- Aug 12, 2015
-
-
Richard Haines authored
This change supports external/libselinux changes to implement PCRE formatted binary file_contexts and general_file_contexts.bin files. The $(intermediates) directory will contain the original text file (that is no longer used on the device) with a .tmp extension as well as the .bin file to aid analysis. A CleanSpec.mk file is added to remove the old file_contexts file.
Change-Id: I75a781100082c23536f70ce3603f7de42408b5ba
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
-
- Aug 11, 2015
-
-
Dan Willemsen authored
There are no guarantees on the order of the results from a call to the wildcard function. In fact, the order usually changes between make 3.81 and make 4.0 (and kati). Instead, sort the results of wildcard in each sepolicy directory, so that directory order is preserved, but content ordering is reliable.
Change-Id: I1620f89bbdd2b2902f2e0c40526e893ccf5f7775
-
- Jul 30, 2015
-
-
Yasuhiro Matsuda authored
This CL adds the SELinux settings required to support tracing during boot.
https://android-review.googlesource.com/#/c/157163/
BUG: 21739901
Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0
-
- Jul 29, 2015
-
-
Daniel Micay authored
The device-independent code only needs read access to sysfs, and this appears to be enough for at least some devices (Nexus 5).
Bug: 22827371
Change-Id: I3b7b068e98f11f9133f0bdea8ece363e4bd89ae8
-
Daniel Rosenberg authored
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Bug: 18068520
Bug: 21852542
Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049
-
- Jul 28, 2015
-
-
Jeffrey Vander Stoep authored
-
Jeffrey Vander Stoep authored
This reverts commit 2dabf174.
Change-Id: I7e35a6ea1b8d5958c65eb04a7c9a04ba807b1181
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Bug: 18068520
Bug: 21852542
Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff
-
Daniel Rosenberg authored
Change-Id: I9496af008aa3ad1bf33fb5911c8dd711af219440
-
- Jul 27, 2015
-
-
Daniel Rosenberg authored
Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
-
- Jul 24, 2015
-
-
William Roberts authored
Allow device builders to pass arbitrary m4 definitions during the build via make variable BOARD_SEPOLICY_M4DEFS. This enables OEMs to define their own static policy build conditionals.
Change-Id: Ibea1dbb7b8615576c5668e47f16ed0eedfa0b73c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Jul 17, 2015
-
-
Colin Cross authored
Improve incremental ninja builds by keeping the command line the same across builds.
Change-Id: Iedbaa40c9f816f91afc8f073a9ed7f9ffd5d9a53
-
- Jul 16, 2015
-
-
Nick Kralevich authored
-
William Roberts authored
Change-Id: Iae3edba40a94f78e78c0cc89a03e3f5a098d3909
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Jul 15, 2015
-
-
dcashman authored
Change-Id: I34db8855a55426f6a590a89cc6c157e1ccd50ff9
-
- Jul 14, 2015
-
-
Evgenii Stepanov authored
This is in addition to /data/lib. Only affects SANITIZE_TARGET=address builds.
Bug: 21785137
Change-Id: Id1983cabb9479ae2d38fb23691de3eba236fe9cb
-
Nick Kralevich authored
Init never uses / add service manager services. It doesn't make sense to allow these rules to init. Adding a rule of this type is typically caused by a process inappropriately running in init's SELinux domain, and the warning message:
Warning! Service %s needs a SELinux domain defined; please fix!
is ignored. In addition, add neverallow rules to domain.te which prevent nonsense SELinux service_manager rules from being added.
Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
-
- Jul 13, 2015
-
-
dcashman authored
-
dcashman authored
Domains have the ability to read normal tmpfs files but not symlinks. Grant this ability. In particular, allow domains to read /mnt/sdcard. Addresses the following denial:
type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
Bug: 20755029
Change-Id: I0268eb00e0eb43feb2d5bca1723b87b7a44f31a9
-
dcashman authored
/proc/iomem is currently given the proc label but contains system information which should not be available to all processes.
Bug: 22008387
Change-Id: I4f1821f40113a743ad986d13d8d130ed8b8abf2f
-
- Jul 10, 2015
-
-
William Roberts authored
Lowercase local variables and clear them to be consistent with other recipes and prevent polluting Make's global name space with set variables.
Change-Id: If455cd4f33d5babbea985867a711e8a10c21a00f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
Jeff Vander Stoep authored
-
Jeff Vander Stoep authored
avc: denied { write } for pid=14742 comm="procrank" path="/data/data/com.android.shell/files/bugreports/bugreport-2015-07-02-22-17-43.txt.tmp" dev="dm-2" ino=44479 scontext=u:r:procrank:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
Bug: 22400298
Change-Id: Ibf5dcf9f7edf416e977577afc32bbbef62e50974
-
- Jul 08, 2015
-
-
William Roberts authored
To help reduce code injection paths, a neverallow is placed to prevent domain, sans untrusted_app and shell, execute on data_file_type. A few data_file_type's are also exempt from this rule as they label files that should be executable. Additional constraints, on top of the above, are placed on domains system_server and zygote. They can only execute data_file_type's of type dalvikcache_data_file.
Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Jul 07, 2015
-
-
William Roberts authored
Change-Id: I040904b69b98c49d60546f024f5ace5b7c6f7d5e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Jun 30, 2015
-
-
William Roberts authored
Change-Id: Ie800ebf9d8e68680ec377e8c51f7cd7717f3c755
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Jun 29, 2015
-
-
William Roberts authored
Change-Id: Ibd22582deb24fde49cdb71b8754446f3948db36c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
William Roberts authored
Produce a list of neverallow assertions from seapp_contexts into a separate file, general_seapp_context_neverallows, to be used during CTS neverallow checking.
Change-Id: I171ed43cf4ae4961f66d5d8f56695345493f1261
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Jun 27, 2015
-
-
William Roberts authored
Change-Id: If944d8bd1e324f6500920ee3c5d44611ec7f8af9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- Jun 25, 2015
-
-
William Roberts authored
Introduce "neverallow" rules for seapp_contexts. A neverallow rule is similar to the existing key-value-pair entries but the line begins with "neverallow". A neverallow violation is detected when all keys, both inputs and outputs, are matched. The neverallow rule's value parameter (not the key) can contain regular expressions to assist in matching. Neverallow rules are never output to the generated seapp_contexts file. Also, unless -o is specified, checkseapp runs in silent mode and outputs nothing. Specifying - as an argument to -o outputs to stdout.
Sample Output:
Error: Rule in File "external/sepolicy/seapp_contexts" on line 87: "user=fake domain=system_app type=app_data_file" violates neverallow in File "external/sepolicy/seapp_contexts" on line 57: "user=((?!system).)* domain=system_app"
Change-Id: Ia4dcbf02feb774f2e201bb0c5d4ce385274d8b8d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
Daniel Cashman authored
-
- Jun 23, 2015
-
-
William Roberts authored
rule_map_free() took as a parameter a boolean menu rule_map_switch that was used to determine if it should free the key pointer that is also in the table. On GLIBC variants, calls to hdestroy do not free the key pointer; on NON-GLIBC variants, it does. The original patch was meant to correct this; however, it always passes "destroy" as the rule_map_switch. On GLIBC variants this is fine; however, on NON-GLIBC variants, that free was compiled out, and the free() was handled by hdestroy. In cases of failure where the rule_map was not in the htable, those keys were not properly free'd.
Change-Id: Ifdf616e09862bca642a4d31bf0cb266168170e50
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
Stephen Smalley authored
Despite removing these from AOSP policy they seem to still be present in device policies. Prohibit them via neverallow. We would also like to minimize execmem to only app domains and others using ART, but that will first require eliminating it from device-specific service domains (which may only have it due to prior incorrect handling of text relocations).
Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Jeff Vander Stoep authored
Change-Id: I2aef01ba72cae028d5e05deddbdeff674f9a534d
-
Daniel Cashman authored
-
Daniel Cashman authored
-
William Roberts authored
Change-Id: I00aa4eeaf569c8108a7b6aab190be68e53b46597
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-