Bug: 18106000
Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4

Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:
avc:  denied  { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d

Address the following denial:
02-12 07:51:42.702: E/SELinux(158): avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:bluetooth:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

which occurs when the remote service starts up.
02-12 07:51:42.702: E/ServiceManager(158): find_service('SurfaceFlinger') uid=1002 - PERMISSION DENIED
02-12 07:51:42.702: I/ServiceManager(2827): Waiting for service SurfaceFlinger...
02-12 07:51:42.959: E/ActivityManager(469): ANR in com.google.android.remote.tv.services
02-12 07:51:42.959: E/ActivityManager(469): PID: 2827
02-12 07:51:42.959: E/ActivityManager(469): Reason: executing service com.google.android.tv.remote/.RemoteService

Bug: 19268019
Change-Id: I2d415c2ea2f70cf71851147253cf6e1906fd0940

This was observed when attempting to change volume for a bluetooth device
supporting AVRCP volume control.

Addresses the following denials:
avc:  denied  { find } for service=media.audio_flinger scontext=u:r:bluetooth:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
avc:  denied  { find } for service=media.audio_policy scontext=u:r:bluetooth:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Bug: 19341236
Change-Id: If7f2ff1ea9fc694bad700cf59f400f2d2df8c2dd

Address the following denial:
SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:bluetooth:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Encountered when remote service attempts access:
02-04 00:15:19.174 E/AndroidRuntime(10847): FATAL EXCEPTION: main
02-04 00:15:19.174 E/AndroidRuntime(10847): Process: com.google.android.remote.tv.services, PID: 10847
02-04 00:15:19.174 E/AndroidRuntime(10847): java.lang.RuntimeException: Unable to create service com.google.android.tv.remote.RemoteService: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.exist(java.lang.String, int)' on a null object reference
02-04 00:15:19.174 E/AndroidRuntime(10847):         at android.app.ActivityThread.handleCreateService(ActivityThread.java:2801)

Bug: 19268019
Change-Id: I86f85cb19c5540bf041c82ec9a8088aacae67792

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

Bluetooth can receive bugreport data for beaming to another device.
This comes across as an open file descriptor. Allow bluetooth access
to bugreports.

Addresses the following denial:

  avc: denied { read } for path="/data/data/com.android.shell/files/bugreports/bugreport-2014-12-19-15-35-32.txt" dev="dm-0" ino=662738 scontext=u:r:bluetooth:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Change-Id: I7be2ce2e0e48323c1e8f932be17b434b89daf085

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc205)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f

Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964

Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.

Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f

Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e

This is extremely useful as it allows timeouts on the socket.
Since ioctl is allowed, setopt shouldn't be a problem.

Resolves denials, in 3rd party apps, such as:

avc:  denied  { setopt } for  pid=18107 comm="AudioRouter-6"
scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0
tclass=unix_stream_socket

Change-Id: I6f38d7b86983c517575b735f43b62a2ed811e81c
Signed-off-by: Sérgio Faria <sergio91pt@gmail.com>

bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658

Resolves denials such as:
avc:  denied  { ioctl } for  pid=6390 comm="m.wimmcompanion" path="socket:[472596]" dev="sockfs" ino=472596 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Idd4fa219fe8674c6e1c40211b3c105d6276cfc5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolve denials such as:

avc:  denied  { getattr } for  pid=16226 comm="Thread-2096" path="socket:[414657]" dev="sockfs" ino=414657 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=5890 comm="FinalizerDaemon" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

(cherry picked from commit 495e9d12)

Change-Id: Ie38979416b36b4452375d58baff46f14b78f1bad
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc:  denied  { read } for  pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

avc:  denied  { getattr } for  pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolve denials such as:

avc:  denied  { getattr } for  pid=16226 comm="Thread-2096" path="socket:[414657]" dev="sockfs" ino=414657 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=5890 comm="FinalizerDaemon" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Iea7790aa4f8e24f3ec0d2c029933a3902333472e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow bluetooth to handle media_rw_data_file file descriptors
sent to it from other processes. Without this, bluetooth
picture / video sharing is broken.

Steps to reproduce:
1. Take few pictures
2. launch gallery and choose a picture/video and click on share and choose
   available BT device and share

Other info from bug report:

- Bluetooth process queries media content provider for a file descriptor,
  with an Uri like "content://media/external/images/media/69"
- Media server resolves the uri to a file on the filesystem, in the case of
  Gallery at "/storage/emulated/0/DCIM/Camera/IMG_20140128_141656.jpg"
- Media server returns the FD over binder to bluetooth
- Bluetooth is unable to read the file backed by the file descriptor.

Fixes Denial:

<5>[  821.040286] type=1400 audit(1390952161.805:11): avc:  denied  { read } for  pid=1348 comm="Binder_3" path="/data/media/0/DCIM/Camera/IMG_20140128_141656.jpg" dev="mmcblk0p23" ino=236246 scontext=u:r:bluetooth:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Bug: 12457805
Change-Id: I1423d06a98416ae4ab19508f0d005a6353acadc4

Previous bluetooth denials should be addressed by
I14b0530387edce1097387223f0def9b59e4292e0.

Change-Id: I5c6b44a142a7e545230b89df9c4500ce2fab4ab6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Re-purpose the existing bluetooth_socket type, originally
for /dev/socket/bluetooth used by bluetoothd in the old
bluetooth stack, for sockets created by bluedroid under
/data/misc/bluedroid, and allow mediaserver to connect
to such sockets.  This is required for playing audio
on paired BT devices.

Based on b/12417855.

Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858

The following CTS tests are failing on nakasig-userdebug

Failing tests
android.bluetooth.cts.BasicAdapterTest#test_enableDisable
android.bluetooth.cts.BasicAdapterTest#test_getAddress
android.bluetooth.cts.BasicAdapterTest#test_getBondedDevices
android.bluetooth.cts.BasicAdapterTest#test_getName
android.bluetooth.cts.BasicAdapterTest#test_listenUsingRfcommWithServiceRecord

Logs
=====
junit.framework.AssertionFailedError: expected:<11> but was:<10>
at android.bluetooth.cts.BasicAdapterTest.enable(BasicAdapterTest.java:278)
at android.bluetooth.cts.BasicAdapterTest.test_enableDisable(BasicAdapterTest.java:128)
at java.lang.reflect.Method.invokeNative(Native Method)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:191)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:176)
at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:554)
at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1701)

Reverting this change until we get a proper fix in place.

SELinux bluetooth denials:

nnk@nnk:~$ grep "avc: " Redirecting.txt | grep bluetooth
<5>[  831.249360] type=1400 audit(1389206307.416:215): avc:  denied  { write } for  pid=14216 comm="BluetoothAdapte" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  834.329536] type=1400 audit(1389206310.496:217): avc:  denied  { write } for  pid=14218 comm="BTIF" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file

This reverts commit 2eba9c5f.

Bug: 12475767
Change-Id: Id4989f6b371fa02986299114db70279e151ad64a

The following CTS tests are failing on nakasig-userdebug

Failing tests
android.bluetooth.cts.BasicAdapterTest#test_enableDisable
android.bluetooth.cts.BasicAdapterTest#test_getAddress
android.bluetooth.cts.BasicAdapterTest#test_getBondedDevices
android.bluetooth.cts.BasicAdapterTest#test_getName
android.bluetooth.cts.BasicAdapterTest#test_listenUsingRfcommWithServiceRecord

Logs
=====
junit.framework.AssertionFailedError: expected:<11> but was:<10>
at android.bluetooth.cts.BasicAdapterTest.enable(BasicAdapterTest.java:278)
at android.bluetooth.cts.BasicAdapterTest.test_enableDisable(BasicAdapterTest.java:128)
at java.lang.reflect.Method.invokeNative(Native Method)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:191)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:176)
at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:554)
at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1701)

Reverting this change until we get a proper fix in place.

SELinux bluetooth denials:

nnk@nnk:~$ grep "avc: " Redirecting.txt | grep bluetooth
<5>[  831.249360] type=1400 audit(1389206307.416:215): avc:  denied  { write } for  pid=14216 comm="BluetoothAdapte" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  834.329536] type=1400 audit(1389206310.496:217): avc:  denied  { write } for  pid=14218 comm="BTIF" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file

This reverts commit 2eba9c5f.

Bug: 12475767
Change-Id: Id4989f6b371fa02986299114db70279e151ad64a

Change-Id: I6243819e7c9d71c561e77014b49456e9afc11153
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*.  bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former.  This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).

Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Some bluetooth implementations write to bluetooth.* properties.
It seems reasonable to allow this for all bluetooth implementations.

This addresses the following denial (seen on mako):

<4>[  132.182755] avc:  denied  { set } for property=bluetooth.hciattach scontext=u:r:bluetooth:s0 tcontext=u:object_r:bluetooth_prop:s0 tclass=property_service

Change-Id: I6d92c0ff108838dd1107c5fb3c436699ef824814

Remove unconfined_domain() from the bluetooth app domain,
restore the rules from our policy, and move the neverallow
rule for bluetooth capabilities to bluetooth.te.
Make the bluetooth domain permissive again until it has
received sufficient testing.

Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

Properties under bluetooth. and persist.service.bdroid. are
considered Bluetooth-related properties.

Change-Id: Iee937d9a1184c2494deec46f9ed7090c643acda7

Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>