Address the following denial:
SELinux  E  avc:  denied  { find } for service=drm.drmManager scontext=u:r:radio:s0 tcontext=u:object_r:drmserver_service:s0

which occurs when a non-default SMS app sends an MMS. The message would be
stored into system automatically in MMS service (from phone process and phone
UID). The storing of the message involves the creation of
android.drm.DrmManagerClient instance.

Change-Id: Ic4e493f183c9ce7f7ac3f74f6ea062893ea67608

Add an SELinux neverallow rule (compile time assertion) that only
authorized SELinux domains are writing to files in /data/dalvik-cache.

Currently, SELinux policy only allows the following SELinux domains
to perform writes to files in /data/dalvik-cache

  * init
  * zygote
  * installd
  * dex2oat

For zygote, installd, and dex2oat, these accesses make sense.

For init, we could further restrict init to just relabelfrom
on /data/dalvik-cache files, and { create, write, setattr }
on /data/dalvik-cache directories. Currently init has full
write access, which can be reduced over time.

This change was motivated by the discussion
in https://android-review.googlesource.com/127582

Remove /data/dalvik-cache access from the unconfined domain.
This domain is only used by init, kernel, and fsck on user builds.
The kernel and fsck domains have no need to access files in
/data/dalvik-cache. Init has a need to relabel files, but
that rule is already granted in init.te.

The neverallow rule is intended to prevent regressions. Neverallow
rules are CTS tested, so regressions won't appear on our devices
or partner devices.

Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd

system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.

This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.

Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c

Bug: 19186859

Change-Id: Ic08858f346d6b66e7bfc9da6faa2c6e38d9b2e82

Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

Change-Id: I40de0ae28134ce71e808e5ef4a39779b71897571

Messenger can't send MMSes on the master branch. When Messenger sends
an MMS, it stores the message data in local file and publishes it
via a content provider. The URI is passed to the MMS API. The
MmsServiceBroker in system process gets the call and grant URI
permission to phone UID. The MmsService in phone process (and sharing
the phone UID) needs to read the URI to get message data to send.

Addresses the following denial:

  type=1400 audit(0.0:32): avc: denied { read } for path="/data/data/com.google.android.apps.messaging/cache/rawmms/5394791820000274558.dat" dev="mmcblk0p28" ino=83180 scontext=u:r:radio:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Change-Id: I2b694ff6c516714d3524e0613bae0f6773ed2e95

dumpsys from shell results in many denials:
11-08 02:52:13.087   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.089   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.093   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.103   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.104   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.118   171   171 E SELinux : avc:  denied  { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
11-08 02:52:13.130   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.379   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.388   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.574   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.576   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Bug: 18799966
Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc

external/sepolicy commit 99940d1a
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.

Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.

external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.

By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.

For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.

Addresses the following denials:

  avc: denied { read } for  pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf

system_app tries to access files in /data/data (lnk_files).
But due to permission issue it is not able to access the
link files.

Change-Id: I2959d899f5e3ab9caa219d684541d36587a6c059

Chrome team recommends reverting this patch and introducing
it into a future version of Android, to avoid potential
compatibility issues.

This reverts commit 9de62d6f.

Bug: 17471434
Bug: 18609318
Change-Id: I9adaa9d0e4cb6a592011336e442e9d414dbac470

On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the elf data for executables. Instead the permissions are granted
to debuggerd instead.

Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.

Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808

Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8

Address the following log entry:
SELinux : avc:  granted  { find } for service=power scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:power_service:s0 tclass=service_manager

Change-Id: Id750ba9f99c622351fb3206ad007eae8a713adea

Grant shell read access to /proc taken away by
commit: 0d3f7ddc

Addresses the following denials encountered when running ps or top.

Bug: 18799966
Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89

avc: denied { create } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { setopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { bind } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { getopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { write } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { read } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1

Bug: 18335678
Change-Id: I7c03d55b4719d0fd8057507bf8ac1cf573e4744a

Address observed  audit logs of the form:
granted  { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4

Address the following denials:
SELinux : avc:  denied  { find } for service=phone scontext=u:r:nfc:s0 tcontext=u:object_r:radio_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=nfc scontext=u:r:nfc:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18929632

Change-Id: I54c3d194f9401eb5dc6f2114ebddea241c433f71

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

Used to record the Android log messages, then on reboot
provide a means to triage user-space actitivies leading
up to a panic. A companion to the pstore console logs.

Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f

Commit 92dfa31f added "seinfo=platform"
to all fixed UID domains. However, that caused problems for shared_relro.
shared_relro runs like an isolated app, and doesn't have an seinfo field
associated with it.

This causes a crash when system_server attempts to start shared_relro.

  W art     : PreZygoteFork called when we already have a zygote space.
  E SELinux : seapp_context_lookup:  No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a
  E SELinux : selinux_android_setcontext:  Error setting context for app with uid 1037, seinfo (null): Success
  E Zygote  : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed
  F art     : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort
  I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a
  W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
  W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
  F art     : art/runtime/runtime.cc:331] Runtime aborting...
  F art     : art/runtime/runtime.cc:331] Aborting thread:
  F art     : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native
  F art     : art/runtime/runtime.cc:331]   | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800
  F art     : art/runtime/runtime.cc:331]   | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80
  F art     : art/runtime/runtime.cc:331]   | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  F art     : art/runtime/runtime.cc:331]   | stack=0xbe39d000-0xbe39f000 stackSize=8MB
  F art     : art/runtime/runtime.cc:331]   | held mutexes= "abort lock" "mutator lock"(shared held)
  F art     : art/runtime/runtime.cc:331]   kernel: (couldn't read /proc/self/task/1176/stack)
  F art     : art/runtime/runtime.cc:331]   native: (backtrace::Unwind failed for thread 1176)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227)

removing seinfo=platform from shared_relro fixed this bug, but then
revealed two new SELinux denials:

  E SELinux : avc:  denied  { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
  E SELinux : avc:  denied  { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

Add the needed SELinux rule.

Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810

Address the following denial:
SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:system_app:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Change-Id: I6bd5d2490c7d4aa06a645c1ee293f2b3db21968b

The su domain is always permissive, and will always be permissive.
It never makes sense to show su related denials, as they just cause
a false sense of alarm.

Suppress service_manager related denials. For example:

  SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  SELinux : avc:  denied  { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

While I'm here, suppress other recent additionsl to security_classes as
well (keystore_key, debuggerd, drmservice)

Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9

Commit 0d08d472 added two auditallow
statements. The intented purpose of the auditallow statement was:

  auditallow accesses by init to files
  and character devices left in the generic device type so we can monitor
  what is being left there, although it is not necessarily a problem unless
  the file or device should be accessible to others.

As currently written, the auditallow rules aren't actionable. It's not
a problem by itself for init to access a /dev file or chr_file.
Rather, we care about when other domains access such files.

Currently, this generates a number of (expected) audit statements on
boot, which causes unnecessary confusion and makes people believe
that something is broken.

Remove the unactionable auditallow statements.

Change-Id: Ibfe33976505a7dc3f8d15c9eb203c044a39da426

uncrypt needs to be able to read OTA files in GMS core's home
directory, which is protected with MLS. Mark uncrypt as an
mlstrustedsubject so that it can read the files.

Addresses the following denial (and probably others):

  uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

Remove the auditallow line for uncrypt. Per dd053a9b,
the auditallow line was added to confirm that uncrypt was actually
accessing the userdata block device. The access to the userdata block
device is definitely occurring, and auditing it doesn't add any value.
Remove the auditing.

Eliminates the following unnecessary audit lines:

  avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
  avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file

Tighten up userdata block access to write-only. uncrypt never reads
directly from the block device.

Testing:

  1) Create the file /cache/recovery/command with a line like:
  --update_package=/data/data/com.google.android.gms/foo.zip
  2) Create the file /data/data/com.google.android.gms/foo.zip
  (contents not important)
  3) Run "setprop ctl.start pre-recovery"

Expected: No SELinux denials.
Actual: SELinux denials

Bug: 18875451
Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d

Addresses the following denials:
avc:  denied  { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
avc:  denied  { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Bug: 18864737
Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4

On the Nexus 9, init.rc creates the /vendor -> /system/vendor
symlink, then a bit later removes the symlink, creates a
proper directory, and mounts /vendor on the directory.

The current permissive SELinux policy doesn't allow init to
remove the /vendor symlink, which eventually causes the following
errors:

  avc:  denied  { unlink } for  pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
  fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered

There was an attempt to reorder some of these operations so
we didn't have to create / delete the symlink, but it
doesn't seem to have gone well.
https://android.googlesource.com/platform/system/core/+/f67d6bd3c0fb41d167c675b9d2b5d377b6f38a74

Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042

 platform_app.

Address the following denials:
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manage
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

Bug: 18831075
Change-Id: I2c162f58f4adae9f6c544f9d9c6a9300877b4f36