Initial check in of empty autoplay_app.te policy file.

Create isAutoPlayApp input selector. Give this selector high precedence -
only below isSystemServer.

Add neverallow rule disallowing an app context with isAutoPlayApp=true from
running in a domain other than autoplay_app.

Change-Id: I1d06669d2f1acf953e50867dfa2b264ccaee29a4

Assign priviliged apps not signed with the platform key to the priv_app
domain.

Bug: 22033466
Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc

Introduce "neverallow" rules for seapp_contexts. A neverallow rule is
similar to the existing key-value-pair entries but the line begins
with "neverallow". A neverallow violation is detected when all keys,
both inputs and outputs are matched. The neverallow rules value
parameter (not the key) can contain regular expressions to assist in
matching. Neverallow rules are never output to the generated
seapp_contexts file.

Also, unless -o is specified, checkseapp runs in silent mode and
outputs nothing. Specifying - as an argument to -o outputs to stdout.

Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"

Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>

SELinux policy booleans are prohibited in AOSP, so we can drop the
support for the sebool= input selector.

Change-Id: I5ae31247b2f68d90f6ae4c8830458f22c4ffc854
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Commit 92dfa31f added "seinfo=platform"
to all fixed UID domains. However, that caused problems for shared_relro.
shared_relro runs like an isolated app, and doesn't have an seinfo field
associated with it.

This causes a crash when system_server attempts to start shared_relro.

  W art     : PreZygoteFork called when we already have a zygote space.
  E SELinux : seapp_context_lookup:  No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a
  E SELinux : selinux_android_setcontext:  Error setting context for app with uid 1037, seinfo (null): Success
  E Zygote  : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed
  F art     : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort
  I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a
  W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
  W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
  F art     : art/runtime/runtime.cc:331] Runtime aborting...
  F art     : art/runtime/runtime.cc:331] Aborting thread:
  F art     : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native
  F art     : art/runtime/runtime.cc:331]   | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800
  F art     : art/runtime/runtime.cc:331]   | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80
  F art     : art/runtime/runtime.cc:331]   | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  F art     : art/runtime/runtime.cc:331]   | stack=0xbe39d000-0xbe39f000 stackSize=8MB
  F art     : art/runtime/runtime.cc:331]   | held mutexes= "abort lock" "mutator lock"(shared held)
  F art     : art/runtime/runtime.cc:331]   kernel: (couldn't read /proc/self/task/1176/stack)
  F art     : art/runtime/runtime.cc:331]   native: (backtrace::Unwind failed for thread 1176)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91)
  F art     : art/runtime/runtime.cc:331]   at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227)

removing seinfo=platform from shared_relro fixed this bug, but then
revealed two new SELinux denials:

  E SELinux : avc:  denied  { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
  E SELinux : avc:  denied  { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

Add the needed SELinux rule.

Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810

The current policy would allow any application that were to
"magically" get a sensitive UID into the coresponding
sensitive domain. Rather then only using UID as an input
selector, require seinfo=platform.

Change-Id: I8a7490ed55bdcd3e4a116aece2c3522b384024ec

Add levelFrom=user to the entries for apps other than those
that run in the predefined platform UIDs (e.g. system, nfc, radio, ...).
This causes libselinux to assign a per-user category set computed from
the user ID portion of the Linux UID to each app process and its
/data/data/<pkgdir> or /data/user/N/<pkgdir> directory.  These
per-user category sets can be seen in the last field of ps -Z output for
apps and ls -Z /data/data or /data/user/N output for the package
directories.

With this applied, apps running on behalf of one user cannot read
or write files created by apps running on behalf of another user,
even if the file is world-readable or -writable.  Similar isolation is
enforced over process interactions (including /proc/pid file access),
local socket communications, and System V IPC, as expressed in the
set of constraints defined in the mls configuration.  At present,
Binder IPC is not restricted by the mls configuration; if desired,
there is a constraint in the configuration that can be uncommented
to also apply isolation on direct binder IPC, although communication
will still be possible indirectly via the system_server.

Bug: 13507660
Change-Id: I3972f846ff5e7363799ba521f1258d662b18d64e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Enable labeling apps differently depending on whether they
are running for the primary user / owner or for a secondary user.

Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Needed to support https://android-review.googlesource.com/80871

Change-Id: Iba569c046135c0e81140faf6296c5da26a243037

Define a domain and appropriate access rules for shared RELRO files
(used for loading the WebView native library). Any app is permitted to
read the files as they are public data, but only the shared_relro
process is permitted to create/update them.

Bug: 13005501
Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e

We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).

It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.

As there is now only a single platform app domains, get rid of the
platformappdomain attribute and platform_app_domain() macro.  We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.

Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well.  However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is a trivial change to seapp_contexts to force a relabel
of /data/data directories by PMS/installd by yielding a
different hash value for comparison against /data/system/seapp_hash.
This change does not alter any actual app process or data directory
labeling decisions.  The seapp_contexts entries are sorted upon
loading by libselinux to match the precedence rules described
in the comment header, so ordering in this file should not matter.

This should not be merged before the code changes with the same Change-Id.

Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This appears to have been created to allow untrusted_app to
access DownloadProvider cache files without needing to allow
open access to platform_app_data_file.  Now that platform_app_data_file
is gone, there is no benefit to having this type.

Retain a typealias for download_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

This change depends on:
https://android-review.googlesource.com/#/c/87801/



Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

In the absence of any levelFrom= specifier, the default is none,
so this is unnecessary and conspicuous in contrast to all other
entries.  It came from switching our default of levelFrom=app
to levelFrom=none in AOSP rather than just dropping it.

Change-Id: Ia2f8c72200318ef66a1b6d6b6c117f8848441d7f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Extend check_seapp to accept the use of the new path= specifier
in seapp_contexts and use it to ensure proper labeling of the cache
subdirectory of com.android.providers.downloads for restorecon.

After this change, restorecon /data/data/com.android.providers.downloads/cache
does not change the context, leaving it in download_file rather than
relabeling it to platform_app_data_file.

Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.

Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00

In the process of taking a bugreport, "dumpstate -B" will instruct
zygote to fire up com.android.shell, which runs as UID=2000.
This transition was not included in seapp_contexts, so zygote
didn't know how to properly set the context for the shell user.

Add an entry to allow zygote to know what to do with UID=2000
requests.

Bug: 9588981
Change-Id: I2e726be8d58437ef1de3bcbad3b897a97ed18e22

In the process of taking a bugreport, "dumpstate -B" will instruct
zygote to fire up com.android.shell, which runs as UID=2000.
This transition was not included in seapp_contexts, so zygote
didn't know how to properly set the context for the shell user.

Add an entry to allow zygote to know what to do with UID=2000
requests.

Bug: 9588981
Change-Id: I2e726be8d58437ef1de3bcbad3b897a97ed18e22

Change-Id: I555361d732b8f1bdc90c231a3183a85526a5a558

Change-Id: Ib37b392cb6f6d3fb80852b9a2a6547ab86cd9bff
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I555361d732b8f1bdc90c231a3183a85526a5a558

Introduce a levelFrom=none|app|user|all syntax for specifying
per-app, per-user, or per-combination level assignment.
levelFromUid=true|false remains valid syntax but is deprecated.
levelFromUid=true is equivalent to levelFrom=app.

Update check_seapp to accept the new syntax.
Update seapp_contexts to document the new syntax and switch
from levelFromUid=true to levelFrom=app.  No change in behavior.

Change-Id: Ibaddeed9bc3e2586d524efc2f1faa5ce65dea470
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

- allow all apps to connect to the keystore over unix socket
- dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
- mtp connects to dnsproxyd when a pptp vpn connection is established
- allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
- WifiWatchDog uses packet_socket when wifi comes up
- apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
- for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject

Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>

The app_* syntax was a legacy of the original approach of looking up
the username returned by getpwuid() and the original username encoding
scheme by bionic.  With the recent changes to move away from this approach,
there is no reason to retain that syntax.  Instead, just use _app to match
app UIDs and _isolated to match isolated service UIDs.  The underscore
prefix is to signify that these are not real usernames and to avoid
conflicts with any system usernames.

Requires a corresponding change to libselinux.

Change-Id: Ic388a12c1c9d3e47386c8849db607140ef8a3d75
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Used when an app service is declared with android:isolatedProcess="true".
Place such processes in a separate domain, and further isolate them
from each other via categories.

Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.

Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder.  Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.