support adb root and adb remount on non-user builds.
Possibly take all common rules to an adbdcommon.te.

Change-Id: I63040c7f5f0fca10b3df682572c51c05e74738a7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I11b185ff539915174bd2da53bfaa2cad87173008
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This showed up at some point in the past during our own
internal CTS testing but it seems wrong based on the DAC
permissions and a potential way to inject code into apps
from the shell.  Drop it for now and see if it shows up again.
This predates userdebug/eng vs user shell split so possibly
it only happens in the userdebug/eng case.

Change-Id: If8b1e7817f8efecbf68a0ba5fd06328a23a6c6db
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow the shell user to set debug.* properties.
This allows systrace to work on Android.

Allow the shell user to set sys.powerctl, to allow reboots
to work.

Addresses the following denials:

<4>[ 2141.449722] avc:  denied  { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.450820] avc:  denied  { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.506703] avc:  denied  { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.507591] avc:  denied  { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service

Bug: 12231073
Change-Id: Iaba1db06ba287c7d5d10ce287833c57238e03bb6

Allow adb shell to run dumpsys.

Addresses the following denials:

23.720402   type=1400 audit(1387473582.512:12): avc:  denied  { read write } for  pid=1469 comm="dumpsys" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:system_server:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
23.862719   type=1400 audit(1387473582.652:13): avc:  denied  { getattr } for  pid=696 comm="Binder_3" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:system_server:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file

Change-Id: I6c56f9267d769d579514dca3cfde8d5a99170456

When encrypting a device, vold tries to acquire a wake lock,
to prevent the device from sleeping. Add an allow rule.

After booting with a freshly encrypted device, fsck logs data to
/dev/fscklogs/log . Add an allow rule.

Addresses the following denials.

wake lock:

<5>[  372.401015] type=1400 audit(1387488823.195:6): avc:  denied  { read write } for  pid=143 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
<5>[  127.274556] type=1400 audit(1387494536.080:8): avc:  denied  { open } for  pid=140 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file

fsck logging:

<5>[   44.759122] type=1400 audit(1387489522.460:6): avc:  denied  { search } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.559964] type=1400 audit(1387495221.265:6): avc:  denied  { write } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560081] type=1400 audit(1387495221.265:7): avc:  denied  { add_name } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560244] type=1400 audit(1387495221.265:8): avc:  denied  { create } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.560383] type=1400 audit(1387495221.265:9): avc:  denied  { write open } for  pid=132 comm="vold" name="log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.582520] type=1400 audit(1387495221.285:10): avc:  denied  { getattr } for  pid=132 comm="vold" path="/dev/fscklogs/log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file

Change-Id: I09fbe73c9d4955578c16fece4f3b84269eed78b5

I'm only seeing this denial on one device (manta), but it feels like
it should be part of the generic policy. I don't understand
why it's happening on only one device.

Addresses the following denial:

14.711671   type=1400 audit(1387474628.570:6): avc:  denied  { block_suspend } for  pid=533 comm="InputReader" capability=36  scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2

Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47

Change-Id: I1eba1535d650a09ee7640cb7f3664202be4a0a55
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

bluetooth, nfc, radio and shell are not explicitly declared
in installd.te. This prevents applications in those group
from upgrading by "adb install -r".

You can reproduce the issue by following step:
 1. adb pull /system/priv-app/Shell.apk
 2. adb install -r Shell.apk
 3. install failed with the error log blow

[Error in logcat]
E/installd(  338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/com.android.shell-1': Permission denied
E/installd(  338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/Shell': Permission denied

[Error in dmesg]
<5>[  112.053301] type=1400 audit(1387412796.071:10): avc:  denied  { create } for  pid=337 comm="installd" name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=lnk_file

This operation fails only if the app belongs to any of the
groups specified in the commit title.

Change-Id: I7572df9fb6e471fad34f61137f0eeeda4c82659d

Addreseses the following denials:

<5>[  695.383994] type=1400 audit(1387403898.292:55): avc:  denied  { execute } for  pid=5187 comm="dumpstate" name="ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.384727] type=1400 audit(1387403898.292:56): avc:  denied  { read open } for  pid=5187 comm="dumpstate" name="ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.385418] type=1400 audit(1387403898.292:57): avc:  denied  { execute_no_trans } for  pid=5187 comm="dumpstate" path="/system/bin/ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.391978] type=1400 audit(1387403898.302:58): avc:  denied  { create } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.393193] type=1400 audit(1387403898.302:59): avc:  denied  { setopt } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.393753] type=1400 audit(1387403898.302:60): avc:  denied  { getopt } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.394886] type=1400 audit(1387403898.302:61): avc:  denied  { write } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.400693] type=1400 audit(1387403898.312:62): avc:  denied  { read } for  pid=5187 comm="ping" lport=4 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket

Change-Id: If9a790725ec0ba1ca6cb5c9a8ed85288580940e8

Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g.  console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.

Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I184458af1f40de6f1ab99452e76ba586dad1319e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>