Several device-specific policy changes with the same Change-Id
also add this attribute to device-specific types.

Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

It's a bug to have a type with both the file_type and fs_type
attribute. A type should be declared with either file_type,
or fs_type, but not both.

Create a neverallow rule which detects this situation. This works
because we have the following allow rule:

  allow fs_type self:filesystem associate;

If a type is a file_type and an fs_type, the associate allow rule
will conflict with this neverallow rule.

Not sure if this is the cleanest way to accomplish this, but it
seems to work.

Change-Id: Ida387b1df260efca15de38ae7a66ed25e353acaa

Right now usbfs doesn't have any labels, generating the
following kernel warnings:

<7>[    3.009582] SELinux: initialized (dev usbfs, type usbfs), not configured for labeling

and the occasional SELinux unlabeled auditallow logs:

<4>[  285.579254] type=1400 audit(1402010345.094:16): avc: granted { search } for pid=371 comm="qcks" name="/" dev="usbfs" ino=15794 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  285.632354] type=1400 audit(1402010345.154:18): avc: granted { search } for pid=371 comm="qcks" name="001" dev="usbfs" ino=15796 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir

Make sure usbfs is assigned via genfscon

Change-Id: I7191f2584014ba55a3c3a98e7efd0350dc958782

/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Define a domain and appropriate access rules for shared RELRO files
(used for loading the WebView native library). Any app is permitted to
read the files as they are public data, but only the shared_relro
process is permitted to create/update them.

Bug: 13005501
Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e

(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9

installd creates /data/.layout_version.  Introduce a separate type
for this file (and any other file created by installd under a directory
labeled system_data_file) so that we can allow create/write access by
installd without allowing it to any system data files created by other
processes.  This prevents installd from overwriting other system data
files, and ensure that any files it creates will require explicit
rules in order to access.

Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As per the discussion in:
https://android-review.googlesource.com/#/c/92903/



Add sysfs_type attribute to sysfs type so that it is included
in rules on sysfs_type, allow setattr to all sysfs_type for ueventd
for chown/chmod, and get rid of redundant rules.

Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Bug: 13340779
Change-Id: I6151b6b61ddf90327d51815d13fd65be561be587

Newer adbd versions use functionfs instead of a custom adb usb gadget.
Make sure the functionfs filesystem is properly labeled, and that adbd
has access to the functionfs files.

Once labeled, this addresses the following denials:

<12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[   16.127406] type=1400 audit(949060866.189:5): avc:  denied  { open } for  pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[  377.366011] type=1400 audit(949061227.419:16): avc:  denied  { ioctl } for  pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file

Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2

pstore(persistent store) have been applied since kernel 3.5
We need to label the pstore-fs in order to use Android with kernel 3.5 or upper version.
My kernel version is 3.10 and I got the below denial log when I ran the "df" command on the adb shell.

type=1400 msg=audit(1388540540.220:18): avc: denied { getattr } for pid=7296 comm="df" name="/" dev="pstore" ino=7703 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem

And the below log is also shown during booting

type=1400 msg=audit(1388539193.750:4): avc: denied { mount } for pid=2844 comm="mount" name="/" dev="pstore" ino=11393 scontext=u:r:init_shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem

Change-Id: Iaba543d44565c4f20a77a95b9573a628bbd3fd34

I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles
subdirectory to /data/dalvik-cache with files that must be
app-writable.  As a result, we have denials such as:
W/Profiler( 3328): type=1400 audit(0.0:199): avc:  denied  { write } for  name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null)
W/auditd  (  286): type=1307 audit(0.0:199):  cwd="/"
W/auditd  (  286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0

We do not want to allow untrusted app domains to write to the
existing type on other /data/dalvik-cache files as that could be used
for code injection into another app domain, the zygote or the system_server.
So define a new type for this subdirectory.  The restorecon_recursive /data
in init.rc will fix the labeling on devices that already have a profiles
directory created.  For correct labeling on first creation, we also need
a separate change to installd under the same change id.

Bug: 13927667
Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This appears to have been created to allow untrusted_app to
access DownloadProvider cache files without needing to allow
open access to platform_app_data_file.  Now that platform_app_data_file
is gone, there is no benefit to having this type.

Retain a typealias for download_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

This change depends on:
https://android-review.googlesource.com/#/c/87801/



Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { call } for  pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc:  denied  { write } for  pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc:  denied  { write } for  pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc:  denied  { ptrace } for  pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc:  denied  { sigkill } for  pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc:  denied  { write } for  pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { unlink } for  pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { read write } for  pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { write } for  pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while.  The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I0a06fa32a46e515671b4e9a6f68e1a3f8b2c21a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Allow writes to /proc/PID/oom_score_adj
* Allow writes to /sys/module/lowmemorykiller/*

Addresses the following denials:
<5>[    3.825371] type=1400 audit(9781555.430:5): avc:  denied  { write } for  pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[   48.874747] type=1400 audit(9781600.639:16): avc:  denied  { search } for  pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir
<5>[   48.874889] type=1400 audit(9781600.639:17): avc:  denied  { dac_override } for  pid=176 comm="lmkd" capability=1  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
<5>[   48.874982] type=1400 audit(9781600.639:18): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[   48.875075] type=1400 audit(9781600.639:19): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[   49.409231] type=1400 audit(9781601.169:20): avc:  denied  { write } for  pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  209.081990] type=1400 audit(9781760.839:24): avc:  denied  { search } for  pid=176 comm="lmkd" name="1556" dev="proc" ino=10961 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=dir
<5>[  209.082240] type=1400 audit(9781760.839:25): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[  209.082498] type=1400 audit(9781760.839:26): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[  209.119673] type=1400 audit(9781760.879:27): avc:  denied  { search } for  pid=176 comm="lmkd" name="1577" dev="proc" ino=12708 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=dir
<5>[  209.119937] type=1400 audit(9781760.879:28): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[  209.120105] type=1400 audit(9781760.879:29): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[  209.235597] type=1400 audit(9781760.999:30): avc:  denied  { search } for  pid=176 comm="lmkd" name="1600" dev="proc" ino=11659 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[  209.235798] type=1400 audit(9781760.999:31): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  209.236006] type=1400 audit(9781760.999:32): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  214.297283] type=1400 audit(9781766.059:64): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[  214.297415] type=1400 audit(9781766.059:65): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[  214.355060] type=1400 audit(9781766.119:66): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[  214.355236] type=1400 audit(9781766.119:67): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[  214.516920] type=1400 audit(9781766.279:68): avc:  denied  { search } for  pid=176 comm="lmkd" name="1907" dev="proc" ino=11742 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=dir
<5>[  214.678861] type=1400 audit(9781766.439:69): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[  214.678992] type=1400 audit(9781766.439:70): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[  214.708284] type=1400 audit(9781766.469:71): avc:  denied  { search } for  pid=176 comm="lmkd" name="1765" dev="proc" ino=12851 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[  214.708435] type=1400 audit(9781766.469:72): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  214.708648] type=1400 audit(9781766.469:73): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file

Change-Id: Ie3c1ab8ce9e77742d0cc3c73f40010afd018ccd4

This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

- Add write_logd, read_logd and control_logd macros added along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8

This was originally used for the /data/fdAlbum
file. Device specific policy properly labels the
file as camera_data_file either during its
initial creation (type_transition rule) or with
a single restorecon call in the respective init.*.rc
file.

Change-Id: Ie953dcf4c40883db09cfb4ffec2a42e8ccd6344c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

/proc/sys/net could use its own type to help distinguish
among some of the proc access rules. Fix dhcp and netd
because of this.

Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

/data/media presently is left in system_data_file, which requires
anything that wants to write to it to be able to write to system_data_file.
Introduce a new type for /data/media, media_rw_data_file (to match
the media_rw UID assigned to it and distinguish it from /data/misc/media
which has media UID and media_data_file type), and allow access to it.

We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted
to signature|system.  We should not have to allow it to untrusted_app.

Set up type transitions in sdcardd to automatically label any directories
or files it creates with the new type.

Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd

And allow any SELinux domain to read these timezone
related files.

Addresses the following denial:
<5>[    4.746399] type=1400 audit(3430294.470:7): avc:  denied  { open } for  pid=197 comm="time_daemon" name="tzdata" dev="mmcblk0p28" ino=618992 scontext=u:r:time:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Iff32465e62729d7aad8c79607848d89ce0aede86

Alphabetize the entries for the /data/misc subdirectories.

Change-Id: I3690085cbb99c225545545668dedd66341a14edb

lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon
called lmkd.  ActivityManager communicates with this daemon over a
named socket.

This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10

Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Use more general type names for the contents of /data/misc/camera and
/data/misc/audio.  These were the names used in our policy until 4.3
was released, at which point we switched to be consistent with AOSP.
However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and
Galaxy Note 3 4.3 image all shipped with policies using _data_file names
because they were based on our older policy.  So we may as well switch
AOSP to these names.

Not sure if in fact these could be all coalesced to the new media_data_file
type for /data/misc/media introduced by
Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343.

Options to fix already existing devices, which would only apply
to Nexus devices with 4.3 or 4.4 at this point:
1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either
the system/core init.rc or to the device-specific init.*.rc files.
-or-
2) Add a typealias declaration in the policy to remap the old type names.
to the new ones.  Then existing types on persistent storage will be
remapped internally to the new ones.
-or-
3) Some sort of relabeld.

Option #2 is implemented by this change.

Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we get denials like these on 4.4:

type=1400 audit(1383590170.360:29): avc:  denied  { write } for  pid=61 comm="mediaserver" name="media" dev="mtdblock1" ino=6416 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { add_name } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { create } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590170.360:29): avc:  denied  { write open } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { write } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { open } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id:  Ib8c96ab9e19d34e8e34a4c859528345763be4906
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise the following denials occur on mako:

<5>[    2.494246] type=1400 audit(1382544550.200:4): avc:  denied  { associate } for  pid=1 comm="init" name="time_in_state" dev="sysfs" ino=17444 scontext=u:object_r:sy
sfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.494735] type=1400 audit(1382544550.200:5): avc:  denied  { associate } for  pid=1 comm="init" name="total_trans" dev="sysfs" ino=17443 scontext=u:object_r:sysf
s_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.495162] type=1400 audit(1382544550.200:6): avc:  denied  { associate } for  pid=1 comm="init" name="stats" dev="sysfs" ino=17442 scontext=u:object_r:sysfs_devi
ces_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.495620] type=1400 audit(1382544550.200:7): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_governor" dev="sysfs" ino=17435 scontext=u:object_r
:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496047] type=1400 audit(1382544550.200:8): avc:  denied  { associate } for  pid=1 comm="init" name="cpuinfo_transition_latency" dev="sysfs" ino=17429 scontext=
u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496505] type=1400 audit(1382544550.200:9): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_available_frequencies" dev="sysfs" ino=17439 sconte
xt=u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496963] type=1400 audit(1382544550.200:10): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_driver" dev="sysfs" ino=17436 scontext=u:object_r:
sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem

Change-Id: I584a1cf61cb871a38be4d3b308cef03e64cfda8e

Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1

The /adb_keys entry will only take effect if a restorecon is
applied by init.rc on a kernel that includes the rootfs labeling
support, but does no harm otherwise.

The /data/misc/adb labeling ensures correct labeling of the adb_keys
file created if the device has ro.adb.secure=1 set.

Allow adbd to read the file.

Change-Id: I97b3d86a69681330bba549491a2fb39df6cf20ef
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is now possible due to the kernel change to support
setting security contexts on rootfs inodes.

Change-Id: I2a9aac1508eceabb92c3ae8eb5c63a16b28dda6f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise it gets left in the general device type, and we get denials such
as:
type=1400 msg=audit(1379617262.940:102): avc:  denied  { write } for  pid=579 comm="mDnsConnector" name="mdns" dev="tmpfs" ino=3213 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=sock_file

This of course only shows up if using a confined system_server.

Change-Id: I2456dd7aa4d72e6fd15b55c251245186eb54a80a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I9652284bd34d07bd47e2e7df66fcbe5db185ab3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>