Let's see if it's safe to get rid of them.

Bug: 25768265
Bug: 25767747
Change-Id: Iaf022b4dafe1cc9eab871c8d7ec5afd3cf20bf96

Addresses the following denial:

  avc: denied { relabelfrom } for pid=9971 comm="system_server" name="fpdata" dev="dm-0" ino=678683 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Bug: 25801240
Change-Id: I043f48f410505acaee4bb97446945316f656a210

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18

The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).

Bug: 25612377

Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993

979adffd added an auditallow
to see if system_server was relabeling system_data_file.
The auditallow rule hasn't triggered, so remove the allow rule.

a3c97a76 added an auditallow
to see if system_server was executing toolbox. The auditallow
rule hasn't triggered, so remove the allow rule. AFAIK,
system_server never executes ANY file, so further tightening here
is feasible.

Change-Id: Ia0a93f3833e32c3e2c898463bd8813701a6dd20a

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

23cde877 removed JIT capabilities
from system_server for user and userdebug builds. Remove the capability
from eng builds to be consistent across build types.

Add a neverallow rule (compile time assertion + CTS test) to verify
this doesn't regress on our devices or partner devices.

Bug: 23468805
Bug: 24915206
Change-Id: Ib2154255c611b8812aa1092631a89bc59a27514b

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687

(cherry picked from commit c3712143)

Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687
Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2

Remove system server's permission to dynamically update SELinux
policy on the device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: I3c64d64359060561102e1587531836b69cfeef00

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

On user and userdebug builds, system_server only loads executable
content from /data/dalvik_cache and /system. JITing for system_server
is only supported on eng builds. Remove the rules for user and
userdebug builds.

Going forward, the plan of record is that system_server will never
use JIT functionality, instead using dex2oat or interpreted mode.

Inspired by https://android-review.googlesource.com/98944

Change-Id: I54515acaae4792085869b89f0d21b87c66137510

Init is now responsible for creating /data/anr, so it's
unnecessary to grant system_server and dumpstate permissions
to relabel this directory. Remove the excess permissions.

Leave system_data_file relabelfrom, since it's possible we're
still using it somewhere.

See commits:
  https://android-review.googlesource.com/161650
  https://android-review.googlesource.com/161477
  https://android-review.googlesource.com/161638

Bug: 22385254
Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9

Bug: 18068520
Bug: 21852542
Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049

This reverts commit 2dabf174.

Change-Id: I7e35a6ea1b8d5958c65eb04a7c9a04ba807b1181

Bug: 18068520
Bug: 21852542
Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff

To help reduce code injection paths, a neverallow is placed
to prevent domain, sans untrusted_app and shell, execute
on data_file_type. A few data_file_type's are also exempt
from this rule as they label files that should be executable.

Additional constraints, on top of the above, are placed on domains
system_server and zygote. They can only execute data_file_type's
of type dalvikcache_data_file.

Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts <william.c.roberts@intel.com>

System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.

Bug: 20012567
Bug: 20949086
(cherry picked from commit 70c6dbf0)
Change-Id: I4ddc523c2a0f4218877dae8f8a9b7fcf3f786625

This reverts commit e929ad8b524a7e444008b657adaafff97b5dea79.

bug: 20889739
Change-Id: I6729f4e26041b481f2442a2d8c3dfb42e2d4144a

Required by the installation flow for split APKs.

bug: 20889739

Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1

System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.

Bug: 20012567
Bug: 20949086
Change-Id: I9494a67016c23294e803ca39d377ec321537bca0

Fixes avc errors;
avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0

Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6

Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef

Grant access to system_server, as it is used by AlarmManagerService.

(cherry-pick of c7594898)

Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f

Grant access to system_server, as it is used by AlarmManagerService.

Change-Id: I4f099fe30ba206db07d636dd454d43d3df9d3015

Keystore is going through an API cleanup to make names more clear and
remove unclear methods.

(cherry-picked from commit cbc8f796)

Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3

user_changed will be used for state change methods around android user
creation/deletion.

(cherry-picked from commit 520bb816)

Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b

Keystore is going through an API cleanup to make names more clear and
remove unclear methods.

Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3

Bug:20182139
Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868

user_changed will be used for state change methods around android user
creation/deletion.

Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

The current neverallow rule (compile time assertion)

  neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

 * all app processes
 * dumpstate
 * system_server
 * mediaserver
 * surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c

Commit 85ce2c70 removed hard link
support from create_file_perms, but system_server requires hard
link support for split APKs. Allow it.

Addresses the following denial:

  audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

Steps to reproduce:
1) Find the directory "hellogoogle3.splitapk"
2) adb install-multiple -r hellogoogle3_incremental.apk
3) adb install-multiple -r -p com.google.android.samples.hellogoogle3 native.apk

Expected:
  2nd APK installs successfully.

Actual:
  2nd APK fails to install.

Change-Id: Ib69fc70dd1c7cd158590db3fd117d6b05acf1cf7

On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:

  % adb shell am set-watch-heap com.android.systemui 1048576
  % adb shell dumpsys procstats --start-testing

which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.

Allow this behavior.

Addresses the following denial:

  avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540

Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1

Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095

Required for PackageManagerService to perform restorecon recursively on a
staging dir.

Addresses the following denial:
avc: denied { open } for name="oat" dev="mmcblk0p28" ino=163027 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir

Bug: 19550105
Bug: 20087446
Change-Id: I0f6ebb79745091ecb4d6d3dbe92f65606b7469da