tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions.  execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains.  Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

execmem permission controls the ability to make an anonymous
mapping executable or to make a private file mapping writable
and executable.  Remove this permission from domain (i.e.
all domains) by default, and add it explicitly to app domains.
It is already allowed in other specific .te files as required.
There may be additional cases in device-specific policy where
it is required for proprietary binaries.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC.  We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc:  denied  { execute } for  pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Will likely want to split into adbd_user.te vs adbd.te before
going enforcing to support adb root and adb remount on non-user builds.
Possibly take all common rules to an adbdcommon.te.

Change-Id: I63040c7f5f0fca10b3df682572c51c05e74738a7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I11b185ff539915174bd2da53bfaa2cad87173008
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This showed up at some point in the past during our own
internal CTS testing but it seems wrong based on the DAC
permissions and a potential way to inject code into apps
from the shell.  Drop it for now and see if it shows up again.
This predates userdebug/eng vs user shell split so possibly
it only happens in the userdebug/eng case.

Change-Id: If8b1e7817f8efecbf68a0ba5fd06328a23a6c6db
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow the shell user to set debug.* properties.
This allows systrace to work on Android.

Allow the shell user to set sys.powerctl, to allow reboots
to work.

Addresses the following denials:

<4>[ 2141.449722] avc:  denied  { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.450820] avc:  denied  { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.506703] avc:  denied  { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.507591] avc:  denied  { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service

Bug: 12231073
Change-Id: Iaba1db06ba287c7d5d10ce287833c57238e03bb6

Allow adb shell to run dumpsys.

Addresses the following denials:

23.720402   type=1400 audit(1387473582.512:12): avc:  denied  { read write } for  pid=1469 comm="dumpsys" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:system_server:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
23.862719   type=1400 audit(1387473582.652:13): avc:  denied  { getattr } for  pid=696 comm="Binder_3" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:system_server:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file

Change-Id: I6c56f9267d769d579514dca3cfde8d5a99170456

When encrypting a device, vold tries to acquire a wake lock,
to prevent the device from sleeping. Add an allow rule.

After booting with a freshly encrypted device, fsck logs data to
/dev/fscklogs/log . Add an allow rule.

Addresses the following denials.

wake lock:

<5>[  372.401015] type=1400 audit(1387488823.195:6): avc:  denied  { read write } for  pid=143 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
<5>[  127.274556] type=1400 audit(1387494536.080:8): avc:  denied  { open } for  pid=140 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file

fsck logging:

<5>[   44.759122] type=1400 audit(1387489522.460:6): avc:  denied  { search } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.559964] type=1400 audit(1387495221.265:6): avc:  denied  { write } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560081] type=1400 audit(1387495221.265:7): avc:  denied  { add_name } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560244] type=1400 audit(1387495221.265:8): avc:  denied  { create } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.560383] type=1400 audit(1387495221.265:9): avc:  denied  { write open } for  pid=132 comm="vold" name="log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.582520] type=1400 audit(1387495221.285:10): avc:  denied  { getattr } for  pid=132 comm="vold" path="/dev/fscklogs/log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file

Change-Id: I09fbe73c9d4955578c16fece4f3b84269eed78b5

I'm only seeing this denial on one device (manta), but it feels like
it should be part of the generic policy. I don't understand
why it's happening on only one device.

Addresses the following denial:

14.711671   type=1400 audit(1387474628.570:6): avc:  denied  { block_suspend } for  pid=533 comm="InputReader" capability=36  scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2

Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47

Change-Id: I1eba1535d650a09ee7640cb7f3664202be4a0a55
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

bluetooth, nfc, radio and shell are not explicitly declared
in installd.te. This prevents applications in those group
from upgrading by "adb install -r".

You can reproduce the issue by following step:
 1. adb pull /system/priv-app/Shell.apk
 2. adb install -r Shell.apk
 3. install failed with the error log blow

[Error in logcat]
E/installd(  338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/com.android.shell-1': Permission denied
E/installd(  338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/Shell': Permission denied

[Error in dmesg]
<5>[  112.053301] type=1400 audit(1387412796.071:10): avc:  denied  { create } for  pid=337 comm="installd" name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=lnk_file

This operation fails only if the app belongs to any of the
groups specified in the commit title.

Change-Id: I7572df9fb6e471fad34f61137f0eeeda4c82659d

Addreseses the following denials:

<5>[  695.383994] type=1400 audit(1387403898.292:55): avc:  denied  { execute } for  pid=5187 comm="dumpstate" name="ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.384727] type=1400 audit(1387403898.292:56): avc:  denied  { read open } for  pid=5187 comm="dumpstate" name="ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.385418] type=1400 audit(1387403898.292:57): avc:  denied  { execute_no_trans } for  pid=5187 comm="dumpstate" path="/system/bin/ping" dev="mmcblk0p25" ino=213 scontext=u:r:dumpstate:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  695.391978] type=1400 audit(1387403898.302:58): avc:  denied  { create } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.393193] type=1400 audit(1387403898.302:59): avc:  denied  { setopt } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.393753] type=1400 audit(1387403898.302:60): avc:  denied  { getopt } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.394886] type=1400 audit(1387403898.302:61): avc:  denied  { write } for  pid=5187 comm="ping" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket
<5>[  695.400693] type=1400 audit(1387403898.312:62): avc:  denied  { read } for  pid=5187 comm="ping" lport=4 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=rawip_socket

Change-Id: If9a790725ec0ba1ca6cb5c9a8ed85288580940e8

Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g.  console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.

Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I184458af1f40de6f1ab99452e76ba586dad1319e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/data/media presently is left in system_data_file, which requires
anything that wants to write to it to be able to write to system_data_file.
Introduce a new type for /data/media, media_rw_data_file (to match
the media_rw UID assigned to it and distinguish it from /data/misc/media
which has media UID and media_data_file type), and allow access to it.

We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted
to signature|system.  We should not have to allow it to untrusted_app.

Set up type transitions in sdcardd to automatically label any directories
or files it creates with the new type.

Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

In 61dc3507, I forgot to allow
system_server to run getopt/getattr on the zygote socket.

Bug: 12061011
Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6

The closure of /dev/socket/zygote occurs in the zygote child
process, after Zygote has dropped privileges and changed
SELinux domains. In Google's internal tree, socket closures
are following a different path, which is causing getopt/getattr
to be used on the file descriptor. This is generating a large
number of denials.

Allow the operations for now. getopt/getattr are fairly harmless.
Long term, we shouldn't be performing these operations on the
zygote socket.

Addresses the following denials:

18.352783   type=1400 audit(1386374111.043:7): avc:  denied  { getattr } for  pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.353088   type=1400 audit(1386374111.043:8): avc:  denied  { getopt } for  pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833251   type=1400 audit(1386374111.524:9): avc:  denied  { getattr } for  pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833557   type=1400 audit(1386374111.524:10): avc:  denied  { getopt } for  pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042419   type=1400 audit(1386374111.734:11): avc:  denied  { getattr } for  pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042724   type=1400 audit(1386374111.734:12): avc:  denied  { getopt } for  pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.182830   type=1400 audit(1386374111.874:14): avc:  denied  { getattr } for  pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.183105   type=1400 audit(1386374111.874:15): avc:  denied  { getopt } for  pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.235473   type=1400 audit(1386374111.924:16): avc:  denied  { getattr } for  pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12061011
Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9

Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd

Add a placeholder domain for inputflinger.
Mark it initially unconfined and enforcing.

Change-Id: I433fd9e1954486136cb8abb084b4e19bb7fc2f19

This addresses the review comments from
https://android-review.googlesource.com/#/c/69855/

Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f

And allow any SELinux domain to read these timezone
related files.

Addresses the following denial:
<5>[    4.746399] type=1400 audit(3430294.470:7): avc:  denied  { open } for  pid=197 comm="time_daemon" name="tzdata" dev="mmcblk0p28" ino=618992 scontext=u:r:time:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Iff32465e62729d7aad8c79607848d89ce0aede86

Alphabetize the entries for the /data/misc subdirectories.

Change-Id: I3690085cbb99c225545545668dedd66341a14edb

Change-Id: I9d87c35cc8d4ffffab4f7c28f3d3d43f85b10123
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I55d059cf6b9e13a81545d3d8b8ff86befc89d6b3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>