Some legitimate functionality currently requires direct sysfs access
that is not otherwise possible via the android APIs.  Specifically,
isochronous USB transfers require this direct access, without which USB
audio applications would noticibly suffer.

Grant read access to the usb files under /sys/devices to prevent this
regression.

Bug: 28417852
Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728

Bug: 28748264
Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5

A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.

The new directory is writable/deletable by system server. It can only be
readable (including directory list) by privileged or platform apps

Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037

Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799



Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>

(cherry picked from commit 4dafa72a)

Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a

postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

(cherry picked from commit a9671c6b)

Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c

To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.

type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

BUG=23093747

(cherry picked from commit 4d19f98c)

Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1

(cherry picked from commit f2d07904)

/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.

Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f

(cherry pick from commit 16fe52c9)

One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.

Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac

sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d

HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d

... and client apps to read them.

A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047

Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983

Both appdomain and priv_app can set the default ringtones, so the
cache files need to be mlstrustedobject.

avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0

Bug: 27366059
Change-Id: Ib362f58b180a62bd46800083d6c538426f955b10

When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

(cherry picked from commit 6cb2c893)

Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef

system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicate
via /dev/socket/uncrypt to allow things like factory reset to keep
working.

Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca

no longer used nor desired.

Change-Id: Iac447fb2291371caa4a8ec255db114d9f7ccdddb

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e

Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

Bug: 22032619
Chromium Bug: 586021

Change-Id: I584345c84d870c313da69ec97a0b1e54c0eb9ee1

Bug: 27323882
Change-Id: Idf3977d74817c4f90f9e993d2e1e5302cc56f41d

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked.  To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d

Bug: 26719109
Bug: 26563023

Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

Add permissions to dex2oat, introduce otapreopt binary and otadexopt
service.

Bug: 25612095
Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7

Also narrowly specify the domain for the local transport's bookkeeping.

Bug 26834865

Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535

/data/misc/bootstat.

BUG: 21724738
Change-Id: I2789f57cc8182af1a7c33672ef82297f32f54e2e

Shell user needs to be able to get current device battery_level via
/sys/class/power_supply/battery/capacity.  Create a global label and
corresponding policy for accessing this.  Rely on each device to label
the appropriate sysfs entry.

Bug: 26219114
Change-Id: I2c5ef489a9db2fdf7bbd5afd04278214b814351c

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d

Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18

The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).

Bug: 25612377

Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993

Initial check in of empty autoplay_app.te policy file.

Create isAutoPlayApp input selector. Give this selector high precedence -
only below isSystemServer.

Add neverallow rule disallowing an app context with isAutoPlayApp=true from
running in a domain other than autoplay_app.

Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4

1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has it's own special label. This allows us to distinguish
these files from other files in SELinux policy.

2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.

3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.

Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413

This CL adds the SELinux settings required to support tracing
during boot.
https://android-review.googlesource.com/#/c/157163/

BUG: 21739901
Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0

Bug: 18068520
Bug: 21852542
Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049

This reverts commit 2dabf174.

Change-Id: I7e35a6ea1b8d5958c65eb04a7c9a04ba807b1181

Bug: 18068520
Bug: 21852542
Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff