<5>[  216.710405] type=1400 audit(1392934645.702:17): avc:  denied  { use } for  pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fd

<5>[  216.710553] type=1400 audit(1392934645.702:18): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket

<5>[  216.710727] type=1400 audit(1392934645.702:19): avc:  denied  { read } for  pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file

<5>[  216.710872] type=1400 audit(1392934645.702:20): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[8214]" dev="sockfs" ino=8214 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket

<5>[  216.711037] type=1400 audit(1392934645.702:21): avc:  denied  { write } for  pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file

<5>[  216.711208] type=1400 audit(1392934645.702:22): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9370]" dev="sockfs" ino=9370 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket

<5>[  216.711334] type=1400 audit(1392934645.702:23): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9372]" dev="sockfs" ino=9372 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_nflog_socket

<5>[  216.711513] type=1400 audit(1392934645.702:24): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[11078]" dev="sockfs" ino=11078 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=udp_socket

<5>[  216.713390] type=1400 audit(1392934645.702:25): avc:  denied  { dac_override } for  pid=2273 comm="clatd" capability=1 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[  216.713528] type=1400 audit(1392934645.702:26): avc:  denied  { read write } for  pid=2273 comm="clatd" name="tun" dev="tmpfs" ino=6127 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[  314.513898] type=1400 audit(1392934743.501:42): avc:  denied  { setopt } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.514482] type=1400 audit(1392934743.501:43): avc:  denied  { getattr } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.515196] type=1400 audit(1392934743.501:44): avc:  denied  { write } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.516077] type=1400 audit(1392934743.501:45): avc:  denied  { connect } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[ 22.257024] type=1400 audit(1393016186.443:12): avc: denied { open } for pid=1934 comm="clatd" name="tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[ 22.257274] type=1400 audit(1393016186.443:13): avc: denied { net_admin } for pid=1934 comm="clatd" capability=12 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.257445] type=1400 audit(1393016186.443:14): avc: denied { write } for pid=1934 comm="clatd" name="forwarding" dev="proc" ino=10684 scontext=u:r:clatd:s0 tcontext=u:object_r:proc_net:s0 tclass=file

<5>[ 22.257618] type=1400 audit(1393016186.443:15): avc: denied { setgid } for pid=1934 comm="clatd" capability=6 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.257753] type=1400 audit(1393016186.443:16): avc: denied { setuid } for pid=1934 comm="clatd" capability=7 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.385005] type=1400 audit(1393016186.573:17): avc: denied { ioctl } for pid=1934 comm="clatd" path="/dev/tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[ 22.385269] type=1400 audit(1393016186.573:18): avc: denied { create } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=tun_socket

<5>[ 22.388955] type=1400 audit(1393016186.573:19): avc: denied { nlmsg_write } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

Change-Id: Ic760597df1aa4b33b3cb6e9a504dbcbd6f5d0116
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Per https://android-review.googlesource.com/82814 , uncrypt
needs to be able to read shell_data_files on userdebug / eng
builds. Allow it.

Bug: 13083922
Change-Id: I72299673bb5e36be79413227105b5cad006d504f

Change-Id: If4de8d3515727c0b2f95c88c1125410d9894a9ba
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Add initial support for uncrypt, started via the
pre-recovery service in init.rc. On an encrypted device,
uncrypt reads an OTA zip file on /data, opens the underlying
block device, and writes the unencrypted blocks on top of the
encrypted blocks. This allows recovery, which can't normally
read encrypted partitions, to reconstruct the OTA image and apply
the update as normal.

Add an exception to the neverallow rule for sys_rawio. This is
needed to support writing to the raw block device.

Add an exception to the neverallow rule for unlabeled block devices.
The underlying block device for /data varies between devices
within the same family (for example, "flo" vs "deb"), and the existing
per-device file_context labeling isn't sufficient to cover these
differences. Until I can resolve this problem, allow access to any
block devices.

Bug: 13083922
Change-Id: I7cd4c3493c151e682866fe4645c488b464322379

Addresses the following denial / error:

E/lowmemorykiller(  187): Error writing /proc/1148/oom_adj; errno=13

[  118.264668] type=1400 audit(947231128.209:140): avc:  denied { sys_resource } for  pid=187 comm="lmkd" capability=24 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

Change-Id: Ief2a7ead9cdd8a33e3add111ee99f7a29c12a3f2

Extend check_seapp to accept the use of the new path= specifier
in seapp_contexts and use it to ensure proper labeling of the cache
subdirectory of com.android.providers.downloads for restorecon.

After this change, restorecon /data/data/com.android.providers.downloads/cache
does not change the context, leaving it in download_file rather than
relabeling it to platform_app_data_file.

Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.

Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/data/data subdirectories are labeled by installd at creation time
based on seapp_contexts, not based on file_contexts, so we do not
need the /data/data/.* entry, and the wallpaper file was moved from
under com.android.settings/files to /data/system/users/N long ago so we can
delete the old entry for it.

Change-Id: I32af6813ff284e8fe9fd4867df482a642c728755
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

Should resolve b/13060688 - emulator writes to /storage/sdcard failing.

Change-Id: I9f00d9dfcd1c4f84c2320628257beca71abf170b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I4cd33a296de0d0597aa6166aa1be48f1b0b52129

dhcpcd opens a raw ip socket in ipv6rs_open() to use ICMPv6.  This
facility should be available for all devices which have a need to
use it.

Addresses the following denials:
<5>[   42.699877] type=1400 audit(1392332560.306:8): avc:  denied  { create } for  pid=983 comm="dhcpcd" scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[   42.699993] type=1400 audit(1392332560.306:9): avc:  denied  { setopt } for  pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[   42.732208] type=1400 audit(1392332560.338:10): avc:  denied  { write } for  pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket

Bug: 12473306
Change-Id: Iee57a0cb4c2d2085a24d4b5fb23a5488f0fd3e03

Start enforcing SELinux rules for lmkd. Security policy
violations will return an error instead of being allowed.

Change-Id: I2bad2c2094d93ebbcb8ccc4b7f3369419004a3f0

* Allow writes to /proc/PID/oom_score_adj
* Allow writes to /sys/module/lowmemorykiller/*

Addresses the following denials:
<5>[    3.825371] type=1400 audit(9781555.430:5): avc:  denied  { write } for  pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[   48.874747] type=1400 audit(9781600.639:16): avc:  denied  { search } for  pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir
<5>[   48.874889] type=1400 audit(9781600.639:17): avc:  denied  { dac_override } for  pid=176 comm="lmkd" capability=1  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
<5>[   48.874982] type=1400 audit(9781600.639:18): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[   48.875075] type=1400 audit(9781600.639:19): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[   49.409231] type=1400 audit(9781601.169:20): avc:  denied  { write } for  pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  209.081990] type=1400 audit(9781760.839:24): avc:  denied  { search } for  pid=176 comm="lmkd" name="1556" dev="proc" ino=10961 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=dir
<5>[  209.082240] type=1400 audit(9781760.839:25): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[  209.082498] type=1400 audit(9781760.839:26): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[  209.119673] type=1400 audit(9781760.879:27): avc:  denied  { search } for  pid=176 comm="lmkd" name="1577" dev="proc" ino=12708 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=dir
<5>[  209.119937] type=1400 audit(9781760.879:28): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[  209.120105] type=1400 audit(9781760.879:29): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[  209.235597] type=1400 audit(9781760.999:30): avc:  denied  { search } for  pid=176 comm="lmkd" name="1600" dev="proc" ino=11659 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[  209.235798] type=1400 audit(9781760.999:31): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  209.236006] type=1400 audit(9781760.999:32): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  214.297283] type=1400 audit(9781766.059:64): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[  214.297415] type=1400 audit(9781766.059:65): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[  214.355060] type=1400 audit(9781766.119:66): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[  214.355236] type=1400 audit(9781766.119:67): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[  214.516920] type=1400 audit(9781766.279:68): avc:  denied  { search } for  pid=176 comm="lmkd" name="1907" dev="proc" ino=11742 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=dir
<5>[  214.678861] type=1400 audit(9781766.439:69): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[  214.678992] type=1400 audit(9781766.439:70): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[  214.708284] type=1400 audit(9781766.469:71): avc:  denied  { search } for  pid=176 comm="lmkd" name="1765" dev="proc" ino=12851 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[  214.708435] type=1400 audit(9781766.469:72): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  214.708648] type=1400 audit(9781766.469:73): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file

Change-Id: Ie3c1ab8ce9e77742d0cc3c73f40010afd018ccd4

Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.

Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Change I9e35cc93abf89ce3594860aa3193f84a3b42ea6e changed the type
on /data/misc/wifi/sockets to wpa_socket and change
I51b09c5e40946673a38732ea9f601b2d047d3b62 fixed the type on existing
devices.  Consequently hostapd now needs access to wpa_socket dir
and sock_file.

Change-Id: I58f552b3cd55821f57e6ef33ebe6bb8587e7b3fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  clatd does exist in AOSP
and is built by default, and is started via netd.

Change-Id: Iee6e0845fad7647962d73cb6d047f27924fa799a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add rules from our policy.

Change-Id: I86f07f54c5120c511f9cab2877cf765c3ae7c1a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add rules from our policy.

Change-Id: I096025c1820f0b51f1abdf249c744cba387e0a65
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add rules from our policy.

Change-Id: I6f552538cc4f6b28b2883aa74832230944cbdb7a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add allow rules from our policy.

Change-Id: Id480eb7c8cd4e5544a1ec46cb39a55abc653ddb9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>