- Jun 08, 2015
-
-
Nick Kralevich authored
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.

These processes log to the kernel dmesg ring buffer, so they need write access to that file.

Addresses the following denials:

  avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
  avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
  avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node.

Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates its own /dev/null device, so it's unnecessary for us to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
-
- Jun 04, 2015
-
-
Paul Lawrence authored
-
Narayan Kamath authored
Required by the installation flow for split APKs. bug: 20889739 Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1
-
- Jun 03, 2015
-
-
Paul Lawrence authored
In order to prevent this bug from happening, we must allow vold cryptfs commands to complete while a long running mount is underway.

While waiting for vold to be changed to a binder interface, we will simply create two listeners, one for cryptfs and one for everything else.

Bug: 19197175
Change-Id: I819f6a54c0a232826016823f2fde3adf7be31f9d
-
- Jun 02, 2015
-
-
Mark Salyzyn authored
(cherry pick from commit 0d22c6ce)

  - Enable logpersistd to write to /data/misc/logd
  - Enable logpersistd to read from pstore to help complete any content lost by reboot disruption
  - Enable shell readonly ability logpersistd files in /data/misc/logd
  - Enable logcat -f when placed into logd context to act as a logpersistd (nee logcatd) agent, restrict access to run only in userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
-
- May 29, 2015
-
-
Paul Lawrence authored
(cherry-picked from change f7163597)

This is one of three changes to enable this functionality:

  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196
Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
-
Paul Lawrence authored
(cherry-picked from commit 13dec5fa)

Move all key management into vold

Reuse vold's existing key management through the crypto footer to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents any issues when running in block encrypted mode, as well as speeding up boot in block or no encryption.

This is one of four changes to enable this functionality:

  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196
Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
-
- May 28, 2015
-
-
dcashman authored
-
dcashman authored
SystemPropPoker in settings app lists and communicates with every service on the system on property change, which is not currently allowed for all services. This occurs, for instance, when toggling Developer options -> Monitoring -> Profile GPU Rendering -> On screen as bars.

Addresses the following denials:

  SELinux : avc: denied { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
  SELinux : avc: denied { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager

(cherry-pick of commit: bf0c34d5)

Bug: 20762975
Bug: 21446739
Change-Id: I655d39c6d6ff0b8bd333a99d17abc08af8001be8
-
Tao Bao authored
-
Tao Bao authored
System server and uncrypt need to communicate with a named pipe on the /cache partition. It will be created and deleted by system server.

Bug: 20012567
Bug: 20949086
Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
-
- May 26, 2015
-
-
Stephen Smalley authored
All uses were removed by I1c925d7facf19b3953b5deb85d992415344c4c9f; this is just a dead definition.

(cherry-pick of commit: a0c9d207)

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change-Id: I2e17e522a78120c3658d81035e202aab861a3b22
-
- May 22, 2015
-
-
Jim Miller authored
-
Jim Miller authored
Fixes avc errors;

  avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
  avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0

Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6
-
- May 21, 2015
-
-
Chad Brubaker authored
-
Jim Miller authored
- May 20, 2015
-
-
Ruben Brunk authored
-
Jim Miller authored
Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
-
Ruben Brunk authored
- Update selinux policy for CameraServiceProxy. Bug: 21267484 Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10
-
- May 19, 2015
-
-
Jeff Sharkey authored
As an optimization, platform components like MediaProvider may choose to shortcut past the FUSE daemon and return open file descriptors directly pointing at the underlying storage device.

Now that we have a specific label for /mnt/media_rw, we need to grant search access to untrusted apps like MediaProvider. The actual access control is still managed by POSIX permissions on that directory.

  avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0

Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
-
- May 18, 2015
-
-
Chad Brubaker authored
Keystore is going through an API cleanup to make names more clear and remove unclear methods. (cherry-picked from commit cbc8f796) Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
-
Chad Brubaker authored
user_changed will be used for state change methods around android user creation/deletion. (cherry-picked from commit 520bb816) Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
- May 15, 2015
-
-
Jeff Vander Stoep authored
-
Jeff Vander Stoep authored
Allow tty ioctls TIOCOUTQ 0x5411 and FIOCLEX 0x5451. Allow/audit all wireless extension ioctls. Bug: 21120188 Change-Id: Icd447ee40351c615c236f041931d210751e0f0c3
-
Jeff Sharkey authored
-
Than McIntosh authored
Bug: http://b/19483574 Change-Id: Id39a5aaf531d2a75a22647bdafb34a6ef18201c8 (cherry picked from commit 728fe3d4)
-
Jeff Sharkey authored
Define an explicit label for /proc/sys/vm/drop_caches and grant to the various people who need it, including vold which uses it when performing storage benchmarks.

Also let vold create new directories under its private storage area where the benchmarks will be carried out. Mirror the definition of the private storage area on expanded media.

  avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
-
- May 14, 2015
-
-
dcashman authored
Addresses the following error when running CTS on master:

  junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
  neverallow { appdomain -bluetooth } self:capability *;
  /tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory

Also indicate that none of the sepolicy tools need c++ std lib.

(cherry-pick of 28acbeab)

Bug: 19566396
Change-Id: Ieb380d05ae896a8146b80f94fe3b3211178705bb
-
- May 13, 2015
-
-
Nick Kralevich authored
-
Nick Kralevich authored
Programs routinely scan through /system, looking at the files there. Don't generate an SELinux denial when it happens. Bug: 21120228 Change-Id: I85367406e7ffbb3e24ddab6f97448704df990603
-
Adam Lesinski authored
Bug:20182139 Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868
-
- May 07, 2015
-
-
Nick Kralevich authored
Files on the /oem partition are weird. The /oem partition is an ext4 partition, built in the Android tree using the "oem_image" build target added in build/ commit b8888432f0bc0706d5e00e971dde3ac2e986f2af. Since it's an ext4 image, it requires SELinux labels to be defined at build time. However, the partition is mounted using context=u:object_r:oemfs:s0, which ignores the labels on the filesystem.

Assign all the files on the /oem image to be oemfs, which is consistent with how they'll be mounted when /oem is mounted.

Other options would be to use an "unlabeled" label, or try to fix the build system to not require SELinux labels for /oem images.

(cherrypicked from commit 2025fd14)

Bug: 20816563
Change-Id: Ibe8d9ff626eace8a2d5d02c3f06290105baa59fe
-
William Roberts authored
A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of:

  1. Allowing the unix domain connection to the init/property service
  2. Allowing write on the property_socket file
  3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added.

To correct this, we introduce a new macro:

  set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
-
- May 06, 2015
-
-
Dehao Chen authored
Bug: 19483574 (cherry picked from commit 7d66f783) Change-Id: If617e29b6fd36c88c157941bc9e11cf41329da48
-
Than McIntosh authored
Bug: http://b/19483574 (cherry picked from commit 0fdd364e) Change-Id: If29946a5d7f92522f3bbb807cea5f9f1b42a6513
-
Nick Kralevich authored
Addresses the following denials:

  avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0
  avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0
  avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0

(cherrypicked from commit e550e79c)

Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
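
An added example, not part of this commit or of AOSP's tooling: the three denials quoted in the commit message above, parsed in Python to recover the hex-encoded path= value and to derive the allow rule each denial corresponds to. Function and field names are illustrative, and the derived rules are candidates to review against the policy, not a record of what the commit changed.

```python
import re

# The three denials quoted in the commit message above, copied verbatim.
DENIALS = """\
avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0
avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(value):
    # The audit code quotes ordinary strings and hex-encodes, unquoted, any
    # string containing a space, a quote or a non-printable byte.
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_denial(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type:level[:categories]; the rule uses the type.
    src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
    obj = f.get("path") or f.get("name")
    return {
        "source": src,
        "target": "self" if src == tgt else tgt,
        "tclass": f["tclass"],
        "perms": m.group("perms").split(),
        "object": decode_path(obj) if obj else None,
        "enforced": f.get("permissive") == "0",
    }


def candidate_rule(d):
    """Rule that would silence the denial; for review, not automatic use."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perms)


if __name__ == "__main__":
    for line in DENIALS.splitlines():
        d = parse_denial(line)
        print(candidate_rule(d), "#", d["object"])
```
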
-
- May 05, 2015
-
-
Jeff Vander Stoep authored
MAC address access is no longer allowed via the java API. Deny access from native code. Bug: 17787238 Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
-
dcashman authored
-