This reverts commit 5bf94caf.

Remove this temporary workaround.

Bug: 63147833
Test: Build policy

Ueventd needs write access to all files in /sys to generate uevents.

Bug: 63147833
Test: build. Verify no ueventd denials in the logs.
Change-Id: I89d33aab158dd192e761f14eff8afa1c71594bca

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b

This handles any relabeling of vendor_file to a more specific type in
the case of device bringups or future changes to private/file_context
since ueventd will still need read access to all vendor_file's.

Test: Ueventd has read access to any vendor_file_type
Change-Id: I922af54c76d1ef46ea6536e6dc945b37bcc2126a

The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>

file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
       --skip-preconditions --skip-connectivity-check --abi \
       arm64-v8a --module CtsSecurityHostTestCases -t \
       android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>

There are many character files that are unreachable to all processes
under selinux policies. Ueventd and init were the only two domains that
had access to these generic character files, but auditing proved there
was no use for that access. In light of this, access is being completely
revoked so that the device nodes can be removed, and a neverallow is
being audited to prevent future regressions.

Test: The device boots
Bug: 33347297
Change-Id: If050693e5e5a65533f3d909382e40f9c6b85f61c

It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.

/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.

Bug: 33347297
Test: The phone boots without any apparent log spam.

Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb

Broke the dragon build:

libsepol.report_failure: neverallow on line 304 of system/sepolicy/public/domain.te (or line 8638 of policy.conf) violated by allow kernel device:chr_file { create setattr };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy

This reverts commit ed0b4eb3.

Change-Id: I5d55ab59ed72ce7c19a10ddbb374f9f3b3fae4fd

By default, files created in /dev are labeled with the "device" label
unless a different label has been assigned. The direct use of this
generic label is discouraged (and in many cases neverallowed) because
rules involving this label tend to be overly broad and permissive.

Today, generically labeled character devices can only be opened, read,
or written to by init and ueventd.

  $ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy
  allow init device:chr_file { setattr read lock getattr write ioctl open append };
  allow ueventd device:chr_file { read lock getattr write ioctl open append };

this is enforced by the following SELinux neverallow rule (compile time
assertion + CTS test):

  neverallow { domain -init -ueventd } device:chr_file { open read write };

Start auditallowing ueventd access to /dev character device files with the
default SELinux label. This doesn't appear to be used, but let's prove it.
While ueventd is expected to create files in /dev, it has no need to open
most of the files it creates.

Note, however, that because ueventd has mknod + setfscreate permissions,
a malicious or compromised ueventd can always create a device node under
an incorrect label, and gain access that way.

The goal of this change is to prove that no process other than init are
accessing generically labeled files in /dev.

While I'm here, tighten up the compile time assertion for
device:chr_file to include more permissions.

Test: policy compiles + device boots with no granted messages.
Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0

Only init and ueventd have any access to /dev/port, and neither should
have any use for it. As it stands, leaving port in just represents
additional attack surface with no useful functionality, so it should be
removed if possible, not only from Pixel devices, but from all Android
devices.

Test: The phone boots successfully

Bug:33301618
Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.

Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe

Grant permissions observed.

Bug: 28760354
Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b

Fix file diffs.

Change-Id: Iac673c718b49779bba380e75ddd083caf6a2a1c3

This reverts commit 9c820a11.

Bug: 31364540
Change-Id: I98a34bd32dd835e6795d31a90f16f4ccd691e6e5

This reverts commit c71c6622.

Bug: 31364540
Change-Id: I3f4f132d4769e3cbc9d03ff908104a69f05bd2ef

Grant permissions observed.

(cherry picked from commit 9c820a11)

Merged-in: Ifdead51f873eb587556309c48fb84ff1542ae303
Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

Bug: http://b/30317429
Change-Id: I5c499c48d5e321ebdf588a162d29e949935ad8ee
Test: adb shell dmesg | grep ueventd

Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.

Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe

Commit: b144ebab added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them.  Add the ability
to write to sysfs_usb for all domains that had the ability to write to
those files previously (sysfs).

Address denials such as:
type=1400 audit(1904.070:4): avc:  denied  { write } for  pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849

Grant permissions observed.

Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

The commit: d41ad551
fixes a race in coldboot. However, introduced a seperate
bug where existing character files were being relabeled.

The fix was to have ueventd ensure their was a delta between
the old and new labels and only then call lsetfilecon(). To
do this we call lgetfilecon() which calls lgetxattr(), this
requires getattr permissions.

This patch is void of any relabelfrom/to for ueventd on chr_file
as those can be added as they occur.

Bug: 29106809

Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef
Signed-off-by: William Roberts <william.c.roberts@intel.com>

There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. In this case
the device node links used to compute the SELinux context are not known
and the node is created under the generic context: u:object_r:block_device:s0.

Ueventd has been patched to relabel the nodes on subsequent add events but
it needs permissions to be allowed to do it.

BUG=28388946

Signed-off-by: Mihai Serban <mihai.serban@intel.com>

(cherry picked from commit d41ad551)

Change-Id: I26838a3a9bc19b341e7176e5dc614827232014bf

There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. In this case
the device node links used to compute the SELinux context are not known
and the node is created under the generic context: u:object_r:block_device:s0.

Ueventd has been patched to relabel the nodes on subsequent add events but
it needs permissions to be allowed to do it.

BUG=28388946

Change-Id: Ic836309527a2b81accc50df38bd753d54fa5e318
Signed-off-by: Mihai Serban <mihai.serban@intel.com>

When using domain_trans(init, foo_exec, foo), don't add the
following rule:

  allow foo init:process sigchld;

This is already allowed for all domains in domain.te:

  # Allow reaping by init.
  allow domain init:process sigchld;

So adding it over and over again is redundant and bloats the
policy. More specifically, when I run:

  sepolicy-analyze out/target/product/bullhead/root/sepolicy dups

this change reduces the number of duplicate policy statements
from 461 to 389.

Change-Id: I8632e5649a54f63eb1f79ea6405c4b3f515f544c

HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

(cherry-pick from internal commit: 85c0f8af)

Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9

HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b

Remove references to /data/security and the corresponding
type securitly_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6

Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

(cherry picked from e2651972)

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534

Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534

Add a compile time assertion that no SELinux rules exist which
allow ueventd to set properties, or even connect to the property
socket.

See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
for details.

Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32

Updating properties from ueventd may lead to deadlocks with init in rare
cases, which makes these changes unnecessary after all.

This reverts commit 47cd53a5.

Change-Id: I87bdd66f0ec025eb3a9ea17574a67e908f3de6da

On dm-verity errors, we catch uevents in ueventd and set the value
for a matching verity.* property. Allow ueventd to actually change
property values.

Needed by changes from
  Ibb82953594d234f81ad21c40f524190b88e4ac8f

Change-Id: I79bc90733edf8a45b27e64795f4adfbb3bc028dc

Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7

Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d

ueventd is allowed to change files and directories in /sys,
but not symbolic links. This is, at a minimum, causing the
following denial:

type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file

Allow ueventd to modify labeling / attributes of symlinks.

Change-Id: If641a218e07ef479d1283f3171b2743f3956386d

Currently, ueventd only modifies the SELinux label on a file
if the entry exists in /ueventd.rc. Add policy support to enable
an independent restorecon_recursive whenever a uevent message occurs.

Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac