When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The recovery and update_binary need to access the /oem partition for
devices like sprout.

Bug: 19764039
Change-Id: I3647c5d72ed708cd797968669fa1116a3ba39542
(cherry picked from commit d245789c)

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

With the move to block based OTAs, we're never going to fix
this bug. Remove the auditallow statement to avoid SELinux log
spam.

Bug: 15575013
Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd

Bug: 18642766

Change-Id: I97d6ab0b76b69d99dcc1928232c8961437e1e68c
Signed-off-by: Patrick Tjin <pattjin@google.com>

Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

(cherrypicked from commit 683ac49d)

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c

Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7

Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e

Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: I714ccb34f60d1413d2b184dae9b561cd06bc6b45

Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d

Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: Ib80e5b910d9ad4252cb80e7ce2f85e478cd94816

Rename sdcard_internal/external types to fuse and vfat
respectively to make it clear that they are assigned to any
fuse or vfat filesystem by default (absent a context= mount option)
and do not necessarily represent the SDcard.

The sdcard_type attribute is still assigned to both types and
can still be used in allow rules to permit access to either the
internal or external SDcard.

Define type aliases for the old names to preserve compatibility
on policy reload and for device-specific policies that may not yet
be updated.

Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

adb sideload depends on the ability to access the fuse
directory. Flipping recovery into enforcing started triggering
the following denial:

  type=1400 audit(17964905.699:7): avc:  denied  { search } for  pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir

Change-Id: I27ee0295fa2e2d0449bfab4f95bfbc076e92cf59

Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.

Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3

The recovery script may ask to label a file with a label not
known to the currently loaded policy. Allow it.

Addresses the following denials:

  avc:  denied  { relabelto } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
  avc:  denied  { setattr } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94

The new sideloading mechanism in recovery needs to create a fuse
filesystem and read files from it.

Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

execute_no_trans controls whether a domain can execve a program
without switching to another domain.  Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon).  Prohibit it otherwise for the
kernel domain via neverallow.  This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.

Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

[  265.263738] type=1400 audit(17091747.819:4): avc:  denied  { write } for  pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
[  265.293154] type=1400 audit(17091747.849:5): avc:  denied  { execute } for  pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
[  265.299479] type=1400 audit(17091747.859:6): avc:  denied  { setgid } for  pid=177 comm="recovery" capability=6  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
[  265.299511] type=1400 audit(17091747.859:7): avc:  denied  { read write } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299531] type=1400 audit(17091747.859:8): avc:  denied  { open } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299863] type=1400 audit(17091747.859:9): avc:  denied  { setuid } for  pid=177 comm="recovery" capability=7  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time.  The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).

Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow.  This ensures that the no write to /system
restriction cannot be bypassed via context= mount.

Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:

  set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
  set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");

which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.

Allow this behavior for now, even though it's obviously a bug.

Also, allow recovery to read through the /dev directory.

Addresses the following denials:
  avc:  denied  { read } for  pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc:  denied  { open } for  pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc:  denied  { relabelto } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { getattr } for  pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { setattr } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { relabelfrom } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir

Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127

single quotes make the m4 parser think it's at the end of
a block, and generates the following compile time warning:

  external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720:

Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b

Addresses the following denials:

    avc:  denied  { read write } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { open } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { ioctl } for  pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { sys_tty_config } for  pid=132 comm="recovery" capability=26  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
    avc:  denied  { setfcap } for  pid=142 comm="update_binary" capability=31  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154

Make sure we have all necessary rules to modify system_file and
exec_type.

Allow writing to /proc/sys/vm/drop_caches and other proc
files.

Addresses denials like:

  avc:  denied  { getattr } for  pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { read } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { open } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { remove_name } for  pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { add_name } for  pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { write } for  pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file

recovery is still in permissive_or_unconfined(), so no rules are
being enforced.

Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59

Better refine the rules surrounding the recovery SELinux
domain, and get rid of dmesg log spam.

Recovery is still in permissive_or_unconfined(), so no expected
change in behavior.

Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c

Switch from using unconfined_domain() to permissive_or_unconfined().
For user builds, or builds with FORCE_PERMISSIVE_TO_UNCONFINED=true,
this is a no-op. For userdebug / eng builds, this will allow us to
collect denials from /proc/last_kmsg.

Change-Id: I41e1a206b2a3b0eee34539bfebfc5deee9e18a42

Create a separate recovery policy and only include the
recovery domain allow rules in it.

Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Narrow the relabelto rules to a more specific type set
for each domain.

Drop mount permissions from the kernel domain since mounting
occurs after switching to the init domain.  This was likely
a residual of when all processes were left in the kernel domain
on a recovery boot due to the missing setcon statement in the
recovery init.rc.

Be consistent with unlabeled filesystems (i.e. filesystems
without any matching fs_use or genfs_contexts entry) so
that we can also unmount them.

Add comments to note the reason for various rules.

Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.

Allow recovery to write to /system. This is needed to apply OTA
images.

Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9

Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We added these rules to the recovery domain when we removed them
from unconfined to ensure that we did not break anything. But we
have seen no uses of these rules by the recovery domain.  Tested
wiping userdata and cache from the recovery and performing an
adb sideload of an ota zip file.

Change-Id: I261cb1124130f73e98b87f3e5a31d6d7f521ff11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files.  That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.

CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed.  CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.

Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 04ee5dfb)

Change-Id: I353fbe5da80f194cf1fd35053f91499ad0336692

Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.

Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files.  That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.

CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed.  CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.

Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.

Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ie3d73d2c8d5c73e8bd359123f6fd3c006f332323
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>