The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { call } for  pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc:  denied  { write } for  pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc:  denied  { write } for  pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc:  denied  { ptrace } for  pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc:  denied  { sigkill } for  pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc:  denied  { write } for  pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { unlink } for  pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { read write } for  pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { write } for  pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc:  denied  { read } for  pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

avc:  denied  { getattr } for  pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while.  The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

In order to prevent Zygote descriptors from leaking into the child
environment, they should be closed by the forked-off child process
before the child switches to the application UID.  These changes close
the descriptors via dup2(), substituting a descriptor open to
/dev/null in their place; this allows the Zygote Java code to close
the FileDescriptor objects cleanly.

This is a multi-project change: dalvik, art, libcore, frameworks/base,
and external/sepolicy are affected.  The CLs need to be approved
together, lest the build break or the software fail to boot.

Bug: 12114500
Change-Id: Ie45ddf6d661a1ea8570cd49dfea76421f2cadf72

- Add write_logd, read_logd and control_logd macros added along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8

Rather, enforce that a relabel should be done. This
tightens an existing assertion.

Change-Id: I0500e3dc483e6bf97e5b017043e358bcbdc69904

When setting a static wallpaper on multiple devices the
following denials were encountered.
   avc:  denied  { getattr } for  pid=1775 comm="llpaper_chooser" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:shared_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file
   avc:  denied  { getattr } for  pid=799 comm="ndroid.systemui" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:platform_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file
   avc:  denied  { getattr } for  pid=1909 comm=4173796E635461736B202332 path="/data/system/users/0/wallpaper" dev="mmcblk0p28" ino=586422 scontext=u:r:release_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

platform_app access is from the SystemUI app whereas the other
denials are from the Launcher that is used on the particular
device. For instance, Launcher2 triggers the shared_app denial
whereas release_app (used by Launcher3) triggers the other denial.
Because of this, add the rule to all appdomains.

The static wallpaper is still set without this change. Just add
the rule to avoid the noise in the logs.

Change-Id: Ida84d1695d52379d67b87318403f629fd07109a4
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.

Two bugs here:

1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.

2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.

Addresses the following denials:

<5>[  149.342181] type=1400 audit(1389419775.872:17): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.371844] type=1400 audit(1389419775.902:18): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.980161] type=1400 audit(1389419776.512:22): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.095066] type=1400 audit(1389419776.622:23): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.096748] type=1400 audit(1389419776.632:24): avc:  denied  { getattr } for  pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.097090] type=1400 audit(1389419776.632:25): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  154.545583] type=1400 audit(1389419781.072:43): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.000877] type=1400 audit(1389419782.532:44): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.022567] type=1400 audit(1389419782.552:45): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.043463] type=1400 audit(1389419782.572:46): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.062550] type=1400 audit(1389419782.592:47): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3

Re-purpose the existing bluetooth_socket type, originally
for /dev/socket/bluetooth used by bluetoothd in the old
bluetooth stack, for sockets created by bluedroid under
/data/misc/bluedroid, and allow mediaserver to connect
to such sockets.  This is required for playing audio
on paired BT devices.

Based on b/12417855.

Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is required for the grouper sepolicy, where we must allow
bluetooth domain to write to the base sysfs type due to a kernel bug.

Change-Id: I14b0530387edce1097387223f0def9b59e4292e0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise all domains can create/write files that are executable
by all other domains.  If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

ping in Android no longer requires any additional privileges beyond
the caller.  Drop the ping domain and executable file type entirely.

Also add net_domain() to shell domain so that it can create and
use network sockets.

Change-Id: If51734abe572aecf8f510f1a55782159222e5a67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions.  execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains.  Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

execmem permission controls the ability to make an anonymous
mapping executable or to make a private file mapping writable
and executable.  Remove this permission from domain (i.e.
all domains) by default, and add it explicitly to app domains.
It is already allowed in other specific .te files as required.
There may be additional cases in device-specific policy where
it is required for proprietary binaries.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC.  We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc:  denied  { execute } for  pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I184458af1f40de6f1ab99452e76ba586dad1319e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The closure of /dev/socket/zygote occurs in the zygote child
process, after Zygote has dropped privileges and changed
SELinux domains. In Google's internal tree, socket closures
are following a different path, which is causing getopt/getattr
to be used on the file descriptor. This is generating a large
number of denials.

Allow the operations for now. getopt/getattr are fairly harmless.
Long term, we shouldn't be performing these operations on the
zygote socket.

Addresses the following denials:

18.352783   type=1400 audit(1386374111.043:7): avc:  denied  { getattr } for  pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.353088   type=1400 audit(1386374111.043:8): avc:  denied  { getopt } for  pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833251   type=1400 audit(1386374111.524:9): avc:  denied  { getattr } for  pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833557   type=1400 audit(1386374111.524:10): avc:  denied  { getopt } for  pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042419   type=1400 audit(1386374111.734:11): avc:  denied  { getattr } for  pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042724   type=1400 audit(1386374111.734:12): avc:  denied  { getopt } for  pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.182830   type=1400 audit(1386374111.874:14): avc:  denied  { getattr } for  pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.183105   type=1400 audit(1386374111.874:15): avc:  denied  { getopt } for  pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.235473   type=1400 audit(1386374111.924:16): avc:  denied  { getattr } for  pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12061011
Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9

Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses the following denials:

<5>[  170.166218] type=1400 audit(1386789488.029:57): avc:  denied  { getattr } for  pid=4352 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166356] type=1400 audit(1386789488.029:58): avc:  denied  { execute } for  pid=4352 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166841] type=1400 audit(1386789488.029:59): avc:  denied  { read open } for  pid=4389 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166962] type=1400 audit(1386789488.029:60): avc:  denied  { execute_no_trans } for  pid=4389 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file

Change-Id: Ic175ef7392897a3941c36db67dfa59ded35204b5

Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow apps to communicate with each other via pipes.
In particular, this fixes a bug where printing from Chrome wasn't
working.

  STEPS TO REPRODUCE:
  1. Launch Chrome
  2. From menu tap print and observe
        OR
  1. Launch Drive, Select any file (*.txt, *.doc. *.pdf.........)
  2. Select print

Addresses the following denials:

<5>[  122.352797] type=1400 audit(1386363998.374:18): avc:  denied  { write } for  pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248363] type=1400 audit(1386363999.264:19): avc:  denied  { getattr } for  pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248620] type=1400 audit(1386363999.264:20): avc:  denied  { write } for  pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file

Bug: 12032455
Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c

Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4

Change-Id: Ieda312d5607dd17af0bb70045fbaba8ddec38c94

Remove unconfined_domain() from the bluetooth app domain,
restore the rules from our policy, and move the neverallow
rule for bluetooth capabilities to bluetooth.te.
Make the bluetooth domain permissive again until it has
received sufficient testing.

Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Apps may need to access the USB Accessory interface, which
involves reads / writes / etc to /dev/usb_accessory
and /dev/bus/usb/*

See http://developer.android.com/guide/topics/connectivity/usb/accessory.html
for more information.

This addresses the following denials:

[   80.075727] type=1400 audit(1379351306.384:9): avc:  denied  { read write } for  pid=496 comm="Binder_1" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[   86.204387] type=1400 audit(1379304688.579:10): avc:  denied  { getattr } for  pid=1750 comm="Thread-126" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[ 2773.581032] type=1400 audit(1379307375.959:22): avc:  denied  { read write } for  pid=761 comm="Binder_A" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.590843] type=1400 audit(1379307375.969:23): avc:  denied  { getattr } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
[ 2773.591111] type=1400 audit(1379307375.969:24): avc:  denied  { ioctl } for  pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file

Bug: 10780497
Change-Id: I9663222f7a75dcbf3c42788a5b8eac45e69e00bb

Shell domain can transition to other domains for runas, ping, etc.

Change-Id: If9aabb4f51346dc00a89d03efea25499505f278d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change synchronizes the AOSP set of neverallow rules for
app domains with our own.  However, as we exclude unconfineddomain
from each neverallow rule, it causes no breakage in the AOSP policy.
As app domains are confined, you will need to either adjust the
app domain or the neverallow rule according to your preference.
But our policy builds with all of these applied with all app domains
confined.

Change-Id: I00163d46a6ca3a87e3d742d90866300f889a0b11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00

Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The comment says that apps can read downloaded files, but the
file_type_auto_trans() macro expands to permit create/write access.
Also we don't need a type transition when staying in the same type
as the parent directory so we only truly need allow rules here.
Hence, we remove file_type_auto_trans() altogether, and add an allow
rule for search access to the directory.  If create/write access is
truly required, then we can just change the allow rules to use
rw_dir_perms and create_file_perms.

Change-Id: Icd71c9678419442cfd8088317317efd4332f9b4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te;
delete it from isolated_app.te.
binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it.

Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Fixes the following denial:

<5>[28362.335293] type=1400 audit(1378991198.292:24): avc:  denied  { execute } for  pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12

Bug: 10498304
Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74