Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4

Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e

Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.

Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f

Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e

Remove the auditallow statements from app.te and
binderservicedomain.te which were causing log spam.

Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc

sdcard_internal is assigned to fuse mounts while sdcard_external
is assigned to vfat mounts by genfs_contexts.  Originally we
allowed access to both via the sdcard_type attribute, and access
via both means was required.  IIUC however, in 4.4 and later,
SDcard access should always occur via the fuse mount and we can
drop access to sdcard_external.

I think we can do the same for all domains except sdcardd.  However,
I cannot test this as the Nexus devices do not have external SDcard
support.

Also wondering if we should rename sdcard_internal type to fuse
and sdcard_external type to vfat to more clearly represent their
meaning, since one accesses the external SDcard via the fuse mount now.

Change-Id: Ie44221e9eea90e627a48df5398c456b86293f724
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The following commits added support for runtime resource overlays.

  New command line tool 'idmap'
  * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
  Runtime resource overlay, iteration 2
  * 48d22323ce39f9aab003dce74456889b6414af55
  Runtime resource overlay, iteration 2, test cases
  * ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
  * python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40

Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to
read/write profiling data.

Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3

Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh.  So they originally
shared a common set of rules.  Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc.  Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc).  The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command.  And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.

Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te.  init_shell was an unconfined_domain(),
so it loses nothing from this change.  Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.

Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As of sepolicy commit a16a59e2
(https://android-review.googlesource.com/94580), adf_device
and graphics_device have the exact same security properties.

Merge them into one type to avoid a proliferation of SELinux
types.

Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95

This is to accomodate migration to (and ongoing support of) a
new installed-app file topology, in which APK files are placed
in /data/app/$PACKAGE-rev/, there is a canonical-path symlink
/data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native
libraries exist not under a top-level /data/app-lib/$PACKAGE-rev
hard directory, but rather under /data/app/$PACKAGE/lib (when
referenced by canonical path).

Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0

NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

  06-02 13:28:59.495  3634  3634 W linker  : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
  <4>[   57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
  App runs

Actual:
  App crashes with error above.

Bug: 15388851

(cherry picked from commit 78706f9e)

Change-Id: I4a20de92f9c5f1840a30232212ba373b497c19a8

NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

  06-02 13:28:59.495  3634  3634 W linker  : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
  <4>[   57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
  App runs

Actual:
  App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663

Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).

init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it.  init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.

Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.

This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.

Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.

Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

As suggested in https://android-review.googlesource.com/95966 , remove
various syslog_* from unconfined. SELinux domains which want to use
syslog_* can declare it themselves.

Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4

Allow the shell user to see the dmesg output. This data is already
available via "adb bugreport", but isn't easy to access.

Bug: 10020939
Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177

Define a domain and appropriate access rules for shared RELRO files
(used for loading the WebView native library). Any app is permitted to
read the files as they are public data, but only the shared_relro
process is permitted to create/update them.

Bug: 13005501
Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e

On userdebug / eng builds, Android supports the concept of app wrapping.
You can run an app wrapped by another process. This is traditionally used
to run valgrind on apps, looking for memory leaks and other problems.

App wrapping is enabled by running the following command:

  adb shell setprop wrap.com.android.foo "TMPDIR=/data/data/com.android.foo logwrapper valgrind"

Valgrind attempts to mmap exec /system/bin/app_process, which is being denied
by SELinux. Allow app_process exec.

Addresses the following denial:

  <4>[   82.643790] type=1400 audit(16301075.079:26): avc:  denied  { execute } for  pid=1519 comm="memcheck-arm-li" path="/system/bin/app_process32" dev="mmcblk0p25" ino=61 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

Bug: 15146424

Change-Id: I65394938c53da9252ea57856d9f2de465bb30c25

Commit: 7ffb9972 added protection against low
memory mapping for all domains, a superset of appdomain.  Remove the same,
redundant neverallow rule from appdomain.

Change-Id: Ia41c02763f6b5a260c56d10adfbab649d9f3f97c

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { call } for  pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc:  denied  { write } for  pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc:  denied  { write } for  pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc:  denied  { ptrace } for  pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc:  denied  { sigkill } for  pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc:  denied  { write } for  pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { unlink } for  pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { read write } for  pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { write } for  pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Bug: 14833575

Change-Id: I23425b4ef1552ff31486d0a52ee2c69d6236691d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Should no longer be required due to restorecon_recursive of /data
by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).

Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

ADF is a modern replacement for fbdev.

ADF's device nodes (/dev/adf[X]), interface nodes
(/dev/adf-interface[X].[Y]), and overlay engine nodes
(/dev/adf-overlay-engine[X].[Y]) are collectively used in similar
contexts as fbdev nodes.  Vendor HW composers (via SurfaceFlinger) and
healthd will need to send R/W ioctls to these nodes to prepare and
update the display.

Ordinary apps should not talk to ADF directly.

Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>

We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Commit 3fbc536d allowed untrusted
app to read radio data files passed via binder, but didn't allow
write access. Write access is needed when sending MMS messages.

Steps to reproduce:
1) have some photos on the device
2) Launch messaging app
3) Attach a MMS (Picture, capture video, capture picture, audio recording etc..)
4) Send

EXPECTED RESULTS:
No crash

OBSERVED RESULTS:
- Messaging crashes on sending MMS
- messages are stuck in sending state

Additional details:
  05-05 10:14:01.196  2457  2457 W Binder_3: type=1400 audit(0.0:20): avc:  denied  { write } for  path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
  05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!
  05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream.
  05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:674)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:650)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at android.content.ContentUris.parseId(ContentUris.java:85)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.222   659  5253 W ActivityManager:   Force finishing activity com.android.mms/.ui.ComposeMessageActivity

Bug: 14562421
Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9

Commit 3fbc536d allowed untrusted
app to read radio data files passed via binder, but didn't allow
write access. Write access is needed when sending MMS messages.

Steps to reproduce:
1) have some photos on the device
2) Launch messaging app
3) Attach a MMS (Picture, capture video, capture picture, audio recording etc..)
4) Send

EXPECTED RESULTS:
No crash

OBSERVED RESULTS:
- Messaging crashes on sending MMS
- messages are stuck in sending state

Additional details:
  05-05 10:14:01.196  2457  2457 W Binder_3: type=1400 audit(0.0:20): avc:  denied  { write } for  path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
  05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!
  05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream.
  05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:674)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:650)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at android.content.ContentUris.parseId(ContentUris.java:85)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.222   659  5253 W ActivityManager:   Force finishing activity com.android.mms/.ui.ComposeMessageActivity

Bug: 14562421
Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9

Bug: 13340779
Change-Id: I6151b6b61ddf90327d51815d13fd65be561be587

To see whether we can safely remove these allow rules on unlabeled files
since we now have restorecon_recursive /data in init.rc to fully relabel
legacy userdata partitions, audit all accesses on such files.

Exclude the init domain since it performs the restorecon_recursive /data
and therefore will read unlabeled directories, stat unlabeled files,
and relabel unlabeled directories and files on upgrade.  init may also
create/write unlabeled files in /data prior to the restorecon_recursive
/data being called.

Exclude the kernel domain for search on unlabeled:dir as this happens
during cgroup filesystem initialization in the kernel as a side effect
of populating the cgroup directory during the superblock initialization
before SELinux has set the label on the root directory.

Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles
subdirectory to /data/dalvik-cache with files that must be
app-writable.  As a result, we have denials such as:
W/Profiler( 3328): type=1400 audit(0.0:199): avc:  denied  { write } for  name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null)
W/auditd  (  286): type=1307 audit(0.0:199):  cwd="/"
W/auditd  (  286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0

We do not want to allow untrusted app domains to write to the
existing type on other /data/dalvik-cache files as that could be used
for code injection into another app domain, the zygote or the system_server.
So define a new type for this subdirectory.  The restorecon_recursive /data
in init.rc will fix the labeling on devices that already have a profiles
directory created.  For correct labeling on first creation, we also need
a separate change to installd under the same change id.

Bug: 13927667
Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).

It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.

As there is now only a single platform app domains, get rid of the
platformappdomain attribute and platform_app_domain() macro.  We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.

Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well.  However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses denials such as:
 avc:  denied  { read } for  pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { getattr } for  pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { read } for  pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { getattr } for  pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
 avc:  denied  { read } for  pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file

This does not allow write denials such as:
 avc:  denied  { write } for  pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file

Need to understand whether write access is in fact required.

Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This appears to have been created to allow untrusted_app to
access DownloadProvider cache files without needing to allow
open access to platform_app_data_file.  Now that platform_app_data_file
is gone, there is no benefit to having this type.

Retain a typealias for download_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

This change depends on:
https://android-review.googlesource.com/#/c/87801/



Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { call } for  pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc:  denied  { write } for  pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc:  denied  { write } for  pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc:  denied  { ptrace } for  pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc:  denied  { sigkill } for  pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc:  denied  { write } for  pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { unlink } for  pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { read write } for  pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { write } for  pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc:  denied  { read } for  pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

avc:  denied  { getattr } for  pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while.  The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>