Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

(cherrypick of commit 47bd7300)

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53

dumpstate and lmkd need to act on apps running at any level.

Various file types need to be writable by apps running at any
level.

Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e

As of sepolicy commit a16a59e2
(https://android-review.googlesource.com/94580), adf_device
and graphics_device have the exact same security properties.

Merge them into one type to avoid a proliferation of SELinux
types.

Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95

ADF is a modern replacement for fbdev.

ADF's device nodes (/dev/adf[X]), interface nodes
(/dev/adf-interface[X].[Y]), and overlay engine nodes
(/dev/adf-overlay-engine[X].[Y]) are collectively used in similar
contexts as fbdev nodes.  Vendor HW composers (via SurfaceFlinger) and
healthd will need to send R/W ioctls to these nodes to prepare and
update the display.

Ordinary apps should not talk to ADF directly.

Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>

Change-Id: Ibeeec6637022ee8bc9868e102b3d55e3b0d4762c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: If4de8d3515727c0b2f95c88c1125410d9894a9ba
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

powervr_device is obsoleted by the more general gpu_device.
akm_device and accelerometer_device are obsoleted by the more
general sensors_device.

We could also drop the file_contexts entries altogether and
take them to device-specific policy (in this case, they all
came from crespo, so that is obsolete for master).

Change-Id: I63cef43b0d66bc99b80b64655416cc050f443e7d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This label was originally used for Motorola
Xoom devices. nvmap is the tegra gpu memory
manager and the various nvhost drivers are
for tegra graphics related functionality,
i.e. display serial interface, image signal
processor, or media processing stuff.

Only grouper and tilapia presently need this
policy.

Change-Id: I2a7000f69abf3185724d88d428e8237e0ca436ec

Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc:  denied  { getattr } for  pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc:  denied  { open } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc:  denied  { write } for  pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { remove_name } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { unlink } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.

Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f

klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.

Change-Id: I729d224347a003eaca29299d216a53c99cc3197c

This reverts commit 69fbbdd5.

Some of these will get factored out into device-specific
configs later.

Change-Id: I359915e2607b56112bb22456d28e06c162fcbdff

This reverts commit e7e54fac

Change-Id: I26b577cf46a0eaccf6adf7ae851383a10bf03b4b

This reverts commit 1c101164

Restoring now that the conflict with tuna has passed.

Change-Id: I587dab8d7102c913fc03825a006e96d76680858d

This reverts commit f51e9007

Looks like this caused a build breakage in master, may have a duplicate rule from AOSP.

Change-Id: I4ea83a47baec4ffa2840b5fe50b6f55e1eeda53c

Some of these will get factored out into device-specific
configs later.

Change-Id: I7ea9c22a666b13bca2d867e5bcc7084ed7129de3

- Remove dac_read_search as it is no longer required by run-as.
- Introduce a separate type for /dev/tty so that we can allow use of own tty for
for a run-as shell without allowing access to other /dev/tty[0-9]* nodes.
- Allow sigchld notifications for death of run-as and its descendants by adbd.
- Drop redundant rules for executing shell or system commands from untrusted_app;
now covered by rules in app.te.

Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c

timerirq_device has been removed in favor
of using the existing sensors_device domain.

Change-Id: I503e4a511c2901890356559c0afb971392b4ec6f
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

- Remove dac_read_search as it is no longer required by run-as.
- Introduce a separate type for /dev/tty so that we can allow use of own tty for
for a run-as shell without allowing access to other /dev/tty[0-9]* nodes.
- Allow sigchld notifications for death of run-as and its descendants by adbd.
- Drop redundant rules for executing shell or system commands from untrusted_app;
now covered by rules in app.te.

Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c

timerirq_device has been removed in favor
of using the existing sensors_device domain.

Change-Id: I503e4a511c2901890356559c0afb971392b4ec6f
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Change-Id: Ie9b391283362fb6930f1ae858f0a879835c91e32

Change-Id: Ie9b391283362fb6930f1ae858f0a879835c91e32

Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

iio: Industrial I/O subsystem
usb_accessory: accessory protocol for usb

Allow system access in both cases.

Change-Id: I02db9775ec2ddaaeda40fae6d5e56e320957b09c
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>

Allow device node access irrespective
of MLS restrictions. Third party apps
(untrusted_app) domains need access too.

Change-Id: I132b8201bccb1ff31dc0c15a735f81f645c9836d

Initial policy for racoon (IKE key management).

Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479

Initial policy for software watchdog daemon
which is started by init.

Change-Id: I042a5b1698bf53ce2e50ea06851c374e5123ee2c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.

Actually, some of policies related to qtaguid have been there already, but
we refind existing ones and add new ones.