- May 12, 2014
-
-
Nick Kralevich authored
Kernel userspace helpers may be spawned running in the kernel SELinux domain. Those userspace helpers shouldn't be able to turn SELinux off. This change revisits the discussion in https://android-review.googlesource.com/#/c/71184/ At the time, we were debating whether or not to have an allow rule, or a dontaudit rule. Both have the same effect, as at the time we switch to enforcing mode, the kernel is in permissive and the operation will be allowed.
Change-Id: If335a5cf619125806c700780fcf91f8602083824
-
Stephen Smalley authored
Report any attempts by zygote to create/write files in system_data_file so that we can ultimately move any such cases to their own type and reduce this to read-only access.
Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: I29202292a78f0d2ae3b5da235c1783298f14bed8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- May 10, 2014
-
-
Stephen Smalley authored
Change-Id: Ib4b4ebda74a9ebf08f38d73521d67bf98cd0ee67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: Ib4cbaee280628845d026e827d7e16f347594fc26
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- May 09, 2014
-
-
Stephen Smalley authored
Drop rules on data_file_type attribute and replace with rules on specific types, coalescing with existing rules where appropriate. Reorganize the rules and try to annotate the reason for the different rules.
Change-Id: I2d07e7c276a9c29677f67db0ebecfc537c084965
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
This was originally to limit the ability to relabel files to particular types given the ability of all domains to relabelfrom unlabeled files. Since the latter was removed by Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
91a4f8d4 created system_app_data_file, and assigned all system_apps to use this file type. For testing purposes, our automated testing infrastructure sideloads shared system UID apks. Installd does not have permission to create the lib symlink, so the installation fails. Allow installd to create this symlink.
repro:
adb install AppLaunch.apk
276 KB/s (8414 bytes in 0.029s)
pkg: /data/local/tmp/AppLaunch.apk
Failure [INSTALL_FAILED_INTERNAL_ERROR]
logcat:
05-08 23:16:36.336 605 637 I PackageManager: Copying native libraries to /data/app-lib/vmdl609237490
05-08 23:16:36.338 605 637 W asset : Installing empty resources in to table 0x5e89a368
05-08 23:16:36.359 193 193 W installd: type=1400 audit(0.0:29): avc: denied { create } for name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file
05-08 23:16:36.363 193 193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied
05-08 23:16:36.364 605 637 W PackageManager: Failed linking native library dir (user=0)
05-08 23:16:36.364 605 637 W PackageManager: Package couldn't be installed in /data/app/com.android.tests.applaunch-1.apk
Bug: 14659632
Change-Id: Iac4890302cd070aa3f71553af217f343ed7b8bc3
-
Nick Kralevich authored
Only keystore itself should be reading / writing its files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory.
Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
-
- May 08, 2014
-
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Stephen Smalley authored
As per the discussion in: https://android-review.googlesource.com/#/c/92903/ Add sysfs_type attribute to sysfs type so that it is included in rules on sysfs_type, allow setattr to all sysfs_type for ueventd for chown/chmod, and get rid of redundant rules.
Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Should no longer be required due to restorecon_recursive of /data by init.rc (covers everything outside of /data/data) and due to restorecon_recursive of /data/data by installd (covers /data/data directories).
Move the neverallow rule on relabelto to the neverallow section. We could potentially drop this altogether, along with the relabelto_domain macro and its callers, since its motivation was to provide some safeguard in spite of allowing relabelfrom to unlabeled files for all domains and this change removes relabelfrom. unconfined still retains rw access to unlabeled, as do specific domains that are explicitly allowed it.
Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Should no longer be required due to restorecon_recursive of /data by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to restorecon_recursive of /data/data by installd (covers /data/data directories).
Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- May 07, 2014
-
-
Greg Hackmann authored
ADF is a modern replacement for fbdev. ADF's device nodes (/dev/adf[X]), interface nodes (/dev/adf-interface[X].[Y]), and overlay engine nodes (/dev/adf-overlay-engine[X].[Y]) are collectively used in similar contexts as fbdev nodes. Vendor HW composers (via SurfaceFlinger) and healthd will need to send R/W ioctls to these nodes to prepare and update the display. Ordinary apps should not talk to ADF directly.
Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>
-
Stephen Smalley authored
Not sure what denial originally motivated adding this access, but drop it and see if it resurfaces. platform_app is still permissive_or_unconfined() so this should not break anything.
Change-Id: Ia4418080e3477346fa48d23b4bb5d53396ed5593
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
See if we can remove these allow rules by auditing any granting of these permissions. These rules may be a legacy of older Android or some board where the gpu device lived under /dev/graphics too.
Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories.
This resolves the following denial when cropping or taking a user photo for secondary users:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- May 05, 2014
-
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Stephen Smalley authored
Otherwise it is treated as a regex and matches any character.
Change-Id: I9e23f01b0e104d3ef57993fd1a3d9a5b13201910
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
Commit 3fbc536d allowed untrusted app to read radio data files passed via binder, but didn't allow write access. Write access is needed when sending MMS messages.
Steps to reproduce:
1) have some photos on the device
2) Launch messaging app
3) Attach an MMS (Picture, capture video, capture picture, audio recording etc..)
4) Send
EXPECTED RESULTS: No crash
OBSERVED RESULTS:
- Messaging crashes on sending MMS
- messages are stuck in sending state
Additional details:
05-05 10:14:01.196 2457 2457 W Binder_3: type=1400 audit(0.0:20): avc: denied { write } for path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!
05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream.
05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966)
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:674)
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:650)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
05-05 10:14:01.203 27809 28219 E PduPersister: at java.lang.Thread.run(Thread.java:818)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS
05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809
05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at android.content.ContentUris.parseId(ContentUris.java:85)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at java.lang.Thread.run(Thread.java:818)
05-05 10:14:01.222 659 5253 W ActivityManager: Force finishing activity com.android.mms/.ui.ComposeMessageActivity
Bug: 14562421
Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9
-
dcashman authored
-
- May 03, 2014
-
-
dcashman authored
specifycapabilities is no longer specified by the zygote userspace manager. It was removed in commit: 42a4bb5730266f80585e67262c73505d0bfffbf8. Remove this permission from policy.
Change-Id: I866a25b590a375a68de6eec9af1b3ef779889985
-
- May 02, 2014
-
-
Sreeram Ramachandran authored
Change-Id: Ied6e6eba4895524cf8b442694cc48ef2d6f9a811
-
- May 01, 2014
-
-
Ruchi Kandoi authored
Need this for changing max_cpufreq for the low power mode.
Denials:
type=1400 audit(1398818907.151:48): avc: denied { relabelfrom } for pid=129 comm="ueventd" name="scaling_max_freq" dev="sysfs" ino=19866 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
type=1400 audit(118521.050:11): avc: denied { setattr } for pid=130 comm="ueventd" name="scaling_min_freq" dev="sysfs" ino=9178 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
Change required for Change-Id: Ibe0b4aaf3db555ed48e89a7fcd0c5fd3a18cf233
Change-Id: I93feee65b1535ac048acf3bc7fba9f5d1bdb2bd2
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
-
Stephen Smalley authored
Change-Id: I4811da972f7e23ef86e04d05400169422fbaca35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Narayan Kamath authored
-
Narayan Kamath authored
Allow the zygote to create instruction set specific directories under /data/dalvik-cache and to change their owner to the system UID. These subdirectories are required in order to support instruction set specific dex caches on devices that support multiple instruction sets.
We can't ask init to create these directories for us, because init doesn't have any knowledge about the list of runtime instruction sets the device supports. The owner needs to be system because the package manager (running in the system_server) is allowed to manipulate files under this directory.
(cherry picked from commit 032e5b0a)
Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361
-
- Apr 30, 2014
-
-
Nick Kralevich authored
Developers should be able to use systrace with user builds. This requires read access to /sys/kernel/debug/tracing/trace, otherwise the following error occurs:
$ atrace
capturing trace... done
TRACE: error opening /sys/kernel/debug/tracing/trace: Permission denied (13)
with the following SELinux denial:
<4>[ 79.830542] type=1400 audit(11940551.039:8): avc: denied { read } for pid=1156 comm="atrace" name="trace" dev="debugfs" ino=3024 scontext=u:r:shell:s0 tcontext=u:object_r:debugfs:s0 tclass=file
At least on the kernel I've tested this on, debugfs doesn't support setting SELinux file labels. Grant read access to all of debugfs to work around this limitation.
Bug: 13904660
Change-Id: Ib58e98972c5012e9b34fec9e0a6094641638cd9a
-
- Apr 26, 2014
-
-
Jeff Sharkey authored
avc: denied { search } for pid=118 comm="installd" name="/" dev="mmcblk0p12" ino=2 scontext=u:r:installd:s0 tcontext=u:object_r:oemfs:s0 tclass=dir
Bug: 13340779
Change-Id: Id42f45080ba2c736921691dadfdfa429cf006663
-
Jeff Sharkey authored
Bug: 13340779
Change-Id: I6151b6b61ddf90327d51815d13fd65be561be587
-
- Apr 21, 2014
-
-
Nick Kralevich authored
-
- Apr 18, 2014
-
-
Nick Kralevich authored
-
Stephen Smalley authored
To see whether we can safely remove these allow rules on unlabeled files since we now have restorecon_recursive /data in init.rc to fully relabel legacy userdata partitions, audit all accesses on such files.
Exclude the init domain since it performs the restorecon_recursive /data and therefore will read unlabeled directories, stat unlabeled files, and relabel unlabeled directories and files on upgrade. init may also create/write unlabeled files in /data prior to the restorecon_recursive /data being called.
Exclude the kernel domain for search on unlabeled:dir as this happens during cgroup filesystem initialization in the kernel as a side effect of populating the cgroup directory during the superblock initialization before SELinux has set the label on the root directory.
Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Apr 16, 2014
-
-
Nick Kralevich authored
When SurfaceFlinger -- or any BufferQueue consumer -- releases a buffer, the BufferQueue calls back into the producer side in case the producer cares. This results in a notification from surfaceflinger to bootanim. This callback started in d1c103655533321b5c74fbefff656838a8196153.
Addresses the following denial:
6.164348 type=1400 audit(1397612702.010:5): avc: denied { call } for pid=128 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:bootanim:s0 tclass=binder
Change-Id: I6f2d62a3ed81fde45150d2ae3ff05822bfda33fe
-
Nick Kralevich authored
-
- Apr 15, 2014
-
-
Nick Kralevich authored
Newer adbd versions use functionfs instead of a custom adb usb gadget. Make sure the functionfs filesystem is properly labeled, and that adbd has access to the functionfs files.
Once labeled, this addresses the following denials:
<12>[ 16.127191] type=1400 audit(949060866.189:4): avc: denied { read write } for pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[ 16.127406] type=1400 audit(949060866.189:5): avc: denied { open } for pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[ 377.366011] type=1400 audit(949061227.419:16): avc: denied { ioctl } for pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
-
Nick Kralevich authored
pstore contains /sys/fs/pstore/console-ramoops, which is the replacement for /proc/last_kmsg. Both files are read by system_server on startup. Allow access.
Addresses the following denials:
<12>[ 53.836838] type=1400 audit(949060020.909:19): avc: denied { search } for pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir
<12>[ 53.856546] type=1400 audit(949060020.909:20): avc: denied { getattr } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[ 53.878425] type=1400 audit(949060020.909:21): avc: denied { read } for pid=1233 comm="Thread-119" name="console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[ 53.898476] type=1400 audit(949060020.909:22): avc: denied { open } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
Change-Id: I7307da751961b242e68adb319da9c00192e77bbb
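Most of the commits in this log follow the same loop: paste the `avc: denied` lines from the audit log, work out the (source domain, target type, class, permissions) tuple each one encodes, and then either add the `allow` rule it implies or, as in the keystore and system_app_data_file commits, decide that the access should not be granted and split the target into its own type or guard it with a `neverallow`. The following is an added example, not code from the sepolicy project or from any of the commit authors: a small Python parser that reads denial lines in the format quoted above, coalesces them into candidate `allow` rules the way audit2allow would, and flags candidates that a neverallow would reject. The sample denials are constructed for this example (several are copied from the lines quoted in this log, the keystore one is invented), and `NEVERALLOW_EXEMPT` is a hypothetical stand-in for the project's real neverallow rules, not its actual policy.

```python
"""Added example: turn avc denial lines into candidate SELinux allow rules
and check them against a (hypothetical) neverallow list."""
import re
from collections import defaultdict

# Matches the kernel avc denial format quoted throughout the commit log above:
#   avc: denied { perms } for ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Constructed sample input. The adbd/functionfs and system_server/pstorefs
# lines mirror denials quoted in this log; the shell/keystore_data_file line
# is invented to exercise the neverallow check.
SAMPLE_DENIALS = [
    '<12>[ 16.127191] type=1400 audit(949060866.189:4): avc: denied { read write } for pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file',
    '<12>[ 16.127406] type=1400 audit(949060866.189:5): avc: denied { open } for pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file',
    '<12>[ 377.366011] type=1400 audit(949061227.419:16): avc: denied { ioctl } for pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file',
    '<12>[ 53.836838] type=1400 audit(949060020.909:19): avc: denied { search } for pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir',
    '<12>[ 53.856546] type=1400 audit(949060020.909:20): avc: denied { getattr } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file',
    'type=1400 audit(0.0:30): avc: denied { read } for pid=999 comm="sh" name="user_0" dev="mmcblk0p23" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:keystore_data_file:s0 tclass=dir',
    "05-08 23:16:36.338 605 637 W asset : Installing empty resources in to table 0x5e89a368",  # not a denial
]

# Hypothetical neverallow list (an assumption for this example, modelled on the
# keystore commit above, which restricts keystore files to keystore itself plus
# limited access for init): target type -> domains that may still touch it.
NEVERALLOW_EXEMPT = {
    "keystore_data_file": {"keystore", "init"},
}


def parse_avc(line):
    """Return (source domain, target type, tclass, set of permissions), or
    None if the line is not an avc denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    sdom = m.group("scontext").split(":")[2]   # u:r:adbd:s0 -> adbd
    ttype = m.group("tcontext").split(":")[2]  # u:object_r:functionfs:s0 -> functionfs
    return sdom, ttype, m.group("tclass"), set(m.group("perms").split())


def collect(lines):
    """Coalesce denials into {(sdom, ttype, tclass): permissions}, so that the
    three separate adbd denials become one candidate rule."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            sdom, ttype, tclass, perms = parsed
            rules[(sdom, ttype, tclass)] |= perms
    return rules


def to_allow_rules(lines):
    """Render the coalesced denials as policy-language allow rules."""
    return [
        f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (sdom, ttype, tclass), perms in sorted(collect(lines).items())
    ]


def violates_neverallow(lines, exempt=NEVERALLOW_EXEMPT):
    """Candidate rules that a neverallow would reject at policy compile time.
    These are the cases where the right fix is a new type or a dontaudit
    rather than a broader allow."""
    return [
        f"{sdom} -> {ttype}:{tclass}"
        for (sdom, ttype, tclass) in sorted(collect(lines))
        if ttype in exempt and sdom not in exempt[ttype]
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(SAMPLE_DENIALS):
        print(rule)
    for bad in violates_neverallow(SAMPLE_DENIALS):
        print("would violate neverallow:", bad)
```

Running it against the sample yields one coalesced rule for adbd on functionfs files (`{ ioctl open read write }`), two for system_server on pstorefs, and a candidate `allow shell keystore_data_file:dir { read };` that the neverallow check reports; that last case is the situation the keystore commit guards against, and the answer there is to reject the candidate rule rather than relax the neverallow.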
-
- Apr 14, 2014
-
-
Paul Lawrence authored
Bug: 9467042
Change-Id: Ice72e6c3047d1439e6fa6997b5f47f807f34b28d
-