app_process is now a symlink to app_process32 or
app_process64, so we have to update the selinux
rules to explicitly refer to them.

See change 5a7ee9ad63d for context.

Change-Id: I7f7a107d79a8f7a3c193f97809e1e737540258f1

Neither mediaserver nor system_server appear to require
direct access to graphics_device, i.e. the framebuffer
device.  Drop it.

Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Address denials such as:
 avc:  denied  { read } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { open } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { getattr } for  path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { read } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { open } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file

Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9

This just adds a neverallow rule to ensure we never
add an allow rule permitting such mappings.

Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We added these rules to the recovery domain when we removed them
from unconfined to ensure that we did not break anything. But we
have seen no uses of these rules by the recovery domain.  Tested
wiping userdata and cache from the recovery and performing an
adb sideload of an ota zip file.

Change-Id: I261cb1124130f73e98b87f3e5a31d6d7f521ff11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We added these rules to the kernel domain when we removed them
from unconfined to ensure that we did not break anything.  But
we have seen no uses of these rules and this matches our expectation
that any actual operations that require these permissions occurs
after switching to the init domain.

Change-Id: I6f3556a26b0f6f4e6effcb874bfc9498e7dfaa47
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

These rules seem to be a legacy of old Android or perhaps old policy
before we began splitting types on /data.  I have not been able to
trigger the auditallow rules on AOSP master.  Reduce the rules to
only read access to system data.  If we need write access to some
specific directory under /data, we should introduce a type for it.

Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Address recent installd denials resulting from the recent
tightening of installd access to /data file types, including:
 avc:  denied  { unlink } for  name="._playmusicid" dev="mmcblk0p30" ino=1038393 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
 avc:  denied  { search } for  pid=195 comm="installd" name="app-asec" dev="mmcblk0p28" ino=578225 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=dir

Change-Id: I957738139678699949da9ad09d3bddb91605f8cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Too many leaky files in that directory. It's a security best practice
to not mount this filesystem, however, we need it mounted for
tracing support. Even though it's mounted, make sure the files aren't
readable.

Bug: 11635985
Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd

Change-Id: If6b85fbb2332f7a03b603f2d46bd2f73c778ecf9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc:  denied  { read write } for  path="socket:[33571]" dev="sockfs" ino=33571 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=unix_dgram_socket

Change-Id: Icb1ee00d8513179039bfb738647f49480e836f25
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
 avc:  denied  { getattr } for  path="pipe:[167684]" dev="pipefs" ino=167684 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file

Change-Id: I1120c8b130a592e40992c5233650345640a23a87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Drop rules on data_file_type attribute and replace with rules
on specific types under /data.

Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

I didn't fix unpublished denials before switching this into enforcing. Need to revert.

This reverts commit ae505511.

Bug: 14844424
Change-Id: I01408b77a67ad43a8fb20be213d3ffbace658616

Kernel userspace helpers may be spawned running in the kernel
SELinux domain. Those userspace helpers shouldn't be able to turn
SELinux off.

This change revisits the discussion in
https://android-review.googlesource.com/#/c/71184/

At the time, we were debating whether or not to have an allow rule,
or a dontaudit rule. Both have the same effect, as at the time we
switch to enforcing mode, the kernel is in permissive and the operation
will be allowed.

Change-Id: If335a5cf619125806c700780fcf91f8602083824

- permit logd control from system_app

Bug: 14563261
Change-Id: Id5992cca70647a0e4b913a793c6ba8334dc57963

Report any attempts by zygote to create/write files in system_data_file
so that we can ultimately move any such cases to their own type
and reduce this to read-only access.

Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

installd creates /data/.layout_version.  Introduce a separate type
for this file (and any other file created by installd under a directory
labeled system_data_file) so that we can allow create/write access by
installd without allowing it to any system data files created by other
processes.  This prevents installd from overwriting other system data
files, and ensure that any files it creates will require explicit
rules in order to access.

Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I29202292a78f0d2ae3b5da235c1783298f14bed8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ib4b4ebda74a9ebf08f38d73521d67bf98cd0ee67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ib4cbaee280628845d026e827d7e16f347594fc26
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Drop rules on data_file_type attribute and replace with
rules on specific types, coalescing with existing rules
where appropriate.  Reorganize the rules and try to
annotate the reason for the different rules.

Change-Id: I2d07e7c276a9c29677f67db0ebecfc537c084965
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

91a4f8d4 created system_app_data_file,
and assigned all system_apps to use this file type. For testing purposes,
our automated testing infrastructure sideloads shared system UID apks.
Installd does not have permission to create the lib symlink, so the
installation fails.

Allow installd to create this symlink.

  repro:
  adb install AppLaunch.apk
  276 KB/s (8414 bytes in 0.029s)
         pkg: /data/local/tmp/AppLaunch.apk
  Failure [INSTALL_FAILED_INTERNAL_ERROR]

  logcat:
  05-08 23:16:36.336   605   637 I PackageManager: Copying native libraries to /data/app-lib/vmdl609237490
  05-08 23:16:36.338   605   637 W asset   : Installing empty resources in to table 0x5e89a368
  05-08 23:16:36.359   193   193 W installd: type=1400 audit(0.0:29): avc:  denied  { create } for  name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file
  05-08 23:16:36.363   193   193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied
  05-08 23:16:36.364   605   637 W PackageManager: Failed linking native library dir (user=0)
  05-08 23:16:36.364   605   637 W PackageManager: Package couldn't be installed in /data/app/com.android.tests.applaunch-1.apk

Bug: 14659632
Change-Id: Iac4890302cd070aa3f71553af217f343ed7b8bc3

Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf