Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:

<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file

path=/dev/ashmem (deleted)

Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d

In https://android-review.googlesource.com/66562 , there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.

Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f

Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.

Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ic500af7b9dac6a9b6401e99c3d162913e9989d9b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88

Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.

Change-Id: I729d224347a003eaca29299d216a53c99cc3197c

Change-Id: I889e8eb1851b01ac9a8c8789ba1cc56c9154cecd

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.

Change-Id: Idc475901ed437efb325807897e620904f4ff03e9

The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.

Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.

Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder.  Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.

Allow reading of properties area, which is now created before init has switched contexts.  Revisit this later - we should explicitly label the properties file.