Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

(cherry picked from e2651972)

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534

Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534

Add a compile time assertion that no SELinux rules exist which
allow ueventd to set properties, or even connect to the property
socket.

See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
for details.

Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32

Updating properties from ueventd may lead to deadlocks with init in rare
cases, which makes these changes unnecessary after all.

This reverts commit 47cd53a5.

Change-Id: I87bdd66f0ec025eb3a9ea17574a67e908f3de6da

On dm-verity errors, we catch uevents in ueventd and set the value
for a matching verity.* property. Allow ueventd to actually change
property values.

Needed by changes from
  Ibb82953594d234f81ad21c40f524190b88e4ac8f

Change-Id: I79bc90733edf8a45b27e64795f4adfbb3bc028dc

Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7

Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d

ueventd is allowed to change files and directories in /sys,
but not symbolic links. This is, at a minimum, causing the
following denial:

type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file

Allow ueventd to modify labeling / attributes of symlinks.

Change-Id: If641a218e07ef479d1283f3171b2743f3956386d

Currently, ueventd only modifies the SELinux label on a file
if the entry exists in /ueventd.rc. Add policy support to enable
an independent restorecon_recursive whenever a uevent message occurs.

Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac

Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As per the discussion in:
https://android-review.googlesource.com/#/c/92903/



Add sysfs_type attribute to sysfs type so that it is included
in rules on sysfs_type, allow setattr to all sysfs_type for ueventd
for chown/chmod, and get rid of redundant rules.

Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Need this for changing max_cpufreq for the low power mode.

Denials:
type=1400 audit(1398818907.151:48): avc:  denied  { relabelfrom } for
pid=129 comm="ueventd" name="scaling_max_freq" dev="sysfs" ino=19866
scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs:s0 tclass=file

type=1400 audit(118521.050:11): avc:  denied  { setattr } for  pid=130
comm="ueventd" name="scaling_min_freq" dev="sysfs" ino=9178
scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file

Change required for Change-Id: Ibe0b4aaf3db555ed48e89a7fcd0c5fd3a18cf233

Change-Id: I93feee65b1535ac048acf3bc7fba9f5d1bdb2bd2
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

All (known) denials have been addressed.

Change-Id: Ic12ed190a2efb7f20be589137a27b95d03dde25a

Every device has a CPU. This is not device specific.

Allow every domain to read these files/directories.
For unknown reasons, these files are accessed by A LOT
of processes.

Allow ueventd to write to these files. This addresses
the following denials seen on mako:

<5>[    4.935602] type=1400 audit(1383167737.512:4): avc:  denied  { read } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935785] type=1400 audit(1383167737.512:5): avc:  denied  { open } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.935937] type=1400 audit(1383167737.512:6): avc:  denied  { search } for  pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[    4.936120] type=1400 audit(1383167737.512:7): avc:  denied  { write } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
<5>[    4.936303] type=1400 audit(1383167737.512:8): avc:  denied  { open } for  pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file

Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936

* Keep ueventd in permissive
* Drop unconfined macro to collect logs
* Restore allow rules to current NSA maintained policy

Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.

Change-Id: I729d224347a003eaca29299d216a53c99cc3197c

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

Required for If8b8d66120453123c1371ce063b6f20e8b96b6ef .

Change-Id: I98871b957db8b291cbbb827b5eb39b4279ce4194
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

Required for If8b8d66120453123c1371ce063b6f20e8b96b6ef .

Change-Id: I98871b957db8b291cbbb827b5eb39b4279ce4194
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add new dev_type:
- ump_device : Unified Memory Provider driver.
       The file_contexts entry should be
       described on a per device basis.

Minor adjustments:
- tee needs netlink socket access.
- ueventd needs to grant file operations.

Change-Id: I915304da687d3a2b9aa417e6f91ea915bd697676
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Tested on a maguro variant.

Allow reading of properties area, which is now created before init has switched contexts.  Revisit this later - we should explicitly label the properties file.