Despite removing these from AOSP policy they seem to still be
present in device policies.  Prohibit them via neverallow.

We would also like to minimize execmem to only app domains
and others using ART, but that will first require eliminating it
from device-specific service domains (which may only have it
due to prior incorrect handling of text relocations).

Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I2aef01ba72cae028d5e05deddbdeff674f9a534d

Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

(cherry picked from e2651972)

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534

To reduce the likelihood of malicious symlink attacks, neverallow
read access to shell- and app-writable symlinks.

Change-Id: I0dea1e6e4f0ce34531100696d230294e1b8a5500
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Prohibit all but a specific set of whitelisted domains
from writing to /data/dalvik-cache.  This is to prevent
code injection into apps, zygote, or system_server.

Inspired by:
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/


which depended on system UID apps having write access to
/data/dalvik-cache (not allowed in AOSP policy but evidently
in those device policies).  Prevent this from recurring.

Change-Id: I282c7bf998421d794883e432b091ad1dcf9da67e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I45002cfd05e4e184bfc66039b3ae9a4af057adb1
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

Only a few daemons need transition to shell. Prevent
misuse and over-privileging of shell domain.

Change-Id: Ib1a5611e356d7a66c2e008232c565035e3fc4956
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

Only a few system level components should be creating and writing
these files, force a type transition for shared files.

Change-Id: Ieb8aa8a36859c9873ac8063bc5999e9468ca7533
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

Bug: 19483574
Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64

Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.

Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.

Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5

This reverts commit 5287d9a8.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a

This change removes the link, but moves key management to
vold, so we need to adjust permissions alternately.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1

This reverts commit c450759e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387

shamu isn't booting.

This reverts commit 46e832f5.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca

Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448

Change-Id: Ie19ac00f2e96836667e8a5c18fafeaf6b6eadb25

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0

Some devices still have pre-built binaries with text relocations
on them. As a result, it's premature to assert a neverallow rule
for files in /system

Bug: 20013628
Change-Id: I3a1e43db5c610164749dee6882f645a0559c789b

Add selinux rules to allow file level encryption to work

Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209

Android has long enforced that code can't compile with text
relocations present. Add a compile time assertion to prevent
regressions.

Change-Id: Iab35267ce640c1fad9dc82b90d22e70e861321b7

/system/xbin/procrank is a setuid program run by adb shell on
userdebug / eng devices. Allow it to work without running adb root.

Bug: 18342188
Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7

Executing /system/xbin/su is only supported on userdebug builds
for a limited number of domains. On user builds, it should never
occur.

Add a compile time assertion (neverallow rule) that this is
always true.

Bug: 19647373
Change-Id: I231a438948ea2d47c1951207e117e0fb2728c532

Add neverallow rules to ensure that zygote commands are only taken from
system_server.

Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7

Bug: 19624279

Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f

Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).

Needed by changes from
  I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d

Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc
and commit 99940d1a

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868

The recovery partition has been assigned a recovery_block_device
type for the AOSP devices, so install_recovery should not need
rw access to the generic block_device type.  Remove it.

Change-Id: I31621a8157998102859a6e9eb76d405caf6d5f0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add a compile time assertion that no SELinux rule exists which
allows mounting on top of symbolic links, fifo files, or socket
files. Remove the capability from unconfined domains.

Change-Id: I6d7cc95cd17e2e5f165fa5948563800ed206bb71

Android doesn't want to support System V IPC classes.
Ensure that it isn't supported by adding a neverallow rule
(compile time assertion).

Change-Id: I278d45960ee557917584f9137323b4cabfe140a9

The shell domain is already allowed to list and find all service_manager
objects, so extra auditing is pointless.

Bug: 18106000
Change-Id: I8dbf674fa7ea7b05e48e5bbc352b0c9593f2b627

Change-Id: If311f53b9e5a1020f188ae2346dbf6466e6129ac

Add an SELinux neverallow rule (compile time assertion) that only
authorized SELinux domains are writing to files in /data/dalvik-cache.

Currently, SELinux policy only allows the following SELinux domains
to perform writes to files in /data/dalvik-cache

  * init
  * zygote
  * installd
  * dex2oat

For zygote, installd, and dex2oat, these accesses make sense.

For init, we could further restrict init to just relabelfrom
on /data/dalvik-cache files, and { create, write, setattr }
on /data/dalvik-cache directories. Currently init has full
write access, which can be reduced over time.

This change was motivated by the discussion
in https://android-review.googlesource.com/127582

Remove /data/dalvik-cache access from the unconfined domain.
This domain is only used by init, kernel, and fsck on user builds.
The kernel and fsck domains have no need to access files in
/data/dalvik-cache. Init has a need to relabel files, but
that rule is already granted in init.te.

The neverallow rule is intended to prevent regressions. Neverallow
rules are CTS tested, so regressions won't appear on our devices
or partner devices.

Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd

external/sepolicy commit 99940d1a
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.

Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.

external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.

By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.

For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.

Addresses the following denials:

  avc: denied { read } for  pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

Resubmission of commit: 76f3fe33

Removed conflicting rule from unconfined domain.

Change-Id: I3e6da8922ebf636f1cd8ceefea4291d043a28ab7

Fix build due to goldfish neverallow conflicts.

This reverts commit 76f3fe33.

Change-Id: Ie7c2bf623dcfe246fa5e60b0775b6bb38869d8cb

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery the the various neverallow rules
blocking this behavior.

(cherrypick, with modifications, from 0055ea90)

Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e