Change-Id: I764086a83d89d5c94c13400cab590933727d261b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

<5>[  216.710405] type=1400 audit(1392934645.702:17): avc:  denied  { use } for  pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fd

<5>[  216.710553] type=1400 audit(1392934645.702:18): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket

<5>[  216.710727] type=1400 audit(1392934645.702:19): avc:  denied  { read } for  pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file

<5>[  216.710872] type=1400 audit(1392934645.702:20): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[8214]" dev="sockfs" ino=8214 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket

<5>[  216.711037] type=1400 audit(1392934645.702:21): avc:  denied  { write } for  pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file

<5>[  216.711208] type=1400 audit(1392934645.702:22): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9370]" dev="sockfs" ino=9370 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket

<5>[  216.711334] type=1400 audit(1392934645.702:23): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9372]" dev="sockfs" ino=9372 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_nflog_socket

<5>[  216.711513] type=1400 audit(1392934645.702:24): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[11078]" dev="sockfs" ino=11078 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=udp_socket

<5>[  216.713390] type=1400 audit(1392934645.702:25): avc:  denied  { dac_override } for  pid=2273 comm="clatd" capability=1 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[  216.713528] type=1400 audit(1392934645.702:26): avc:  denied  { read write } for  pid=2273 comm="clatd" name="tun" dev="tmpfs" ino=6127 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[  314.513898] type=1400 audit(1392934743.501:42): avc:  denied  { setopt } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.514482] type=1400 audit(1392934743.501:43): avc:  denied  { getattr } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.515196] type=1400 audit(1392934743.501:44): avc:  denied  { write } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.516077] type=1400 audit(1392934743.501:45): avc:  denied  { connect } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[ 22.257024] type=1400 audit(1393016186.443:12): avc: denied { open } for pid=1934 comm="clatd" name="tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[ 22.257274] type=1400 audit(1393016186.443:13): avc: denied { net_admin } for pid=1934 comm="clatd" capability=12 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.257445] type=1400 audit(1393016186.443:14): avc: denied { write } for pid=1934 comm="clatd" name="forwarding" dev="proc" ino=10684 scontext=u:r:clatd:s0 tcontext=u:object_r:proc_net:s0 tclass=file

<5>[ 22.257618] type=1400 audit(1393016186.443:15): avc: denied { setgid } for pid=1934 comm="clatd" capability=6 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.257753] type=1400 audit(1393016186.443:16): avc: denied { setuid } for pid=1934 comm="clatd" capability=7 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.385005] type=1400 audit(1393016186.573:17): avc: denied { ioctl } for pid=1934 comm="clatd" path="/dev/tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[ 22.385269] type=1400 audit(1393016186.573:18): avc: denied { create } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=tun_socket

<5>[ 22.388955] type=1400 audit(1393016186.573:19): avc: denied { nlmsg_write } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

Change-Id: Ic760597df1aa4b33b3cb6e9a504dbcbd6f5d0116
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  clatd does exist in AOSP
and is built by default, and is started via netd.

Change-Id: Iee6e0845fad7647962d73cb6d047f27924fa799a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

Bug: 10175701
Change-Id: I185df22bdbaafd56725760ec6c71340b67455046