Change-Id: I427c0f4828d45f2c43206c09cb37e3eb30455dee

Add com.android.net.IProxyService as a system_server_service
to service_contexts.

Bug: 16369427

(cherry picked from commit 26d6371c)

Change-Id: I3e58681971683bdc7f26a1d130c8bcf8ffcb89e2

https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.

For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.

Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.

(cherry picked from commit 8a5b28d2)

Change-Id: I39baaf62058986d35ad43de708aaa3daf93b2df4

dex2oat fails when upgrading unlabeled asec containers.

Steps to reproduce:

1) Install a forward locked app on Android 4.1
  adb install -l foo.apk
2) Upgrade to tip-of-tree

Addresses the following denial:

  <4>[  379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

(cherry picked from commit 270be6e8)

Change-Id: I58dc6ebe61a5b5840434077a55f1afbeed602137

addresses the following denial:

  type=1400 audit(1.871:3): avc:  denied  { ipc_lock } for  pid=1406 comm="lmkd" capability=14  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

Bug: 16236289

(cherry picked from commit 6a1405d7)

Change-Id: I560f1e52eac9360d10d81fc8a9f60eba907a8466

Define the service context for "webviewupdate", a new service that will
run in the system server.

Bug: 13005501
Change-Id: I841437c59b362fda88d130be2f2871aef87d9231

dex2oat can't access file descriptors associated with asec_apk_files.
This breaks installing forward locked apps, and generates the following
denial:

  type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file

Steps to reproduce:

  $ adb install -r -l SimpleJNI.apk

Expected:

  app installs

Actual:

  app fails to install.

Bug: 16328233

(cherry picked from commit 5259c5e6)

Change-Id: I1969b9ae8d2187f4860587f7ff42d16139657b5b

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspsect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f

Change untrusted_app to not auditallow radio_service find requests
to cut down on log spam.

(cherry picked from commit af8d7ca9)

Change-Id: Ibfcc1abe927b6114af5a3a82188bf9f1e009d7f7

Addresses the following selinux denials:
type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0

(cherry picked from commit 53297318)

Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45b)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15

Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d

Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4

Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2

Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7

Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e

Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87

* commit '2f91ce55':

* commit '1c7463ac':

* commit 'ddfaf822':

* commit '554a8a3d':

* commit 'e4409728':
  Allow netd to create data files in /data/misc/net/.

* commit 'd27aeb21':
  recovery: allow read access to fuse filesystem

* commit 'd86b0a81':
  New domain "install_recovery"

* commit 'e900e573':
  Rules to allow installing package directories.

Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: I714ccb34f60d1413d2b184dae9b561cd06bc6b45

* commit 'a2933b66':
  install_recovery: start enforcing SELinux rules

* commit '2b3c5de2':
  install_recovery: start enforcing SELinux rules

* commit '5b347a60':
  allow ueventd sysfs_type lnk_file

* commit '1d2ff869':
  allow ueventd sysfs_type lnk_file

ueventd is allowed to change files and directories in /sys,
but not symbolic links. This is, at a minimum, causing the
following denial:

type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file

Allow ueventd to modify labeling / attributes of symlinks.

Change-Id: If641a218e07ef479d1283f3171b2743f3956386d

* commit '5b5ba50f':
  Drop sys_rawio neverallow for tee

* commit 'b59dc27a':
  Drop sys_rawio neverallow for tee

The new Nexus 5 tee implementation requires raw block I/O
for anti-rollback protection.

Bug: 15777869
Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396

* commit '7e953e77':
  Don't use don't

* commit 'f5835666':
  Don't use don't

* commit 'f7cf7a4b':
  ensure that untrusted_app can't set properties

* commit '99d86c7a':
  ensure that untrusted_app can't set properties

Single quotes sometimes mess up m4 parsing

Change-Id: Ic53cf0f9b45b2173cbea5c96048750f6a582a535