  1. Jun 08, 2017
  2. May 31, 2017
      SEPolicy: Changes for new stack dumping scheme. · f194aad2
      Narayan Kamath authored
      Applications connect to tombstoned via a unix domain socket and request
      an open FD to which they can write their traces. This socket has a new
      label (tombstoned_java_trace_socket) and appdomain and system_server are
      given permissions to connect and write to it.
      
      Apps no longer need permissions to open files under /data/anr/ and
      these permissions will be withdrawn in a future change.
      
      Bug: 32064548
      Test: Manual
      
      (cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)
      
      (cherry picked from commit 11bfcc1e)
      
      Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f
      SEPolicy: Changes for new stack dumping scheme. · e628cb5b
      Narayan Kamath authored
      Applications connect to tombstoned via a unix domain socket and request
      an open FD to which they can write their traces. This socket has a new
      label (tombstoned_java_trace_socket) and appdomain and system_server are
      given permissions to connect and write to it.
      
      Apps no longer need permissions to open files under /data/anr/ and
      these permissions will be withdrawn in a future change.
      
      Bug: 32064548
      Test: Manual
      
      Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
      Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5
  3. May 30, 2017
      SEPolicy: Changes for new stack dumping scheme. · 11bfcc1e
      Narayan Kamath authored
      Applications connect to tombstoned via a unix domain socket and request
      an open FD to which they can write their traces. This socket has a new
      label (tombstoned_java_trace_socket) and appdomain and system_server are
      given permissions to connect and write to it.
      
      Apps no longer need permissions to open files under /data/anr/ and
      these permissions will be withdrawn in a future change.
      
      Bug: 32064548
      Test: Manual
      
      (cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)
      
      Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f
  4. May 15, 2017
      SELinux policies for PDX services · c4055f0d
      Alex Vakulenko authored
      Specify per-service rules for PDX transport. Now being able to
      grant permissions to individual services provided by processes,
      not all services of a process.
      
      Also tighter control over which permissions are required for
      client and server for individual components of IPC (endpoints,
      channels, etc).
      
      Bug: 37646189
      Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
      Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
  5. May 11, 2017
      Move sensord sepolicy · 2dd9ae33
      Luke Song authored
      Sensord move in ag/2106763 should be accompanied by corresponding
      sepolicy move of sensord-related files/declarations.
      
      Bug: 36996994
      Test: Sailfish build shows no related permission errors
      Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
  6. May 10, 2017
      SELinux policies for PDX services · 41daa7f8
      Alex Vakulenko authored
      Specify per-service rules for PDX transport. Now being able to
      grant permissions to individual services provided by processes,
      not all services of a process.
      
      Also tighter control over which permissions are required for
      client and server for individual components of IPC (endpoints,
      channels, etc).
      
      Bug: 37646189
      Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
  7. May 09, 2017
  8. Apr 27, 2017
  9. Apr 19, 2017
      Sepolicy: Fix asanwrapper · c848d37d
      Andreas Gampe authored
      Add asanwrapper support for system server under sanitization.
      
      Bug: 36138508
      Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
      Test: adb root && adb shell setprop wrap.system_server asanwrapper
      Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0
  10. Apr 18, 2017
      Add selinux rules for additional file contexts in userdebug · 25788df1
      Carmen Jackson authored
      These rules allow the additional tracepoints we need for running traceur
      in userdebug builds to be writeable.
      
      Bug: 37110010
      Test: I'm testing by running atrace -l and confirming that the
      tracepoints that I'm attempting to enable are available.
      
      Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd
  11. Apr 13, 2017
      Add hwservice_contexts and support for querying it. · 3ea47b92
      Martijn Coenen authored
      hwservicemanager can check hwservice_contexts files
      both from the framework and vendor partitions.
      
      Initially, have a wildcard '*' in hwservice_contexts
      that maps to a label that can be added/found from
      domain. This needs to be removed when the proper policy
      is in place.
      
      Also, grant su/shell access to hwservicemanager list
      operations, so tools like 'lshal' continue to work.
      
      Bug: 34454312
      Test: Marlin boots
      Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
  12. Apr 10, 2017
      Rename vndk-stable to vndk-sp (SP=Same-process) · ba23c8fa
      Jiyong Park authored
      The concept of VNDK-stable set is gone because they no longer need to be
      stable across several Android releases. Instead, they are just small set
      of system libraries (other than Low-Level NDK) that can be used by
      same-process HALs. They need to be stable only during an Android release
      as other VNDK libraries. However, since they are eligible for double
      loading, we still need to distinguish those libs from other VNDK
      libraries. So we give them a name vndk-sp, which means VNDK designed for
      same-process HALs.
      
      Bug: 37139956
      Test: booting successful with vndk-sp libs in /vendor/lib(64)?/vndk-sp
      Change-Id: I892c4514deb3c6c8006e3659bed1ad3363420732
  13. Apr 07, 2017
      sepolicy: allow access to vndk-stable libs · a4768fa8
      Jiyong Park authored
      Vndk-stable libs are system libs that are used by same process HALs.
      Since same process HALs can be loaded to any process, so are vndk-stable
      libs.
      
      Bug: 37138502
      Test: none, because the directory is currently empty and thus this is
      no-op. sailfish builds and boots.
      
      Change-Id: I67a2c8c2e4c3517aa30b4a97dc80dc2800e47b5a
  14. Apr 05, 2017
      sepolicy: relabel /vendor · 277a20eb
      Sandeep Patil authored
      
      The CL splits /vendor labeling from /system. Which was allowing all
      processes read, execute access to /vendor.
      
      Following directories will remain world readable
       /vendor/etc
       /vendor/lib(64)/hw/
      
      Following are currently world readable but their scope
      will be minimized to platform processes that require access
       /vendor/app
       /vendor/framework/
       /vendor/overlay
      
      Files labelled with 'same_process_hal_file' are allowed to be
      read + executed from by the world. This is for Same process HALs and
      their dependencies.
      
      Bug: 36527360
      Bug: 36832490
      Bug: 36681210
      Bug: 36680116
      Bug: 36690845
      Bug: 36697328
      Bug: 36696623
      Bug: 36806861
      Bug: 36656392
      Bug: 36696623
      Bug: 36792803
      
      All of the tests were done on sailfish, angler, bullhead, dragon
      Test: Boot and connect to wifi
      Test: Run chrome and load websites, play video in youtube, load maps w/
            current location, take pictures and record video in camera,
            playback recorded video.
      Test: Connect to BT headset and ensure BT audio playback works.
      Test: OTA sideload using recovery
      Test: CTS SELinuxHostTest pass
      
      Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
      Signed-off-by: Sandeep Patil <sspatil@google.com>
  15. Apr 04, 2017
  16. Apr 03, 2017
      Add target for vndservice_contexts. · 6676c234
      Martijn Coenen authored
      So we can limit vndservicemanager access to
      just vndservice_contexts.
      
      Bug: 36052864
      Test: servicemanager,vndservicemanager work
      Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
  17. Apr 01, 2017
      Ban core components from accessing vendor data types · 50563c03
      Jeff Vander Stoep authored
      Vendor and system components are only allowed to share files by
      passing open FDs over HIDL. Ban all directory access and all file
      accesses other than what can be applied to an open FD such as
      ioctl/stat/read/write/append.
      
      This commit asserts that core components marked with attribute
      coredomain may only access core data types marked with attribute
      core_data_file_type.
      
      A temporary exemption is granted to domains that currently rely on
      access.
      
      (cherry picked from commit cd97e710)
      
      Bug: 34980020
      Test: build Marlin policy
      Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
  18. Mar 31, 2017
      Tighten restrictions on core <-> vendor socket comms · 2f6151ea
      Alex Klyubin authored
      This further restricts neverallows for sockets which may be exposed as
      filesystem nodes. This is achieved by labelling all such sockets
      created by core/non-vendor domains using the new coredomain_socket
      attribute, and then adding neverallow rules targeting that attribute.
      
      This has no effect on what domains are permitted to do. This only
      changes neverallow rules.
      
      Test: mmm system/sepolicy
      Bug: 36577153
      
      (cherry picked from commit cf2ffdf0)
      
      Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
      Ban core components from accessing vendor data types · cd97e710
      Jeff Vander Stoep authored
      Vendor and system components are only allowed to share files by
      passing open FDs over HIDL. Ban all directory access and all file
      accesses other than what can be applied to an open FD such as
      ioctl/stat/read/write/append.
      
      This commit asserts that core components marked with attribute
      coredomain may only access core data types marked with attribute
      core_data_file_type.
      
      A temporary exemption is granted to domains that currently rely on
      access.
      
      Bug: 34980020
      Test: build Marlin policy
      Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
      Tighten restrictions on core <-> vendor socket comms · cf2ffdf0
      Alex Klyubin authored
      This further restricts neverallows for sockets which may be exposed as
      filesystem nodes. This is achieved by labelling all such sockets
      created by core/non-vendor domains using the new coredomain_socket
      attribute, and then adding neverallow rules targeting that attribute.
      
      This has no effect on what domains are permitted to do. This only
      changes neverallow rules.
      
      Test: mmm system/sepolicy
      Bug: 36577153
      Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
  19. Mar 29, 2017
      tee domain is a vendor domain · 0f6c047d
      Alex Klyubin authored
      As a result, Keymaster and DRM HALs are permitted to talk to tee domain
      over sockets. Unfortunately, the tee domain needs to remain on the
      exemptions list because drmserver, mediaserver, and surfaceflinger are
      currently permitted to talk to this domain over sockets.
      
      We need to figure out why global policy even defines a TEE domain...
      
      Test: mmm system/sepolicy
      Bug: 36601092
      Bug: 36601602
      Bug: 36714625
      Bug: 36715266
      Change-Id: I0b95e23361204bd046ae5ad22f9f953c810c1895
      mac_permissions: explicitly label all mac_permissions files · bb24f3ab
      Sandeep Patil authored
      
      *mac_permissions.xml files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' or 'rootfs' label.
      
      Bug: 36003167
      Test: no new 'mac_perms_file' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
            OTA update.
      Test: Launch 'chrome' and successfully load a website.
      Test: Launch Camera and take a picture.
      Test: Launch Camera and record a video, successfully playback recorded
            video
      
      Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc
      Signed-off-by: Sandeep Patil <sspatil@google.com>
      sepolicy: explicitly label all sepolicy files · 136caa1b
      Sandeep Patil authored
      
      sepolicy files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' or 'rootfs' label.
      
      Bug: 36527360
      Test: no new 'sepolicy_file' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
            OTA update.
      Test: Launch 'chrome' and successfully load a website.
      Test: Launch Camera and take a picture.
      Test: Launch Camera and record a video, successfully playback recorded
            video
      
      Change-Id: I6fe8ba31588c2d75521c6e2b0bf7e6d6eaf80a19
      Signed-off-by: Sandeep Patil <sspatil@google.com>
      seapp_context: explicitly label all seapp context files · 1e149967
      Sandeep Patil authored
      
      seapp_context files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' label.
      
      Bug: 36002414
      Test: no new 'seapp_context' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
            OTA update.
      Test: ./cts-tradefed run singleCommand cts --skip-device-info \
            --skip-preconditions --skip-connectivity-check --abi \
            arm64-v8a --module CtsSecurityHostTestCases -t \
            android.security.cts.SELinuxHostTest#testAospSeappContexts
      Test: Launch 'chrome' and successfully load a website.
      Test: Launch Camera and take a picture.
      Test: Launch Camera and record a video, successfully playback recorded
            video
      
      Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
      Signed-off-by: Sandeep Patil <sspatil@google.com>
      file_context: explicitly label all file context files · c9cf7361
      Sandeep Patil authored
      
      file_context files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' label.
      
      Bug: 36002414
      Test: no new 'file_context' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
      OTA update.
      Test: ./cts-tradefed run singleCommand cts --skip-device-info \
             --skip-preconditions --skip-connectivity-check --abi \
             arm64-v8a --module CtsSecurityHostTestCases -t \
             android.security.cts.SELinuxHostTest#testAospFileContexts
      
      Change-Id: I603157e9fa7d1de3679d41e343de397631666273
      Signed-off-by: Sandeep Patil <sspatil@google.com>
      service_contexts: label service_contexts explicitly · 939d16b5
      Sandeep Patil authored
      
      The label applies to all service_contexts regardless of their location.
      This also lets us track the service_contexts usage and limit access to
      the files for the corresponding object manager alone.
      
      Bug: 36002427
      Test: Boot sailfish and observe no denials for 'service_contexts'
      Test: cts-tradefed run singleCommand cts --skip-device-info \
                --skip-preconditions --skip-connectivity-check \
                --abi arm64-v8a --module CtsSecurityHostTestCases \
                -t android.security.cts.SELinuxHostTest#testAospServiceContexts
      
      Change-Id: I97fc8b24bc99ca5c00d010fb522cd39a35572858
      Signed-off-by: Sandeep Patil <sspatil@google.com>
      prop_context: correctly label all property_context files · 54a42001
      Sandeep Patil authored
      
      split property context file in vendor and system were left untouched by
      the recent changes. This was working accidentally because they were
      still accessible to all domains as 'system_file'.
      
      Bug: 36002573
      Test: Boot sailfish to observe no new denials.
      Test: 'adb sideload' OTA on sailfish successfully
      
      Change-Id: I5bec058b59db83d2a431e9f7e91c5a09af7d2942
      Signed-off-by: Sandeep Patil <sspatil@google.com>
  20. Mar 28, 2017
      Ban vendor components access to core data types · 4a478c47
      Jeff Vander Stoep authored
      Vendor and system components are only allowed to share files by
      passing open FDs over HIDL. Ban all directory access and all file
      accesses other than what can be applied to an open file:
      stat/read/write/append.
      
      This commit marks core data types as core_data_file_type and bans
      access to non-core domains with an exemption for apps. A temporary
      exemption is also granted to domains that currently rely on
      access with TODOs and bug number for each exemption.
      
      Bug: 34980020
      Test: Build and boot Marlin. Make phone call, watch youtube video.
            No new denials observed.
      Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
  21. Mar 21, 2017
      Mark system_ndebug_socket as mlstrustedobject. · 3d3d370b
      Josh Gao authored
      Address the following denial:
      
          audit(0.0:644): avc: denied { write } for name="ndebugsocket" dev="dm-2" ino=654091 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:system_ndebug_socket:s0 tclass=sock_file permissive=0
      
      Bug: http://b/36278094
      Test: mm
      Change-Id: I0df115a3682385cee72adbfc4687221cd7c51a4d
  22. Mar 16, 2017
      enabled /sbin/modprobe for recovery mode · d363b0f9
      Jaesoo Lee authored
      This change defines new policy for modprobe (/sbin/modprobe) that should
      be used in both recovery and android mode.
      
      Denials:
      [   16.986440] c0    437 audit: type=1400 audit(6138546.943:5): avc:
      denied  { read } for  pid=437 comm="modprobe" name="modules" dev="proc"
      ino=4026532405 scontext=u:object_r:modprobe:s0
      tcontext=u:object_r:proc:s0 tclass=file permissive=1
      [   16.986521] c0    437 audit: type=1400 audit(6138546.943:6): avc:
      denied  { open } for  pid=437 comm="modprobe" path="/proc/modules"
      dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
      tcontext=u:object_r:proc:s0 tclass=file permissive=1
      [   16.986544] c0    437 audit: type=1400 audit(6138546.943:7): avc:
      denied  { getattr } for  pid=437 comm="modprobe" path="/proc/modules"
      dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
      tcontext=u:object_r:proc:s0 tclass=file permissive=1
      
      Bug: 35633646
      Test: Build and tested it works in sailfish recovery. The modprobe is
      invoked in init.rc (at the end of 'on init') with following command line
      
          exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl
      
      Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa
  23. Mar 15, 2017
      Split preloads into media_file and data_file · b238fe66
      Fyodor Kupolov authored
      Untrusted apps should only access /data/preloads/media and demo directory.
      
      Bug: 36197686
      Test: Verified retail mode.
            Checked non-privileged APK cannot access /data/preloads
      Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
  24. Mar 09, 2017
      sepolicy: Move hostapd to vendor · 9a293013
      Po-Chien Hsueh authored
      Move hostapd to vendor/bin/ because it's only used by WIFI HAL.
      This commit is for sepolicy corresponding changes.
      
      Bug: 34236942
      Bug: 34237659
      Test: Hotspot works fine. Integration test.
      
      Change-Id: I2ee165970a20f4015d5d62fc590d448e9acb92c1
  25. Mar 07, 2017
      Make /proc/sys/kernel/perf_event_max_sample_rate accessible to untrusted_app. · 5b15baeb
      Yabin Cui authored
      perf_event_max_sample_rate is needed to be read for native profiling,
      otherwise CTS test can fail on devices with kernel >= 4.4. Before this CL,
      the file is not readable from untrusted_app domain. This CL makes it readable
      from both shell domain and untrusted_app domain.
      
      Bug: http://b/35554543
      Test: build and test on marlin.
      Change-Id: Id118e06e3c800b70a749ab112e07a4ec24bb5975
      SElinux: Clean up code related to foreign dex use · 2b291121
      Calin Juravle authored
      We simplified the way we track whether or not a dex file is used by
      other apps. DexManager in the framework keeps track of the data and we
      no longer need file markers on disk.
      
      Test: device boots, foreign dex markers are not created anymore
      
      Bug: 32871170
      Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
  26. Mar 03, 2017
      Label /proc/misc · 50bb7b5a
      Nick Kralevich authored
      Label /proc/misc and allow access to untrusted_apps targeting older API
      versions, as well as update_engine_common.
      
      /proc/misc is used by some banking apps to try to detect if they are
      running in an emulated environment.
      
      TODO: Remove access to proc:file from update_engine_common after more
      testing.
      
      Bug: 35917228
      Test: Device boots and no new denials.
      Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75
  27. Feb 28, 2017
      Add /data/misc/reboot and reboot_data_file context · 7290f633
      Todd Poynor authored
      Add a file context for keeping track of last reboot reason and label
      directory /data/misc/reboot/ for this purpose.
      
      (Cherry picked from commit ca051f6d)
      
      Bug: 30994946
      Test: manual: reboot command, setprop sys.powerctl, SoC thermal mgr
      Change-Id: I9569420626b4029a62448b3f729ecbbeafbc3e66
  28. Feb 12, 2017
      tracefs: avoid overly generic regexes · 4cae28d4
      Nick Kralevich authored
      On boot, Android runs restorecon on a number of virtual directories,
      such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
      are correct. To avoid causing excessive boot time delays, the restorecon
      code aggressively prunes directories, to avoid recursing down directory
      trees which will never have a matching SELinux label.
      
      See:
      * https://android-review.googlesource.com/93401
      * https://android-review.googlesource.com/109103
      
      The key to this optimization is avoiding unnecessarily broad regular
      expressions in file_contexts. If an overly broad regex exists, the tree
      pruning code is ineffective, and the restorecon ends up visiting lots of
      unnecessary directories.
      
      The directory /sys/kernel/debug/tracing contains approximately 4500
      files normally, and on debuggable builds, this number can jump to over
      9000 files when the processing from wifi-events.rc occurs. For
      comparison, the entire /sys/kernel/debug tree (excluding
      /sys/kernel/debug/tracing) only contains approximately 8000 files. The
      regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
      a significant number of files, which impacts boot performance.
      
      Instead of using an overly broad regex, refine the regex so only the
      files needed have an entry in file_contexts. This list of files is
      essentially a duplicate of the entries in
      frameworks/native/cmds/atrace/atrace.rc .
      
      This change reduces the restorecon_recursive call for /sys/kernel/debug
      from approximately 260ms to 40ms, a boot time reduction of approximately
      220ms.
      
      Bug: 35248779
      Test: device boots, no SELinux denials, faster boot.
      Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
  29. Feb 09, 2017
  30. Feb 07, 2017