Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4

Long live /system/bin/sh!

Change-Id: I5af63c1bdc3585835ee273ed9995d8fac14792da

Remove unconfined_domain() and add the allow rules required for
operation of healthd.  Restore the permissive declaration until
I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4
kernel.

Resolves the following denials in 4.4:
type=1400 audit(1383590167.750:14): avc:  denied  { read } for  pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file
type=1400 audit(1383590167.750:15): avc:  denied  { mknod } for  pid=49 comm="healthd" capability=27  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:16): avc:  denied  { create } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc:  denied  { setopt } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc:  denied  { net_admin } for  pid=49 comm="healthd" capability=12  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:18): avc:  denied  { bind } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
shell@generic:/ $ type=1400 audit(1383590168.800:21): avc:  denied  { call } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:22): avc:  denied  { transfer } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:23): avc:  denied  { 0x10 } for  pid=49 comm="healthd" capability=36  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
type=1400 audit(1383590168.800:24): avc:  denied  { read } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590212.320:161): avc:  denied  { call } for  pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:161): avc:  denied  { transfer } for  pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:162): avc:  denied  { call } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder
type=1400 audit(1383590275.930:463): avc:  denied  { call } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I7ef479ac1806b0a52bb0145a82d6d4265edc1f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Bug: 11518274

Change-Id:  Ib8c96ab9e19d34e8e34a4c859528345763be4906
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id:  I1bdd80f641db05fef4714654515c1e1fbb259794
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is causing runtime restarts on flo/deb when uninstalling
some APKs. Revert while I investigate it.

11-04 21:52:41.487   687   704 I ActivityManager: Force stopping com.android.development appid=10078 user=-1: uninstall pkg
11-04 21:52:41.487   687   712 W PackageManager: Couldn't delete native library directory /data/app-lib/com.android.development
11-04 21:52:41.557   687   712 W dalvikvm: threadid=20: thread exiting with uncaught exception (group=0x959dfae8)
11-04 21:52:41.557   687   712 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: PackageManager
11-04 21:52:41.557   687   712 E AndroidRuntime: java.lang.NullPointerException
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.security.KeyStore.clearUid(KeyStore.java:327)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.removeKeystoreDataIfNeeded(PackageManagerService.java:9787)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.removePackageDataLI(PackageManagerService.java:9384)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.deleteInstalledPackageLI(PackageManagerService.java:9503)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.deletePackageLI(PackageManagerService.java:9612)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.deletePackageX(PackageManagerService.java:9239)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.access$4100(PackageManagerService.java:178)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService$7.run(PackageManagerService.java:9173)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.Handler.handleCallback(Handler.java:733)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:95)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:136)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.HandlerThread.run(HandlerThread.java:61)
11-04 21:52:41.567   687   712 I Process : Sending signal. PID: 687 SIG: 9

and

[    7.324554] type=1400 audit(1383601030.823:5): avc:  denied  { read write } for  pid=192 comm="keystore" name="qseecom" dev="tmpfs" ino=7521 scontext=u:r:keystore:s0 tcontext=u:object_r:device:s0 tclass=chr_file

This reverts commit 709d7183.

Bug: 11518274

Recommend using concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This will allow
sepolicy to exist in the vendor directory.

Change-Id: If982217fcb3645d9c6b37a341755b5b65f26fc5f

Otherwise we break "adb root && adb shell svc power reboot",
which has the side effect of killing all of our test automation
(oops).

Bug: 11477487
Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631

Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[  131.700473] avc:  denied  { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[  131.700625] init: sys_prop: permission denied uid:1000  name:debug.force_rtl
<4>[  132.630062] avc:  denied  { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[  132.630184] init: sys_prop: permission denied uid:1000  name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6

Also add attribute for a potential unused
function argument when dealing with darwin
SDK builds.

Change-Id: Iefdbecb050cc5fff6036f15413566e10cefa3813

Temporarily revert -Wall -Werror on checkseapp.
This is causing a compiler error on darwin SDK builds.

cc1: warnings being treated as errors
external/sepolicy/tools/check_seapp.c: In function 'rule_map_free':
external/sepolicy/tools/check_seapp.c:439: warning: unused parameter 's'
make: *** [out/host/darwin-x86/obj/EXECUTABLES/checkseapp_intermediates/check_seapp.o] Error 1

Change-Id: I9776777a751f16d5ca0d90e731482c31dac813f9

And also remove the unnecessary references to libselinux for
sepolicy-check, as it has no dependencies on libselinux.
Also enable -Wall -Werror on building all of these tools and
fix up all such errors.

Usage:
$ sepolicy-analyze -e -P out/target/product/<device>/root/sepolicy
or
$ sepolicy-analyze -d -P out/target/product/<device>/root/sepolicy

The first form will display all type pairs that are "equivalent", i.e.
they are identical with respect to allow rules, including indirect allow
rules via attributes and default-enabled conditional rules (i.e. default
boolean values yield a true conditional expression).

Equivalent types are candidates for being coalesced into a single type.
However, there may be legitimate reasons for them to remain separate,
for example:
- the types may differ in a respect not included in the current
analysis, such as default-disabled conditional rules, audit-related
rules (auditallow or dontaudit), default type transitions, or
constraints (e.g. mls), or
- the current policy may be overly permissive with respect to one or the
other of the types and thus the correct action may be to tighten access
to one or the other rather than coalescing them together, or
- the domains that would in fact have different accesses to the types
may not yet be defined or may be unconfined in the policy you are
analyzing (e.g. in AOSP policy).

The second form will display type pairs that differ and the first
difference found between the two types.  This output can be long.

We have plans to explore further enhancements to this tool, including
support for identifying isomorphic types.  That will be required to
identify similar domains since all domains differ in at least their
entrypoint type and in their tmpfs type and thus will never show up as
equivalent even if they are in all other respects identical to each other.

Change-Id: If0ee00188469d2a1e165fdd52f235c705d22cd4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I8f4964fb31e91d9f384ef05df5acdcdd45dec08b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*.  bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former.  This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).

Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I410ba7dc105322135463fa6f76cac75d6b65e38a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Every device has a CPU. This is not device specific.

Allow every domain to read these files/directories.
For unknown reasons, these files are accessed by A LOT
of processes.

Allow ueventd to write to these files. This addresses
the following denials seen on mako:

<5>[    4.935602] type=1400 audit(1383167737.512:4): avc:  denied  { read } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935785] type=1400 audit(1383167737.512:5): avc:  denied  { open } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935937] type=1400 audit(1383167737.512:6): avc:  denied  { search } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.936120] type=1400 audit(1383167737.512:7): avc:  denied  { write } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
<5>[    4.936303] type=1400 audit(1383167737.512:8): avc:  denied  { open } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file

Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936

Often times OEMs and other integrators will need to create PEM
files from presigned APKs they are integrating. This patch will
update the README to include a technique for doing so.

Change-Id: Ica52269542409d2038cfe30cbd5f28ead2fba4de

Change-Id: Id6d89e7d87642fba22445484034e39f94bb90f5b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Some bluetooth implementations write to bluetooth.* properties.
It seems reasonable to allow this for all bluetooth implementations.

This addresses the following denial (seen on mako):

<4>[  132.182755] avc:  denied  { set } for property=bluetooth.hciattach scontext=u:r:bluetooth:s0 tcontext=u:object_r:bluetooth_prop:s0 tclass=property_service

Change-Id: I6d92c0ff108838dd1107c5fb3c436699ef824814

Change-Id: Ia0de9d739575c34a7391db5f0be24048d89a7bd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ib29d63b9bff0d3b1b2c152c4e4d82e21360aacc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ia92165478764b062e7e33e7741742f5ec8762ad9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I4b6cacf70805065ad6fd9678417283c25a53b51b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>