Needed for jemalloc commit:

2f970c32b527660a33fa513a76d913c812dcf7c
Modify pages_map() to support mapping uncommitted virtual memory.

avc: denied { read } for name="overcommit_memory" dev="proc" ino=10544
scontext=u:r:wificond:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 29773242
Change-Id: I78054c1ed576a7998c4ee1d1beca2f610c589c3a

Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799



Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Change-Id: I60fb7a90e24628e0370c3bca57644451fce5646d
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>

Only used by Flounder.

Bug: 8435593
Change-Id: I06655e897ab68a1724190950e128cd390617f2bd

In order to allow set_prop() to function with platform_apps,
the property_socket file requires mlstrustedobject since
platform app uses category sets.

This does not allow untrusted_app access, as the following
neverallows still prevent type access:

untrusted_app.te:118:neverallow untrusted_app property_socket:sock_file write;
untrusted_app.te:120:neverallow untrusted_app property_type:property_service set;

Lastly, the internal socket to property_service is labeled with init
which is mlstrustedsubject, so no changes are required there.

Change-Id: I47296a2dc24b16785fd296deea7a54ae9966226a
Signed-off-by: William Roberts <william.c.roberts@intel.com>

It's only used by the emulators, never by core policy.
Move the definition to the emulators.

Bug: 28221393
Change-Id: I7ca56e04d611cfccde507313ba9c2a0a71d54d06

postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5

We decided a different approach for these policies in the
meeting today.

This reverts commit 5507fa66.

Bug: 28008031
Change-Id: Id86520660bdbc3fc36ac4acf51082547d6a559eb

update_engine had an automatic transition to the "postinstall" domain
when executing a "postinstall_file" which required it to be an
entrypoint. This patch removes this automatic transition and the
associated rules in update_engine.te, removing as well the need to
add exec_type to postinstall_file. Instead, update_engine now makes
this transition explicit by calling setexeccon(3).

Bug: 28008031
TEST=make dist; Deployed an update to edison-eng: postinstall runs as "postinstall" domain.

Change-Id: I2b799ac4808c90b010a9e776aaa7015020a94b49

To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.

type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

BUG=23093747

Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1

/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.

Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f

sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

(cherry-pick of internal commit: 98eff7c3)

Bug: 27809332
Change-Id: I6f812a7e281e348aa24c76b119e71ed95e1a1d9f

One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.

Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac

HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

(cherry-pick from internal commit: 85c0f8af)

Bug: 27263241
Change-Id: If572ad0931a534d76e148b688b76687460e99af9

Remove references to /data/security and the corresponding
type securitly_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6

When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4

Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

(cherry-pick of internal commit: 971aeeda)

Bug: 22032619
Chromium Bug: 586021

Change-Id: I2dcb2d4800bbc92ea47c37d4fd7a10f827a0114c

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

/data/misc/bootstat.

BUG: 21724738
Change-Id: I2789f57cc8182af1a7c33672ef82297f32f54e2e

Shell user needs to be able to get current device battery_level via
/sys/class/power_supply/battery/capacity.  Create a global label and
corresponding policy for accessing this.  Rely on each device to label
the appropriate sysfs entry.

Bug: 26219114
Change-Id: I2c5ef489a9db2fdf7bbd5afd04278214b814351c

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d

Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18

The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).

Bug: 25612377

Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993

1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has it's own special label. This allows us to distinguish
these files from other files in SELinux policy.

2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.

3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.

Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413

This CL adds the SELinux settings required to support tracing
during boot.
https://android-review.googlesource.com/#/c/157163/

BUG: 21739901
Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0

Bug: 18068520
Bug: 21852542
Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049

This reverts commit 2dabf174.

Change-Id: I7e35a6ea1b8d5958c65eb04a7c9a04ba807b1181

Bug: 18068520
Bug: 21852542
Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff

/proc/iomem is currently given the proc label but contains system information
which should not be available to all processes.

Bug: 22008387
Change-Id: I4f1821f40113a743ad986d13d8d130ed8b8abf2f

(cherry pick from commit 0d22c6ce)

- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5

- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5

Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef

Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.

Also let vold create new directories under it's private storage area
where the benchmarks will be carried out.  Mirror the definition of
the private storage area on expanded media.

avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f

Bug:20182139
Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868

Bug: 19483574
(cherry picked from commit 7d66f783)

Change-Id: If617e29b6fd36c88c157941bc9e11cf41329da48

Bug: 19483574
Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5