keystore may hold sensitive information in it's memory. Don't
allow anyone to ptrace keystore.

Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f

Bug: 15021938
Change-Id: Id815640302efde3ae089da33ff8e2cb7daee8bfd

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

Conflicts:
	debuggerd.te

Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

- Add write_logd, read_logd and control_logd macros added along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8

Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: If5b7206192cf93d9989b734304db0374429c04d5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I09932cdd59f9d3a38e69df9fcfc34cc9cec1d8cd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

In 0c9708b2, we removed relabelto
from unconfined.te.  This broke debuggerd.  Fixed.

type=1400 audit(1373668537.550:5): avc:  denied  { relabelto } for  pid=44 comm="debuggerd" name="tombstones" dev="mtdblock1" ino=71 scontext=u:r:debuggerd:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir

Change-Id: Ic025cbc030d6e776d9d87b1df3240fdc5f0b53d5

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>