dumpstate runs "df" on all mounted filesystems. Allow dumpstate
to access /storage/emulated so df works.

Addresses the following denial:

  avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir

Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7

Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd

System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b

avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=3129 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=0

Change-Id: I802321331e9bd7ae41d3af7ace39364240db6d84

Apps, shell and adbd should all have identical access to external
storage.  Also document where we have files and/or symlinks.

Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe

For the reasons explained in the pre-existing code, we don't want
to grant fsetid to netd, nor do we want denial messages to be
generated.

Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc

oat dir inside apk_tmp_file should be labeled as dalvikcache_data_file.

Bug: 19550105
Change-Id: Ie928b5f47bfc42167bf86fdf10d6913ef25d145d

Same change as 9819a6 but for nfc.

Nfc can receive bugreport data for beaming to another device.
This comes across as an open file descriptor. Allow nfc access
to bugreports.

Addresses the following denial:

  avc: denied { read } for path="/data/data/com.android.shell/files/bugreports/bugreport-2015-03-30-04-49-57.txt" dev="mmcblk0p27" ino=82334 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file op_res=-13 ppid=435 pcomm="main" tgid=23475 tgcomm="m.android.shell"

Change-Id: I3efefcdb46444a1a6520803cb5e68bbdf29d3ad6

Some devices still have pre-built binaries with text relocations
on them. As a result, it's premature to assert a neverallow rule
for files in /system

Bug: 20013628
Change-Id: I3a1e43db5c610164749dee6882f645a0559c789b

system_server no longer has universal service_manager_type permissions and so no
longer needs the auditallow rules therewith associated.

Change-Id: I1e6584c120f6fc464a4bf6b377d9d7ea90441477

vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices.

When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.

Bug: 19993667
Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5

Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf

Executing dumpsys meminfo over the console shell requires that output go to the
console_device.  meminfo passes a fd to each applicaiton thread so that it can
do this in IApplicationThread.dumpMemInfo().  Allow use of this fd.

Addresses the following denial:
type=1400 audit(1426793987.944:4224): avc: denied { read write } for pid=1809 comm="Binder_4" path="/dev/console" dev="tmpfs" ino=5684 scontext=u:r:platform_app:s0 tcontext=u:object_r:console_device:s0 tclass=chr_file

Bug: 17135173
Change-Id: Id5340a1fb3c8dbf41bda427720c4a0047bc557fc

Allow CAP_BLOCK_SUSPEND
Allow reading /dev/input/*

(cherrypicked from commit 2133c2a1)

Change-Id: I869a4921e024702300aa9ecba9cdf84ae2b6edac

Add rules to let sgdisk read/write to pts when forked from vold.

avc: denied { read write } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:sgdisk:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Also add rule to let it kick kernel to reload partition tables after
we finish editing them.  Without this capability, it leaves this
message and violation:

Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot.
GPT data structures destroyed! You may now partition the disk using fdisk or
other utilities.

avc: denied { sys_admin } for capability=21 scontext=u:r:sgdisk:s0 tcontext=u:r:sgdisk:s0 tclass=capability permissive=0

Change-Id: If26a40f9fd3b1ab2c50156ae8bdb128676521b57

Creates new directory at /data/misc/vold for storing key material
on internal storage.  Only vold should have access to this label.

Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465

As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/


drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.

Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.

Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is for the new addAuthToken keystore method from
I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to
authorize keymaster operations. The tokens are HMAC'd and so shouldn't
be fakeable but this is still limited to system_server only.

Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47

Create new vold_fsck domain that only has access to vold_block
devices to prevent any access to internal userdata.

Change-Id: I25ddcd16cbf83d7a25b70bc64d95f5345d0d5731

Add wakelock_use to slideshow.te to fix the following denial:

avc:  denied  { block_suspend } for  pid=137 comm="slideshow" capability=36  scontext=u:r:slideshow:s0 tcontext=u:r:slideshow:s0 tclass=capability2 permissive=0

Change-Id: If84f167cd235e8196eadf3fb85cc725a5ea464e6

This fixes the following policy violation:
avc: denied { read } pid=30295 comm="app_process"
tcontext=u:object_r:dalvikcache_data_file:s0
scontext=u:r:dumpstate:s0 tclass=lnk_file
permissive=0 ppid=26813 pcomm="dumpstate"
pgid=26813 pgcomm="dumpstate"

See 0e32726 in app.te for a symmetrical
change.

Change-Id: Iecbccd5fd0046ec193f08b26f9db618dee7a80c1

Change-Id: Ia279dfd11cc093e066bff66d7397dfe9e906aba8

avc: denied { read } for name="primary" dev="tmpfs" ino=3134 scontext=u:r:shell:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file

Change-Id: Id0ed2297a89054199fc73f27b18f717ae19c6778

An upcoming platform release is redesigning how external storage
works.  At a high level, vold is taking on a more active role in
managing devices that dynamically appear.

This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid.  It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.

For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.

Slightly relax system_server external storage rules to allow calls
like statfs().  Still neverallow open file descriptors, since they
can cause kernel to kill us.

Here are the relevant violations that this CL is designed to allow:

avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd

Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1

The deprecated/deleted usbfs kernel driver gets really unhappy when
SELinux denies it access to directories. On flo (3.4.0 kernel), this
comes across as an SELinux denial followed by a kernel panic.

Steps to reproduce:

  1. plug in a USB device.
  2. notice nothing happens.
  3. unplug the USB device
  4. plug it in again, watch for restart.

Expected:
  USB device works

Actual:
  [329180.030242] Host mode: Set DC level as 0x68 for flo.
  [329180.030395] msm_hsusb_host msm_hsusb_host: Qualcomm On-Chip EHCI Host Controller
  [329180.030639] Unable to create devices usbfs file
  [329180.030944] type=1400 audit(1425327845.292:12): avc: denied { search } for pid=24033 comm="kworker/0:1" name="/" dev="usbfs" ino=291099 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=dir
  [329180.060394] msm_hsusb_host msm_hsusb_host: new USB bus registered, assigned bus number 1
  [329180.091583] msm_hsusb_host msm_hsusb_host: irq 132, io mem 0x12500000
  [deleted]
  [329180.120178] hub 1-0:1.0: USB hub found
  [329180.120452] hub 1-0:1.0: 1 port detected
  [329180.123199] Unable to handle kernel NULL pointer dereference at virtual address 00000070
  [329180.123443] pgd = c0004000
  [329180.123809] [00000070] *pgd=00000000
  [329180.124206] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
  [329180.124481] CPU: 0    Tainted: G        W     (3.4.0-g2e8a935 #1)
  [329180.124908] PC is at mutex_lock+0xc/0x48
  [329180.125122] LR is at fs_create_file+0x4c/0x128
  [329180.125518] pc : [<c0916708>]    lr : [<c0440ec4>]    psr: a0000013
  [deleted]
  [329180.281005] [<c0916708>] (mutex_lock+0xc/0x48) from [<c0440ec4>] (fs_create_file+0x4c/0x128)
  [329180.281280] [<c0440ec4>] (fs_create_file+0x4c/0x128) from [<c04410c8>] (usbfs_notify+0x84/0x2a8)
  [329180.281738] [<c04410c8>] (usbfs_notify+0x84/0x2a8) from [<c009c3b8>] (notifier_call_chain+0x38/0x68)
  [329180.282257] [<c009c3b8>] (notifier_call_chain+0x38/0x68) from [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58)
  [329180.282745] [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) from [<c009c628>] (blocking_notifier_call_chain+0x14/0x18)
  [329180.283264] [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) from [<c043ef8c>] (generic_probe+0x74/0x84)
  [329180.283752] [<c043ef8c>] (generic_probe+0x74/0x84) from [<c04387c4>] (usb_probe_device+0x58/0x68)
  [329180.284240] [<c04387c4>] (usb_probe_device+0x58/0x68) from [<c03adc78>] (driver_probe_device+0x148/0x360)
  [329180.284576] [<c03adc78>] (driver_probe_device+0x148/0x360) from [<c03ac76c>] (bus_for_each_drv+0x4c/0x84)
  [329180.285034] [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) from [<c03adfc8>] (device_attach+0x74/0xa0)
  [329180.285522] [<c03adfc8>] (device_attach+0x74/0xa0) from [<c03ac94c>] (bus_probe_device+0x28/0x98)
  [329180.286041] [<c03ac94c>] (bus_probe_device+0x28/0x98) from [<c03ab014>] (device_add+0x444/0x5e4)
  [329180.286529] [<c03ab014>] (device_add+0x444/0x5e4) from [<c042f180>] (usb_new_device+0x248/0x2e4)
  [329180.286804] [<c042f180>] (usb_new_device+0x248/0x2e4) from [<c043472c>] (usb_add_hcd+0x420/0x64c)
  [329180.287292] [<c043472c>] (usb_add_hcd+0x420/0x64c) from [<c044600c>] (msm_otg_sm_work+0xe74/0x1774)
  [329180.287811] [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) from [<c0091d8c>] (process_one_work+0x280/0x488)
  [329180.288299] [<c0091d8c>] (process_one_work+0x280/0x488) from [<c00921a8>] (worker_thread+0x214/0x3b4)
  [329180.288787] [<c00921a8>] (worker_thread+0x214/0x3b4) from [<c0096b14>] (kthread+0x84/0x90)
  [329180.289276] [<c0096b14>] (kthread+0x84/0x90) from [<c000f3c8>] (kernel_thread_exit+0x0/0x8)

Allow the usbfs operation.

Bug: 19568950
Change-Id: Iffdc7bd93ebde8bb75c57a324b996e1775a0fd1e

Add selinux rules to allow file level encryption to work

Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209

Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df