Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.

healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.

Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29

Change-Id: Id1eb5f7524181aaa17d0ce26219167a5b05cfd4f

When setting a static wallpaper on multiple devices the
following denials were encountered.
   avc:  denied  { getattr } for  pid=1775 comm="llpaper_chooser" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:shared_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file
   avc:  denied  { getattr } for  pid=799 comm="ndroid.systemui" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:platform_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file
   avc:  denied  { getattr } for  pid=1909 comm=4173796E635461736B202332 path="/data/system/users/0/wallpaper" dev="mmcblk0p28" ino=586422 scontext=u:r:release_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

platform_app access is from the SystemUI app whereas the other
denials are from the Launcher that is used on the particular
device. For instance, Launcher2 triggers the shared_app denial
whereas release_app (used by Launcher3) triggers the other denial.
Because of this, add the rule to all appdomains.

The static wallpaper is still set without this change. Just add
the rule to avoid the noise in the logs.

Change-Id: Ida84d1695d52379d67b87318403f629fd07109a4
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

When adbd runs as root, it transitions into the
su domain. Add the various rules to support this.

This is needed to run the adbd and shell domains in
enforcing on userdebug / eng devices without breaking
developer workflows.

Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6

The kernel bug that required healthd to remain permissive was fixed by
I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2.

Change-Id: Iff07b65b943cadf949d9b747376a8621b2378bf8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

init creates a private /dev/null instance named /dev/__null__
that is inherited by healthd.  Since it is created prior to
initial policy load, it is left in the tmpfs type.
Allow healthd to inherit and use the open fd.

Change-Id: I525fb4527766d0780457642ebcc19c0fcfd1778c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses the following denial.
  avc:  denied  { create } for  pid=605 comm="Binder_2" name="IDM1013" scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_data_file:s0 tclass=dir

Witnessed denial on grouper. Policy change
seems appropriate for core policy though. To
reproduce:
* erase data partition or just delete all dirs
  under /data/mediadrm
* start netflix app and watch a movie

Change-Id: I515a195d45223249847fae70dc2ea9c9b216042f
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.

Two bugs here:

1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.

2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.

Addresses the following denials:

<5>[  149.342181] type=1400 audit(1389419775.872:17): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.371844] type=1400 audit(1389419775.902:18): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.980161] type=1400 audit(1389419776.512:22): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.095066] type=1400 audit(1389419776.622:23): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.096748] type=1400 audit(1389419776.632:24): avc:  denied  { getattr } for  pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.097090] type=1400 audit(1389419776.632:25): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  154.545583] type=1400 audit(1389419781.072:43): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.000877] type=1400 audit(1389419782.532:44): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.022567] type=1400 audit(1389419782.552:45): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.043463] type=1400 audit(1389419782.572:46): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.062550] type=1400 audit(1389419782.592:47): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3

Previous bluetooth denials should be addressed by
I14b0530387edce1097387223f0def9b59e4292e0.

Change-Id: I5c6b44a142a7e545230b89df9c4500ce2fab4ab6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Re-purpose the existing bluetooth_socket type, originally
for /dev/socket/bluetooth used by bluetoothd in the old
bluetooth stack, for sockets created by bluedroid under
/data/misc/bluedroid, and allow mediaserver to connect
to such sockets.  This is required for playing audio
on paired BT devices.

Based on b/12417855.

Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

These are all symlinks. The restorecon in /sys doesn't follow
symlinks, so these lines have absolutely no effect, and just
serve to confuse people.

Remove them.

Change-Id: I24373fa0308ec700011ed19b1ce29a491d1feff3

powervr_device is obsoleted by the more general gpu_device.
akm_device and accelerometer_device are obsoleted by the more
general sensors_device.

We could also drop the file_contexts entries altogether and
take them to device-specific policy (in this case, they all
came from crespo, so that is obsolete for master).

Change-Id: I63cef43b0d66bc99b80b64655416cc050f443e7d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I35728c4f058fa9aeb51a7960395759590e20b083
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I27c62a7ab7223eb74f44a78c273dd97f1380bc61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Idc26aadd0add9f39447d51a1d82a55a957a88e9a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ie7414b49eac92f7d57789cc3082dbce774561126
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 43ddc106.

Change-Id: Id2d2c02ccf6ac38c48b07ab84b73348cd9c815fa

The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 89740a69.

Change-Id: Ie060cff0de8cbd206e0e55e196021726e52246c7

Change-Id: Ie3d73d2c8d5c73e8bd359123f6fd3c006f332323
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Requires execmem and ashmem_device:chr_file execute similar to bootanim
presumably for the display.

Did not see any cache_file execute denials and do not see any
exec of /cache files in the code, only reading/interpreting scripts,
so I removed cache_file rx_file_perms.

Did not see any tmpfs execute denials in /proc/last_kmsg but the
source code appears to extract the update-binary to a tmpfs mount
in /tmp and then exec it.  So I retained that rule.

Tested with adb sideload.

Change-Id: I8ca5f2cd390be1adf063f16e6280cc4cd1833c0e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ic5aae78d575dba50d0a4bb78747da3ba4b81fb7b

Define a domain for use by the recovery init.rc file for
/sbin/recovery.  Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.

Change-Id:  Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is required for the grouper sepolicy, where we must allow
bluetooth domain to write to the base sysfs type due to a kernel bug.

Change-Id: I14b0530387edce1097387223f0def9b59e4292e0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

adbd uses setpcap to drop capabilities from the bounding
set on user builds. See system/core commit
080427e4e2b1b72718b660e16b6cf38b3a3c4e3f

Change-Id: I6aec8d321b8210ea50a56aeee9bc94738514beab

Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858

As discussed in https://android-review.googlesource.com/78634 , the removal of execmem may cause OTA problems. Not sure...

Revert this patch to give us more time to investigate.

This reverts commit 4e416ea4.

Change-Id: Ie05f90235da5b9ee20b374298494cbc0a58b9b49

The following CTS tests are failing on nakasig-userdebug

Failing tests
android.bluetooth.cts.BasicAdapterTest#test_enableDisable
android.bluetooth.cts.BasicAdapterTest#test_getAddress
android.bluetooth.cts.BasicAdapterTest#test_getBondedDevices
android.bluetooth.cts.BasicAdapterTest#test_getName
android.bluetooth.cts.BasicAdapterTest#test_listenUsingRfcommWithServiceRecord

Logs
=====
junit.framework.AssertionFailedError: expected:<11> but was:<10>
at android.bluetooth.cts.BasicAdapterTest.enable(BasicAdapterTest.java:278)
at android.bluetooth.cts.BasicAdapterTest.test_enableDisable(BasicAdapterTest.java:128)
at java.lang.reflect.Method.invokeNative(Native Method)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:191)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:176)
at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:554)
at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1701)

Reverting this change until we get a proper fix in place.

SELinux bluetooth denials:

nnk@nnk:~$ grep "avc: " Redirecting.txt | grep bluetooth
<5>[  831.249360] type=1400 audit(1389206307.416:215): avc:  denied  { write } for  pid=14216 comm="BluetoothAdapte" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  834.329536] type=1400 audit(1389206310.496:217): avc:  denied  { write } for  pid=14218 comm="BTIF" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file

This reverts commit 2eba9c5f.

Bug: 12475767
Change-Id: Id4989f6b371fa02986299114db70279e151ad64a