Previously appdomains allowed to execute off of /data
where whitelisted. This had the unfortunate side effect of
disallowing the creation of device specific app domains
with fewer permissions than untrusted_app. Instead grant
all apps a neverallow exemption and blacklist specific app
domains that should still abide by the restriction.

This allows devices to add new app domains that need
/data execute permission without conflicting with this rule.

Bug: 26906711

(cherry picked from commit c5266df9)

Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924

To avoid audit messages that arise because there is no way to create a
file without also trying to open and read it.

Bug: 28241500
Change-Id: Id1daaf190b36eda9775e00701cd7241991f65a2a

camera_device was previously removed in AOSP commit: b7aace2d
"camera_device: remove type and add typealias" because the
same domains required access to both without exception, meaning
there was no benefit to distinguishing between the two. However,
with the split up of mediaserver this is no longer the case and
distinguishing between the camera and video  provides a legitimate
security benefit. For example, the mediacodec domain requires access
to the video_device for access to hardware accelerated codecs but does
not require access to the camera.

Bug: 28359909
Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232

Allow adbd and app domains to read the symlink at /mnt/sdcard.
This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on.

Read access for this symlink was removed from adbd and the shell user in
8ca19368, and from untrusted_app in
cbf7ba18.

Addresses the following denials:

  avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
  avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 25801877
Bug: 28108983
Change-Id: Ia31cd8b53c9c3a5b7d11be42c2fde170f96affb0

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d

... and client apps to read them.

A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047

Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b

Bug: 27511071
Change-Id: I99ea21638a4df8ad1f815d91bb970e1f8f143030

- Required to query cpusets information.

Bug: 22855417
Bug: 27381794
Bug: 27498731

Change-Id: I6d192aad2135d99a6c9cdaf97696b0822bd21897

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e

Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573

(cherry picked from commit 9a1347ee)

Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked.  To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d

Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls

Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7

Bug: 26719109
Bug: 26563023

Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995

Large numbers of denials have been collected.  Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.

(cherry-pick from commit: 0b80f4dc)

Change-Id: I11b9b159702fb2d50d4352f9cd8b68503d07222a

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0

Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6

Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496

Renderscript needs the ability to read directories on
/system. Allow it and file/symlink read access.

Addresses the following denials:
  RenderScript: Invoking /system/bin/ld.mc with args '/system/bin/ld.mc -shared -nostdlib
    /system/lib64/libcompiler_rt.so -mtriple=aarch64-none-linux-gnueabi
    --library-path=/system/vendor/lib64 --library-path=/system/lib64
    -lRSDriver -lm -lc
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/primitives.o
    -o
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/librs.primitives.so'
  ld.mc   : type=1400 audit(0.0:1340): avc: denied { read } for name="lib64" dev="mmcblk0p24" ino=212 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  ld.mc   : type=1400 audit(0.0:1341): avc: denied { read } for name="lib64" dev="mmcblk0p29" ino=1187 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  RenderScript: Child process "/system/bin/ld.mc" terminated with status 256

Change-Id: I9fb989f66975ed553dbc0c49e9c5b5e5bc45b3c3

Address the following:
01-21 13:35:41.147  5896  5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152  5896  5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152  5896  5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152  5896  5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed

and

01-22 08:58:47.667  7572  7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671  7498  7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671  7498  7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13

Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38

Strengthen neverallow rule to enforce that no apps may write to
system_data_file - the default label for /data/

Change-Id: I886e4340f300551754c9e33e9c1764fb730b6b14

camera_device didn't really offer much in terms of control considering
that most domains that need camera_device, also need video_device and
vice versa.

Thus, drop camera_device from the policy and add a temporary typealias.

Change-Id: I144c0bb49a9a68ab1bdf636c64abe656f3e677b4
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Previously granted to only untrusted_app, allow all apps except
isolated_app read write permissions to tun_device.

avc: denied { read write } for path="/dev/tun" dev="tmpfs" ino=8906 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file

Bug: 26462997
Change-Id: Id6f5b09cda26dc6c8651eb76f6791fb95640e4c7

and as a consequence open up for other appdomains (e.g. platform_app)
to write system properties.

Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7

su is in permissive all the time. We don't want SELinux log
spam from this domain.

Addresses the following logspam:

  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0

Not actually needed as demonstrated by the auditallow rule.

Change-Id: Ia92c82ec237ab3490a1d51fa3371778e43e09504

Exempt bluetooth which has net_admin capability.

Allow Droidguard to access the MAC address - droidguard runs in
priv_app domain.

Change-Id: Ia3cf07f4a96353783b2cfd7fc4506b7034daa2f1

Bug: 22032619
Change-Id: Ic160e0beef353c6dc5fb5e2d6a09a5628f067fe3

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.

Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1

Allow directory reads to allow tab completion in rootfs to work.

"pm" is crashing due to failure to access /data/dalvik-cache. Add
back in the permissions from domain_deprecated.

Allow /sdcard to work again.

Bug: 25954400
Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73

Addresses the following denial:

  avc: denied { write } for path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=716 scontext=u:r:shell:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=0

which started occurring because of https://android-review.googlesource.com/184260

Bug: 25945485
Change-Id: I6dcfb4bcfc473478e01e0e4690abf84c24128045

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18

The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).

Bug: 25612377

Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993

Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.

Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d

Remove ptrace from app.te, and only add it to the app domains
which explicitly require it.

Change-Id: I327aabd154ae07ce90e3529dee2b324ca125dd16

Change-Id: I455fe33345dd1ae8dc49cb7b70cbf1e7c1b3e271

This permission appears to be unnecessary on some (most?) devices such
as the Nexus 5. It should be moved to the device policy if it's truly
required by the driver.

Change-Id: I531dc82ba9030b805db2b596e145be2afb324492

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I34db8855a55426f6a590a89cc6c157e1ccd50ff9