Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.

Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Change I9e35cc93abf89ce3594860aa3193f84a3b42ea6e changed the type
on /data/misc/wifi/sockets to wpa_socket and change
I51b09c5e40946673a38732ea9f601b2d047d3b62 fixed the type on existing
devices.  Consequently hostapd now needs access to wpa_socket dir
and sock_file.

Change-Id: I58f552b3cd55821f57e6ef33ebe6bb8587e7b3fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  clatd does exist in AOSP
and is built by default, and is started via netd.

Change-Id: Iee6e0845fad7647962d73cb6d047f27924fa799a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add rules from our policy.

Change-Id: I86f07f54c5120c511f9cab2877cf765c3ae7c1a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add rules from our policy.

Change-Id: I096025c1820f0b51f1abdf249c744cba387e0a65
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add rules from our policy.

Change-Id: I6f552538cc4f6b28b2883aa74832230944cbdb7a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also add allow rules from our policy.

Change-Id: Id480eb7c8cd4e5544a1ec46cb39a55abc653ddb9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  Of course we cannot truly
test until it is released into AOSP, but this prepares the way
and potentially allows for internal testing and collection of denials.

Change-Id: Ic9d1ba872d43f322e39ca6cffa0e725f1e223e7b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  Of course we cannot truly
test until it is released into AOSP, but this prepares the way
and potentially allows for internal testing and collection of denials.

Change-Id: I800ab23baee1c84b7c4cf7399b17611a62ca6804
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Steps to reproduce across devices.
  adb shell screenrecord --bit-rate 8000000 --time-limit 10 /data/local/tmp/test.mp4

* Allow surfaceflinger to talk to mediaserver
   avc:  denied  { call } for  pid=122 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=binder

* Give mediaserver access to gpu_device
   avc:  denied  { read write } for  pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
   avc:  denied  { open } for  pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
   avc:  denied  { ioctl } for  pid=2793 comm="VideoEncMsgThre" path="/dev/kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Change-Id: Id1812ec95662f4b2433e2989f5fccce6a85c3a41
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

In order to prevent Zygote descriptors from leaking into the child
environment, they should be closed by the forked-off child process
before the child switches to the application UID.  These changes close
the descriptors via dup2(), substituting a descriptor open to
/dev/null in their place; this allows the Zygote Java code to close
the FileDescriptor objects cleanly.

This is a multi-project change: dalvik, art, libcore, frameworks/base,
and external/sepolicy are affected.  The CLs need to be approved
together, lest the build break or the software fail to boot.

Bug: 12114500
Change-Id: Ie45ddf6d661a1ea8570cd49dfea76421f2cadf72

Image transfer over NFC is broken.

  STEPS TO REPRODUCE:
  -----------------------------------------
  1. Launch Gallery and open any picture
  2. Keep two devices close each other
  3. Tap on 'Touch to Beam' option on sender device and observe receiver device

  OBSERVED RESULTS:
  'Beam did not complete' message showing in Notification window.

  EXPECTED RESULTS:
  Beam should complete successfully and able to share picture through Beam

  ADDITIONAL INFORMATION :
  Device : Hammerhead
  Reproducibility : 3/3

Addresses the following denials:

<5>[ 3030.955024] type=1400 audit(1391625834.066:72): avc:  denied  { call } for  pid=311 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:nfc:s0 tclass=binder
<5>[ 3049.606559] type=1400 audit(1391625852.716:74): avc:  denied  { write } for  pid=26850 comm="id.nfc:handover" name="0" dev="fuse" ino=3086221568 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.606802] type=1400 audit(1391625852.716:75): avc:  denied  { add_name } for  pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.607068] type=1400 audit(1391625852.716:76): avc:  denied  { create } for  pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610602] type=1400 audit(1391625852.716:77): avc:  denied  { remove_name } for  pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610870] type=1400 audit(1391625852.716:78): avc:  denied  { rename } for  pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Bug: 12891504
Change-Id: I10dc964db9249f53a2b4d8fe871ad9a036c423a2

This doesn't compile on non-manta devices because of a
missing drmserver_socket declaration.

external/sepolicy/mediaserver.te":68:ERROR 'unknown type drmserver_socket' at token ';' on line 6764:
#line 68
allow mediaserver drmserver_socket:sock_file write;
checkpolicy:  error(s) encountered while parsing configuration
make: *** [out/target/product/flo/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....

This reverts commit 8cd400d3.

Change-Id: Ib8f07b57008b9ed1165b945057502779e806f0f8

So that we do not relabel them on a restorecon -R /data.

Change-Id: I8dd915d9bb80067339621b905ea2b4ea0fa8d71e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I7d5a5f964133177e7d466b9759fcf6300fec345d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

With wpa_supplicant in enforcing, wpa_cli doesn't work.

Denial:

type=1400 audit(1390597866.260:59): avc:  denied  { write } for  pid=3410 comm="wpa_supplicant" name="wpa_ctrl_4852-1" dev="mmcblk0p28" ino=618993 scontext=u:r:wpa:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file

After I9e35cc93abf89ce3594860aa3193f84a3b42ea6e and
I51b09c5e40946673a38732ea9f601b2d047d3b62, the /data/misc/wifi/sockets
directory is labeled properly. This change allows the communication
between the su domain and wpa.

Steps to reproduce:
  Start wifi (so wpa_supplicant will run)
  Start wpa_cli - it will hand
  $ adb root
  $ adb shell
  # wpa_cli -g @android:wpa_wlan0

Bug: 12721629
Change-Id: I03170acc155ad122c5197baaf590d17fc1ace6a5

This will ensure that any sockets created in this directory
will default to wpa_socket unless a type_transition is defined.
Define a type transition for system_server to keep its separate
system_wpa_socket type assigned for its socket.  Allow wpa
to create and unlink sockets in the directory.  We leave the
already existing rules for wifi_data_file in place for compatibility
with existing devices that have wifi_data_file on /data/misc/wifi/sockets.

Change-Id: I9e35cc93abf89ce3594860aa3193f84a3b42ea6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

- Add write_logd, read_logd and control_logd macros added along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8

Rather, enforce that a relabel should be done. This
tightens an existing assertion.

Change-Id: I0500e3dc483e6bf97e5b017043e358bcbdc69904

Rather then allowing open,read,write to raw block devices, one
should relabel it to something more specific.

vold should be re-worked so we can drop it from this assert.

Change-Id: Ie891a9eaf0814ea3878d32b18b4e9f4d7dac4faf

Commit Icc5febc5fe5a7cccb90ac5b83e6289c2aa5bf069
introduced a new error check for non existent
BOARD_SEPOLICY_UNION files. Need an update to
the docs describing the change.

Change-Id: If96c9046565b05e0811ab2d526ae12a3b8b90bf0
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

We can read any efs_files, but can't look in the directory
containing them. Allow it.

Without this patch, high resolution movie playback is broken.

Addresses the following denial:

[  276.780046] type=1400 audit(1391105234.431:5): avc:  denied  { search } for  pid=125 comm="drmserver" name="/" dev="mmcblk0p1" ino=2 scontext=u:r:drmserver:s0 tcontext=u:object_r:efs_file:s0 tclass=dir

Bug: 12819852

Change-Id: Ie9d13a224cef5e229de1bdb78d605841ed387a21