Give mount & chroot permissions to otapreopt_chroot related to
postinstall.

Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.

Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7

Bug: 28251026
Change-Id: I73dce178b873d45e703896f12c10325af2ade81d

Doesn't appear to be needed anymore.

Change-Id: I7a1fcf4c17fa69c313daebb87c9b0bf654169ee0

Bug: 27549740
Change-Id: I3f646984fbd9cbcb58636d158a9ac0afc5a930ce

(cherry picked from commit 6ba383c5)

Restrict unix_dgram_socket and unix_stream_socket to a whitelist.
Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.

Neverallow third party app use of all ioctls other than
unix_dgram_socket, unix_stream_socket, netlink_selinux_socket,
netlink_route_socket, tcp_socket, udp_socket and rawip_socket.

Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab

(cherry picked from commit 1df23cbf)

This does not appear needed anymore.

Bug: 27549740
Change-Id: I3128ab610c742b18008f4cfc2a7116b210f770e7

Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.

Bug: 18340553
Bug: 27853304

(cherry picked from commit 369cf8cd)

Change-Id: Ib33e7ea0342ad28e5a89dfffdd9bc16fe54d8b3d

Bug: 28179196

Change-Id: I580f0ae2b3d86f9f124195271f6dbb6364e4fade

Bug: 28169802
Change-Id: Ibc063470a42601ea232b1fa535663641a761eea7

Bug: 28049120
Change-Id: Id288092402f36daafc3347db9b62d341a1de2eb3

Bug: 28165026
Change-Id: I3deecd692b348dbb28bf1d36a88696e4bc1db92d

Move from privileged macro to unprivileged.

Bug: 28164785
Change-Id: Ide39dc0009871c209249a41e574e84009ac47380

1. Allow the system server to create the dns_listener service.
2. Allow netd to use said service.

Change-Id: Ic6394d7b2bdebf1c4d6cf70a79754a4996e943e2

Allow adbd and app domains to read the symlink at /mnt/sdcard.
This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on.

Read access for this symlink was removed from adbd and the shell user in
8ca19368, and from untrusted_app in
cbf7ba18.

Addresses the following denials:

  avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
  avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 25801877
Bug: 28108983
Change-Id: Ia31cd8b53c9c3a5b7d11be42c2fde170f96affb0

This allows system app, regular app as well as test app to access
ContextHubManager API. Additional "signature|privilige" permission
requirement (LOCATION_HARDWARE) still exist to prevent security
issues, misuse and abuse.

Change-Id: I47f3d243a3de7f1202c933fc715a935c43cf319b

postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

(cherry picked from commit a9671c6b)

Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c

Bug: 28008032
Change-Id: I29e076ee9c62a0fb3b386f79509935a1961f95e1

(cherry picked from AOSP 163c8a006b87cae0217fd9dafdaec5271f1d795b)

Do not allow module loading except from the system, vendor,
and boot partitions.

Bug: 27824855
Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1

(cherry picked from AOSP a16b0589)

Enforce restrictions on kernel module origin when kernel has commit:
61d612ea selinux: restrict kernel module loading

Bug: 27824855
Change-Id: Icf2fefec4231f3df8f0f3d914123c22084d87b0b

Bug: 27176738
Change-Id: Ib52bb94973d20591dd440cea42aadfa53d476848

Bug: 27884853
Change-Id: I097306a324bdc25c5d22868f0342e175ce0dbb9a

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 28040634

Change-Id: I492c87e9f232c57f43abd09b7864b52847bc3555

We've seen evidence that the logcat binary can end up wedged, which
means we can eventually starve system_server for FDs.  To mitigate
this, wrap logcat using the timeout utility to kill and clean up if
it takes too long to exit.

avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Bug: 27994717, 28021719, 28009200
Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: system_server, dumpstate, and bluetooth

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b

(cherry pick from commit 74541338)

Bug: 27965066
Change-Id: Ia0690c544876e209e4c080b0e959f763b731c48a

(cherry pick from commit 6937aa93)

Followup to 121f5bfd.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
  out/target/product/bullhead/root/sepolicy

Before this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file relabelto;
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
Bug: 27965066