am: 0b7506ff

Change-Id: I8093d316ef2f0e5839073b88351bca4eace75b7b

Lock in the gains we've made so far in restricting access to generically
labeled /proc files. There's more we can do here, but let's avoid
inadvertent regressions.

Test: policy compiles. Only compile time assertions added.
Bug: 26813932
Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a

am: 11dc03e5

Change-Id: Ie2c7f871c47d378cc3b8399e174b229439511452

Description stolen from
https://github.com/torvalds/linux/commit/42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec

am: f25e5550

Change-Id: I267d30094daf909158f720fa8e7c501e13a5ccc3

|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.

Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74

am: 5eadcb8c

Change-Id: I79ed60bfb69e16c0e55ff84583e0930a7adf7cb8

am: f2de0752

Change-Id: I198f91d03eb87d3fc707b67d50a9a363d94e066a

urandom_device and random_device have the exact same security
properties. Collapse them into one type.

Test: device boots and /dev/urandom is labeled correctly.
Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41

auditallows have been in place for quite a while now, and nothing has
triggered. Let's do some cleanup!

Bug: 28760354
Test: device boots and no new denials
Test: SELinux denials collection has seen no instances of these
      permissions
Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f

am: dc083f59

Change-Id: I38a2613d04dc0e59dc9e76dff39ab5ae9a024ae4

The other domains either don't have the same backwards compatibility
issues (isolated_app) or are privileged components that are pretty much
part of the platform and can be expected to meet a higher standard.

It would be possible to expose a build option for disabling the ART JIT,
allowing conditional removal of execmem from some of these domains too
(ones not ever using the WebView, until that's always in isolated_app).

Bug: 20013628
Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5

am: 1eb00fb6

Change-Id: Iacfd0778591ebcc34f72c82d4ea4fcc3f7777ce7

am: 3319d5ee

Change-Id: I6cd85d7fb4235cb2adb4eb0f598959cec52108d0

When WITH_DEXPREOPT is set, the zygote does not need to execute
dalvikcache_data_file objects.

Bug: 32970029
Test: Add policy line inside macro, build with and without WITH_DEXPREOPT.
Test: HiKey builds, boots, no zygote denials.
Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb

HAL policy defines how the platform and a given HAL interact, but not how the
HAL is implemented.  This policy should be represented as an attribute that all
processes implementing the HAL can include.

Bug: 32123421
Test: Builds.
Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15

am: b44d2c9b

Change-Id: Ia43d948ce7b31336d90f188b6fb2578832be1fee

This reverts commit 1f329465.

Bug: 32973182
Change-Id: Ic0277b38b0249710a4f1fc362e777f3880ff096b

am: 590d0e24

Change-Id: I79e775df50badaf511d6fedc1cca60e39048b5dc

Test: Device boots
Change-Id: I151c5fb6f56850eaa215e1a917ac9ad609dbdd4a

am: e1df5103

Change-Id: I796889ba9eea3c4496ac581d5da2d383b08465ab

am: c9630dc6

Change-Id: I81c7f5b62ad2b057a586148ff6ce4cc7654be98a

external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started
having dmesg use /dev/kmsg, which is unreadable to the unprivileged
shell user. Revoke syslog(2) to the shell user for consistency.

The kernel dmesg log is a source of kernel pointers, which can leak
kASLR information from the kernel. Restricting access to kernel
information will make attacks against Android more difficult. Having
said that, dmesg information is still available from "adb bugreport", so
this change doesn't completely shutdown kernel info leaks.

This change essentially reverts us to the state we were in between Nov 8
2011 and May 27 2014. During that almost 3 year period, the unprivileged
shell user was unable to access dmesg, and there was only one complaint
during that time.

References:
* https://android.googlesource.com/platform/system/core/+/f9557fb
* https://android.googlesource.com/platform/system/sepolicy/+/f821b5a

TODO: Further unify /dev/kmsg permissions with syslog_read permissions.

Test: policy compiles, no dmesg output
Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f

Grant boot_control_hal permissions to the hal_boot service;
update_engine and update_verifier can call that service rather
than using those permissions themselves.

Bug: 31864052
Test: `bootctl set-active-boot-slot 1`
Change-Id: I5188bc32e7933d4a0f5135b3246df119d3523d69

am: 747c69f4

Change-Id: I780f075beb031516bd4c2ce292c1fd1a2beaa5ac

am: c121735f

Change-Id: I3db269a6629b4f246939acc139e99d274ddd6b81

su is an appdomain, and as such, any auditallow statements applicable to
appdomain also apply to su. However, su is never enforced, so generating
SELinux denials for such domains is pointless. Exclude su from
ion_device auditallow rules.

Addresses the following auditallow spam:

  avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
  ino=10230 ioctlcmd=4906 scontext=u:r:su:s0
  tcontext=u:object_r:ion_device:s0 tclass=chr_file

Test: policy compiles
Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16

Allow isolated apps to read/write/append/lock already open sdcard
file descriptors passed to it by normal app processes. isolated_apps are
used by processes like Google drive when handling untrusted content.

Addresses the following denial:

  audit(0.0:1508): avc: denied { read } for
  path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310
  scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0
  tclass=file permissive=0

This partially reverts the tightening added in
ce4b5eea.

Add a TODO to consider removing isolated_apps ability to write or append
to files on the sdcard. This limits the damage that can occur should the
isolated_app process be compromised.

Bug: 32896414
Test: Policy compiles. Rule add only, so no possibility of breakage.
Change-Id: Ia128569608fc9c872c90e6c380106b7c81eb7b6f

am: 4c7044e0

Change-Id: Ifd25505c9c2f679b5ace565f9b26e681c54572e6

Bug: 29970149
Test: None
Change-Id: I59f49f3bf20d93effde5e1a9a3c1ed64fbecb7a8

am: 41301ab7

Change-Id: Ibf5f1cc6fdd65d35300afaaf73daa963e18baed1

am: 35324445

Change-Id: I204db093f2bc787e6a1a137b9dd4e7b998b1f617