Also add attribute for a potential unused
function argument when dealing with darwin
SDK builds.

Change-Id: Iefdbecb050cc5fff6036f15413566e10cefa3813

Temporarily revert -Wall -Werror on checkseapp.
This is causing a compiler error on darwin SDK builds.

cc1: warnings being treated as errors
external/sepolicy/tools/check_seapp.c: In function 'rule_map_free':
external/sepolicy/tools/check_seapp.c:439: warning: unused parameter 's'
make: *** [out/host/darwin-x86/obj/EXECUTABLES/checkseapp_intermediates/check_seapp.o] Error 1

Change-Id: I9776777a751f16d5ca0d90e731482c31dac813f9

And also remove the unnecessary references to libselinux for
sepolicy-check, as it has no dependencies on libselinux.
Also enable -Wall -Werror on building all of these tools and
fix up all such errors.

Usage:
$ sepolicy-analyze -e -P out/target/product/<device>/root/sepolicy
or
$ sepolicy-analyze -d -P out/target/product/<device>/root/sepolicy

The first form will display all type pairs that are "equivalent", i.e.
they are identical with respect to allow rules, including indirect allow
rules via attributes and default-enabled conditional rules (i.e. default
boolean values yield a true conditional expression).

Equivalent types are candidates for being coalesced into a single type.
However, there may be legitimate reasons for them to remain separate,
for example:
- the types may differ in a respect not included in the current
analysis, such as default-disabled conditional rules, audit-related
rules (auditallow or dontaudit), default type transitions, or
constraints (e.g. mls), or
- the current policy may be overly permissive with respect to one or the
other of the types and thus the correct action may be to tighten access
to one or the other rather than coalescing them together, or
- the domains that would in fact have different accesses to the types
may not yet be defined or may be unconfined in the policy you are
analyzing (e.g. in AOSP policy).

The second form will display type pairs that differ and the first
difference found between the two types.  This output can be long.

We have plans to explore further enhancements to this tool, including
support for identifying isomorphic types.  That will be required to
identify similar domains since all domains differ in at least their
entrypoint type and in their tmpfs type and thus will never show up as
equivalent even if they are in all other respects identical to each other.

Change-Id: If0ee00188469d2a1e165fdd52f235c705d22cd4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*.  bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former.  This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).

Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I410ba7dc105322135463fa6f76cac75d6b65e38a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Every device has a CPU. This is not device specific.

Allow every domain to read these files/directories.
For unknown reasons, these files are accessed by A LOT
of processes.

Allow ueventd to write to these files. This addresses
the following denials seen on mako:

<5>[    4.935602] type=1400 audit(1383167737.512:4): avc:  denied  { read } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935785] type=1400 audit(1383167737.512:5): avc:  denied  { open } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935937] type=1400 audit(1383167737.512:6): avc:  denied  { search } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.936120] type=1400 audit(1383167737.512:7): avc:  denied  { write } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
<5>[    4.936303] type=1400 audit(1383167737.512:8): avc:  denied  { open } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file

Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936

Often times OEMs and other integrators will need to create PEM
files from presigned APKs they are integrating. This patch will
update the README to include a technique for doing so.

Change-Id: Ica52269542409d2038cfe30cbd5f28ead2fba4de

Some bluetooth implementations write to bluetooth.* properties.
It seems reasonable to allow this for all bluetooth implementations.

This addresses the following denial (seen on mako):

<4>[  132.182755] avc:  denied  { set } for property=bluetooth.hciattach scontext=u:r:bluetooth:s0 tcontext=u:object_r:bluetooth_prop:s0 tclass=property_service

Change-Id: I6d92c0ff108838dd1107c5fb3c436699ef824814

Change-Id: Ib29d63b9bff0d3b1b2c152c4e4d82e21360aacc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ia92165478764b062e7e33e7741742f5ec8762ad9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Since Change-Id: If4f169d9ed4f37b6ebd062508de058f3baeafead
the insert_keys.py tool has had support for expanding
environment variable strings. This change addresses the lack
of an updated README covering said change.

Change-Id: I88e81ea58fb84110da3fc3cfb8b49fd0d6c027c2

In 9af6f1bd, the -d option
was dropped from insertkeys.py. This was done to allow an
Android distribution to replace the default version of
keys.conf distributed in external/sepolicy/keys.conf. keys.conf
was modified to reference the publicly known test keys in
build/target/product/security.

Unfortunately, this broke Google's build of Android. Instead
of incorporating our keys directory, we were using the
default AOSP keys. As a result, apps were getting assigned
to the wrong SELinux domain. (see "Steps to reproduce" below)

This change continues to allow others to replace keys.conf,
but makes DEFAULT_SYSTEM_DEV_CERTIFICATE available as an
environment variable in case the customized version wants to
make reference to it. This change also modifies the stock
version of keys.conf to use DEFAULT_SYSTEM_DEV_CERTIFICATE,
which should be appropriate for most Android distributions.
It doesn't make any sense to force each OEM to have a copy of
this file.

Steps to reproduce.

1) Compile and boot Android.
2) Run the following command: "adb shell ps -Z | grep process.media"

Expected:

  $ adb shell ps -Z | grep process.media
  u:r:media_app:s0               u0_a5     1332  202   android.process.media

Actual:

  $ adb shell ps -Z | grep process.media
  u:r:untrusted_app:s0           u0_a5     3617  187   android.process.media

Bug: 11327304
Change-Id: Ica24fb25c5f9c0e2f4d181718c757cf372467822

Change-Id: Ieda312d5607dd17af0bb70045fbaba8ddec38c94

Confine the mediaserver domain, restoring our rules for it,
but leave it permissive until sufficient testing has been
performed.

Change-Id: I3d10ee16f5125b11295bc40ff6f2e14080b4bd00
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise the following denials occur on mako:

<5>[    2.494246] type=1400 audit(1382544550.200:4): avc:  denied  { associate } for  pid=1 comm="init" name="time_in_state" dev="sysfs" ino=17444 scontext=u:object_r:sy
sfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.494735] type=1400 audit(1382544550.200:5): avc:  denied  { associate } for  pid=1 comm="init" name="total_trans" dev="sysfs" ino=17443 scontext=u:object_r:sysf
s_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.495162] type=1400 audit(1382544550.200:6): avc:  denied  { associate } for  pid=1 comm="init" name="stats" dev="sysfs" ino=17442 scontext=u:object_r:sysfs_devi
ces_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.495620] type=1400 audit(1382544550.200:7): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_governor" dev="sysfs" ino=17435 scontext=u:object_r
:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496047] type=1400 audit(1382544550.200:8): avc:  denied  { associate } for  pid=1 comm="init" name="cpuinfo_transition_latency" dev="sysfs" ino=17429 scontext=
u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496505] type=1400 audit(1382544550.200:9): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_available_frequencies" dev="sysfs" ino=17439 sconte
xt=u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496963] type=1400 audit(1382544550.200:10): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_driver" dev="sysfs" ino=17436 scontext=u:object_r:
sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem

Change-Id: I584a1cf61cb871a38be4d3b308cef03e64cfda8e

As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove unconfined_domain() from the bluetooth app domain,
restore the rules from our policy, and move the neverallow
rule for bluetooth capabilities to bluetooth.te.
Make the bluetooth domain permissive again until it has
received sufficient testing.

Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

In https://android-review.googlesource.com/66562 , there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.

Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

Change-Id: If4839218b200a0d90bdf7779d2e039719fae85a5

Modify check_seapp.c to verify that a packagname (name)
must be specified with a signing key (seinfo). This will
help thwart spoof attacks on the packagename.

Change-Id: I8f1aa8a479cb5beb5c3522d85e3181604931ea72

check_seapp at one point in time switch from a home implementation
of a hash table to using GLIBC search.h routines. A struct in one
of the fields was never removed during this transition.

Change-Id: I65c028103ffe90fa52e0b3c9fce28124ed9c7ff9

insertkeys.py used beginswith() when checking that the BEGIN
and END CERTIFICATE clauses in PEM files were correct. It should
have done an explicit check on equality.

Change-Id: I5efb48d180bc674e6281a26a955acd248588b8bd

Many keys end with whitespace or otherwise have whitespace separating the
certificates.  If insertkeys is intended to support multiple certificates, we
should also support blank line separators.

Change-Id: I5fd17be5785ad1b89a6191e9ba33bbc7c5a4e8e9

Apps may need to access the USB Accessory interface, which
involves reads / writes / etc to /dev/usb_accessory
and /dev/bus/usb/*

See http://developer.android.com/guide/topics/connectivity/usb/accessory.html
for more information.

This addresses the following denials:

[   80.075727] type=1400 audit(1379351306.384:9): avc:  denied  { read write } for  pid=496 comm="Binder_1" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[   86.204387] type=1400 audit(1379304688.579:10): avc:  denied  { getattr } for  pid=1750 comm="Thread-126" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[ 2773.581032] type=1400 audit(1379307375.959:22): avc:  denied  { read write } for  pid=761 comm="Binder_A" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.590843] type=1400 audit(1379307375.969:23): avc:  denied  { getattr } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.591111] type=1400 audit(1379307375.969:24): avc:  denied  { ioctl } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file

Bug: 10780497
Change-Id: I9663222f7a75dcbf3c42788a5b8eac45e69e00bb

Insert keys would erroneously process pem files
with openssl headers in them. Also, the tool would
be fooled into attempting to use pem files that
had private keys and other things in the format.
This patch strengthens the formatting requirements
and increases the verboseness of error messages
when processing pem files.

Change-Id: I03353faaa641233a000d1a18943024ae47c63e0f

* Keep ueventd in permissive
* Drop unconfined macro to collect logs
* Restore allow rules to current NSA maintained policy

Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b

Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1