Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.

Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.

Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"

service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"

property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"

Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.

Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

An auditallow has been in place since commit
cb835a28 but nothing has been triggered.
Remove the rule.

Bug: 25768265
Change-Id: Ia9f35c41feabc9ccf5eb5c6dae09c68dc4f465ff

Yes, it's being used.

  type=1400 audit(0.0:19391): avc: granted { read write } for comm="Binder_4" path="socket:[1354209]" dev="sockfs" ino=1354209 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19392): avc: granted { read } for comm="pandora.android" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19393): avc: granted { read } for comm="TransportReader" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19398): avc: granted { shutdown } for comm="AppLinkBluetoot" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19400): avc: granted { getopt } for comm="AppLinkBluetoot" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:12517): avc: granted { write } for comm="MultiQueueWrite" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:12563): avc: granted { read } for comm="WearableReader" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

and a lot more...

Bug: 25767747
Change-Id: I15f89be1f44eef471e432e6d9f9ecb60a43801f8

Deal with a few audit failures

Bug: 24200279
Change-Id: Ifb8e936738ef9c8576842576315cca2825310d3a

The "su" domain is in globally permissive mode on userdebug/eng
builds. No SELinux denials are suppose to be generated when running
under "su".

Get rid of useless SELinux denials coming from su trying to stat
files in /dev/__properties__. For example: "ls -la /dev/__properties__"
as root.

Addresses the following denials:

  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:wc_transport_prop:s0" dev="tmpfs" ino=10597 scontext=u:r:su:s0 tcontext=u:object_r:wc_transport_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qseecomtee_prop:s0" dev="tmpfs" ino=10596 scontext=u:r:su:s0 tcontext=u:object_r:qseecomtee_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:radio_atfwd_prop:s0" dev="tmpfs" ino=10595 scontext=u:r:su:s0 tcontext=u:object_r:radio_atfwd_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=10594 scontext=u:r:su:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:contexthub_prop:s0" dev="tmpfs" ino=10593 scontext=u:r:su:s0 tcontext=u:object_r:contexthub_prop:s0 tclass=file permissive=1

Change-Id: Ief051a107f48c3ba596a31d01cd90fb0f3442a69

Lots of processes access CPU information. This seems to be triggered
by libraries loaded into every Android process. Allow the access.

Addresses the following denials:

adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1

Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35

Per https://android-review.googlesource.com/185392 , ctl.* properties
are not represented as files in the filesystem. So there's no need
to grant read access to them, since it's pointless.

Remove core_property_type from these properties, which has the net
effect of removing read access to these non-existent files.

Change-Id: Ic1ca574668a3511c335a7036a2bb7993ff02c1e3

Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.

Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.

Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918

This reverts commit 2ea23a6e.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca

am: e8b176ed

* commit 'e8b176ed':
  Allow update_verifier to access bootctrl_block_device.

am: 71fd337f

* commit '71fd337f':
  Change /dev/ion from read-only to read-write

Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.

Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f

am: 9a3d490e

* commit '9a3d490e':
  Migrate to upstream policy version 30

am: 99c78bf2

* commit '99c78bf2':
  shell.te: Restore /proc/net access

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3

The removal of domain_deprecated from the shell user in
https://android-review.googlesource.com/184260 removed /proc/net access.
Restore it.

Bug: 26075092
Change-Id: Iac21a1ec4b9e769c068bfdcdeeef8a7dbc93c593

Bug: 26039641
Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4

am: 44826cb5

* commit '44826cb5':
  Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker

Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d

am: 5e8402df

* commit '5e8402df':
  adbd: allow ddms screen capture to work again

The removal of domain_deprecated broke ddms screen capturing
functionality.

Steps to reproduce:

1) Run "ddms"
2) Select your device
3) Go to the Device > Screen Capture menu
4) Attempt to take a screenshot

Addresses the following denials:

  avc: denied { read } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for pid=2728 comm="screencap" path="/dev/ion" dev="tmpfs" ino=7255 ioctlcmd=4905 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26023462
Change-Id: Ie77c65900de56756d5c9b99dcda1e20664151ed2

am: b899f4fc

* commit 'b899f4fc':
  adbd: allow "adb pull /sdcard/"

The removal of domain_deprecated broke the ability for adbd to
pull files from /sdcard. Re-allow it.

Addresses the following denials:

  avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
  avc: denied { getattr } for pid=2755 comm=73657276696365203431 path="/sdcard" dev="rootfs" ino=5472 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0

Change-Id: I70257933f554abd008932c7f122dd0151f464b05

am: 83fd8a54

* commit '83fd8a54':
  Increase communication surface between dumpstate and Shell:

- Add a new 'dumpstate' context for system properties. This context
  will be used to share state between dumpstate and Shell. For example,
  as dumpstate progresses, it will update a system property, which Shell
  will use to display the progress in the UI as a system
  notification. The user could also rename the bugreport file, in which
  case Shell would use another system property to communicate such
  change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
  notification can be used to stop dumpstate.

BUG: 25794470

Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895

am: f6a0b144

* commit 'f6a0b144':
  rild: Remove toolbox_exec perms

am: 29b9532a

* commit '29b9532a':
  shell.te: Allow read access to system_file

Certain tests depend on the ability to examine directories
in /system. Allow it to the shell user.

Addresses the following denials:

  avc: denied { read } for name="egl" dev="dm-1" ino=104 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26020967
Bug: 26023420
Change-Id: I509d921e159e99164c85fae9e8b2982a47573d14

Confirmed via audit logs that it is not required.

Change-Id: I01d4b7ec15d4c852a9f28daf0b40ab4bce930125

am: 98c3f997

* commit '98c3f997':
  Further restrict access to tun_device

Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.

Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1

am: 6fa6bdb6

* commit '6fa6bdb6':
  Support fine grain read access control for properties