  1. Apr 06, 2016
  2. Apr 05, 2016
  3. Apr 04, 2016
  4. Apr 01, 2016
  5. Mar 30, 2016
    • init: avoid lengthy allow rules · cf0d7f66
      William Roberts authored
      
      Some of the init allow rules were well past 100 characters and
      were difficult to read. Format them to use the one-per-line
      set subtraction format as seen in other locations within sepolicy.
      
      Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf
      Signed-off-by: William Roberts <william.c.roberts@intel.com>
      cf0d7f66
    • Allow manual /postinstall loopback mounting on debug builds. · fc9e8e25
      Alex Deymo authored
      Postinstall testing requires mounting a filesystem and relabeling its
      files to postinstall_file. While this task will normally be performed
      by the update_engine daemon running in a domain of the same name, we
      also test this workflow with sample images from /data/nativetest in
      eng builds.
      
      This hides the log messages from the 'su' context when mounting and
      relabeling a filesystem onto the postinstall mountpoint.
      
      Bug: 27272144
      Bug: 26955860
      TEST=m; update_engine_unittests pass Postinstall tests.
      
      Change-Id: Id39aa1afdc11a6f59434873e68a53cbcb6ae363f
      fc9e8e25
  6. Mar 29, 2016
  7. Mar 28, 2016
    • refine /data/misc/logd rules · 6937aa93
      Nick Kralevich authored
      Followup to 121f5bfd.
      
      Move misc_logd_file neverallow rule from domain.te to logd.te,
      since the goal of the neverallow rule is to protect logd / logpersist
      files from other processes.
      
      Switch the misc_logd_file neverallow rule from using "rw_file_perms"
      to "no_rw_file_perms". The latter covers more cases of file
      modifications.
      
      Add more neverallow rules covering misc_logd_file directories.
      
      Instead of using not_userdebug_nor_eng(), modify the rules to be
      consistent with other highly constrained file types such as
      keystore_data_file or vold_data_file. See, for example,
      https://android-review.googlesource.com/144768
      
      To see the net effect of this change, you can use the following
      command line:
      
        sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
        out/target/product/bullhead/root/sepolicy
      
      Before this change:
      
        # userdebug builds
        allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
        allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
        allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
        allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
        allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
        allow shell misc_logd_file:dir { search read lock getattr ioctl open };
        allow shell misc_logd_file:file { read lock ioctl open getattr };
      
        # user builds
        allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
        allow init misc_logd_file:file relabelto;
        allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
      
      After this change:
      
        # userdebug builds
        allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
        allow init misc_logd_file:file { relabelto getattr };
        allow init misc_logd_file:lnk_file relabelto;
        allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
        allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
        allow shell misc_logd_file:dir { search read lock getattr ioctl open };
        allow shell misc_logd_file:file { read lock ioctl open getattr };
      
        # user builds
        allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
        allow init misc_logd_file:file { relabelto getattr };
        allow init misc_logd_file:lnk_file relabelto;
      
      Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
      6937aa93
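
Added example (not part of the commit or of the sepolicy project): a short Python script that diffs the "before" and "after" user-build sesearch output quoted in the commit message above and reports which permissions init lost or gained on misc_logd_file. The function names are chosen for this example.

```python
import re

# Rules copied from the "user builds" sesearch output in the commit message above.
BEFORE = """
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file relabelto;
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
"""
AFTER = """
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
"""

# Matches both "allow s t:c { p1 p2 };" and the single-permission form "allow s t:c p;".
RULE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;", re.M)

def parse_rules(text):
    """Map (source, target, class) -> set of permissions, merging duplicate keys."""
    rules = {}
    for src, tgt, cls, perm_set, single in RULE.findall(text):
        perms = set((perm_set or single).split())
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def diff_rules(before, after):
    """Return {key: (removed, added)} for every key whose permissions changed."""
    old, new = parse_rules(before), parse_rules(after)
    changes = {}
    for key in sorted(old.keys() | new.keys()):
        removed = old.get(key, set()) - new.get(key, set())
        added = new.get(key, set()) - old.get(key, set())
        if removed or added:
            changes[key] = (sorted(removed), sorted(added))
    return changes

if __name__ == "__main__":
    for (src, tgt, cls), (removed, added) in diff_rules(BEFORE, AFTER).items():
        print(f"{src} -> {tgt}:{cls}")
        if removed:
            print("  removed:", " ".join(removed))
        if added:
            print("  added:  ", " ".join(added))
```

The same functions work on two full sesearch dumps saved to files, which makes it easy to confirm that a policy change only narrowed access.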
    • Add mlstrustedobject to appfuse object type. · 4d19f98c
      Daichi Hirono authored
      To write bytes to appfuse file from priv_app, we need to specify
      mlstrustedobject.
      The CL fixes the following denial.
      
      type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
      
      BUG=23093747
      
      Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
      4d19f98c
  8. Mar 25, 2016
  9. Mar 24, 2016
    • Move sysfs_thermal to global policy and grant access. · df72abb3
      dcashman authored
      sysfs_thermal nodes are common enough to warrant an entry in global
      policy and the new HardwarePropertiesManagerService exists explicitly to
      expose some of this information.
      
      Address the following denials:
      avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
      avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
      avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
      avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
      
      (cherry-pick of internal commit: 98eff7c3)
      
      Bug: 27809332
      Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f
      df72abb3
    • Add recovery_persist & recovery_refresh · 16fe52c9
      Mark Salyzyn authored
      One time executables. recovery_refresh can be used at any time to
      ensure recovery logs in pmsg are re-placed at the end of the FIFO.
      recovery_persist takes the recovery logs in pmsg and drops them
      into /data/misc/recovery/ directory.
      
      Bug: 27176738
      Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
      16fe52c9
  10. Mar 22, 2016
  11. Mar 21, 2016
  12. Mar 17, 2016
  13. Mar 16, 2016
    • Add /data/lib64, /data/vendor/lib64 to ASan sepolicy. · dda55908
      Evgenii Stepanov authored
      This policy takes effect only when building with
      SANITIZE_TARGET=address and allows the Zygote to load libraries from
      /data. That's where ASan-instrumented copies of system libraries are
      located. 32-bit library directories have been added a while back;
      this CL extends the same policy to 64-bit directories.
      
      Bug: 25751174
      
      Change-Id: Ieb4701b78db9649ec8563f2962a69db537ae61b3
      dda55908
  14. Mar 14, 2016
    • Mark batteryproperties service as app_api_service. · 9ed71eff
      dcashman authored
      Applications do not explicitly request handles to the batteryproperties
      service, but the BatteryManager obtains a reference to it and uses it
      for its underlying property queries.  Mark it as an app_api_service so
      that all applications may use this API.  Also remove the batterypropreg
      service label, as this does not appear to be used and may have been a
      duplication of batteryproperties.  As a result, remove the
      healthd_service type and replace it with a more specific
      batteryproperties_service type.
      
      Bug: 27442760
      Change-Id: I5c0f9d7992ff2ec64adaeef22356e88fd0e8169c
      9ed71eff
    • Create sysfs_hwrandom type. · f100b2c4
      dcashman authored
      HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
      does not have access to sysfs.  Give these files their own label and
      allow the needed read access.
      
      (cherry-pick from internal commit: 85c0f8af)
      
      Bug: 27263241
      Change-Id: If572ad0931a534d76e148b688b76687460e99af9
      f100b2c4
  15. Mar 11, 2016
  16. Mar 10, 2016
    • Allow domains to getattr proc lnk_file. · f4c403d1
      dcashman authored
      Many permissions were removed from untrusted_app by the removal of
      domain_deprecated, including procfs access. procfs file access was restored,
      however, but not completely.  Add the ability to getattr to all domains,
      so that other domains which lost domain_deprecated may benefit, as they
      will likely need it.
      
      Bug: 27249037
      Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be
      f4c403d1
    • Merge "Allow debuggerd to send SIGKILL." · 07e6b041
      Josh Gao authored
      07e6b041
  17. Mar 09, 2016
  18. Mar 07, 2016
  19. Mar 04, 2016
  20. Mar 03, 2016
    • Update netlink socket classes. · d27df960
      Stephen Smalley authored
      am: 01d95c23
      
      * commit '01d95c23':
        Update netlink socket classes.
      d27df960
    • Update netlink socket classes. · 01d95c23
      Stephen Smalley authored
      
      Define new netlink socket security classes introduced by upstream kernel commit
      6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
      classes").  This was merged in Linux 4.2 and is therefore only required
      for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
      of the kernel/common tree).
      
      Add the new socket classes to socket_class_set.
      Add an initial set of allow rules although further refinement
      will likely be necessary.  Any allow rule previously written
      on :netlink_socket may need to be rewritten or duplicated for
      one or more of the more specific classes.  For now, we retain
      the existing :netlink_socket rules for compatibility on older kernels.
      
      Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      01d95c23