* commit 'a984a9bf':
  file_contexts: Change file_contexts to file_contexts.bin

* commit '05056457':
  adb: add adbd -> shell signal permissions.

Change-Id: I0c17b4e36a14afd24763343c09eaca650ea4cefd

adbd needs to kill spawned subprocesses if the client terminates
the connection. SIGHUP will be used for this purpose, which
requires the process:signal permission.

Bug: http://b/23825725
Change-Id: I36d19e14809350dd6791a8a44f01b2169effbfd4

* commit 'c3712143':
  Allow system_server to bind ping sockets.

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687
Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2

* commit 'b55f10e9':
  Fix perfprofd denial (simpleperf debugfs read).

Bug: http://b/23814810
Change-Id: I731bd70ec982e47b86befb32a9edcb71570e9d64

* commit '59c4aa75':
  auditallow gpu_device execute access

* commit '0243e5cf':
  system_server.te: remove policy load permissions

Remove system server's permission to dynamically update SELinux
policy on the device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: I3c64d64359060561102e1587531836b69cfeef00

* commit '008d7f14':
  Drop the default stanza from mac_permissions.xml

This permission appears to be unnecessary on some (most?) devices such
as the Nexus 5. It should be moved to the device policy if it's truly
required by the driver.

Change-Id: I531dc82ba9030b805db2b596e145be2afb324492

All non matching apps will simply receive the seinfo
label of "default" implicitly. No need to further
clarify things anymore with an explicit default stanza.

Change-Id: Ib7b01ee004775f24db9a69340a31784b967ce030
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

* commit '2cc94205':
  install_recovery: drop toolbox auditallow

Toolbox is definitely used from install_recovery. Addresses
the following denials:

  type=1400 audit(0.0:7): avc: granted { execute } for comm="install-recover" name="toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:6): avc: granted { getattr } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:13): avc: granted { read } for comm="log" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:9): avc: granted { read open } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Change-Id: I51d6e474f34afe1f33ea8294a344aa71e41deead

* commit '72388335':
  sepolicy: Apply dhcpcd sepolicy to dhcpcd-6.8.2

Apply the same sepolicy used on dhcpcd to dhcpcd-6.8.2,
which is have it run with the dhcp context, and have its
data files possess the dhcp_data_file context.

BUG: 22956197
Change-Id: I7915b694038bb309d93691ef5d4d293593ef3b5e

* commit '7af012fc':
  Only allow toolbox exec where /system exec was already allowed.

* commit 'e5c7321e':
  file_contexts: label zram devices

* commit 'aa0d8fef':
  dontaudit su servicemanager:service_manager list

Addresses the following denial:

  avc:  denied  { list } for service=NULL scontext=u:r:su:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Change-Id: I70449b93307378481c986a60ca593eb2fc2de2c5

Since ram devices are labeled in base contexts, also add a label
for devices using zram.

Change-Id: I002baebf40246e78c6f9fb367ac6fb019101cc86
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '4abd409a':
  Relax neverallow rule for loading an updated SELinux policy.

* commit '6d0e9c8f':
  init.te: delete kernel load policy support

Revert the neverallow change portion of
356df327, in case others need to
do dynamic policy updates.

(cherrypicked from commit e827a8ab)

Bug: 22885422
Bug: 8949824
Change-Id: If0745e7f83523377fd19082cfc6b33ef47ca0647

Remove the ability to dynamically update SELinux policy on the
device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

(cherrypicked from commit e827a8ab)

Bug: 22885422
Bug: 8949824
Change-Id: I802cb61fd18a452a2bb71c02fe57cfce5b7e9dc8

* commit '48d98e35':
  system_server: remove old dalvik JIT rules on user/userdebug builds

* commit 'be98d9cf':
  Add /data/local/tmp neverallow rules

On user and userdebug builds, system_server only loads executable
content from /data/dalvik_cache and /system. JITing for system_server
is only supported on eng builds. Remove the rules for user and
userdebug builds.

Going forward, the plan of record is that system_server will never
use JIT functionality, instead using dex2oat or interpreted mode.

Inspired by https://android-review.googlesource.com/98944

Change-Id: I54515acaae4792085869b89f0d21b87c66137510

Add a neverallow rule (compile time assertion) for /data/local/tmp
access. /data/local/tmp is intended entirely for the shell user, and
it's dangerous for other SELinux domains to access it. See, for example,
this commit from 2012:

  https://android.googlesource.com/platform/system/core/+/f3ef1271f225d9f00bb4ebb0573eb3e03829f9a8

Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe

* commit 'acfd140c':
  eliminate some anr_data_file permissions.

* commit 'f4d39ca1':
  allow domain adbd:unix_stream_socket ioctl;

https://android-review.googlesource.com/166419 changed the handling
of non-interactive adb shells to use a socket instead of a PTY.
When the stdin/stdout/stderr socket is received by /system/bin/sh,
the code runs isatty() (ioctl TCGETS) to determine how to handle the
file descriptor. This is denied by SELinux.

Allow it for all domains.

Addresses the following denial:

  avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0

TODO: When kernels are publicly available which support SELinux ioctl
filtering, limit this just to ioctl 5401 (TCGETS) instead of all ioctls.

Bug: 21215503
Change-Id: I5c9394f27b8f198d96df14eac4b0c46ecb9b0898