This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
      this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
      Keymaster HAL interaction:
      make cts cts-tradefed
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7

This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.

Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.

Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with
      Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
      not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079

Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f

Bug: 35657600
Test: user build of Marlin starts with BT
Change-Id: Ic2380da66467b9b1c385da7d7fa10fddf4c7fae1

The 'overlay' service is the Overlay Manager Service, which tracks
packages and their Runtime Resource Overlay overlay packages.

Change-Id: I897dea6a32c653d31be88a7b3fc56ee4538cf178
Co-authored-by: Martin Wallgren <martin.wallgren@sonymobile.com>
Signed-off-by: Zoran Jovanovic <zoran.jovanovic@sonymobile.com>
Bug: 31052947
Test: boot the Android framework

This switches Dumpstate HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Dumpstate HAL.

Domains which are clients of Dumpstate HAL, such as dumpstate domain,
are granted rules targeting hal_dumpstate only when the Dumpstate HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_dumpstate are not granted to client domains.

Domains which offer a binderized implementation of Dumpstate HAL, such
as hal_dumpstate_default domain, are always granted rules targeting
hal_dumpstate.

Test: adb bugreport
Test: Take bugreport through system UI
Bug: 34170079

(cherry picked from commit 47174e3b)

Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27

This switches Dumpstate HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Dumpstate HAL.

Domains which are clients of Dumpstate HAL, such as dumpstate domain,
are granted rules targeting hal_dumpstate only when the Dumpstate HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_dumpstate are not granted to client domains.

Domains which offer a binderized implementation of Dumpstate HAL, such
as hal_dumpstate_default domain, are always granted rules targeting
hal_dumpstate.

Test: adb bugreport
Test: Take bugreport through system UI
Bug: 34170079
Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27

In the master external/ipsec-tools/{main.c, racoon.rc},
racoon doesn't call setuid, and doesn't have the setuid capability.

Bug: 35642293
Signed-off-by: Lucas Duffey <lucas.duffey@invapid.org>

This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.

Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
      with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079

Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1

The preview surface will run in app process and hal_camera will
need to wait on FD generated by preview surface.

Test: the denial is gone, able to take photo in
      messenger/hangout/drive application.
Bug: 35589980
Bug: 35485227
Change-Id: I1977174369b104617156065ff25203a17265b707

untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2

This removes the compile-time deprecation warning about
hal_impl_domain macro. The warning was introduced in
86e87806f5777a7fc09ea962e694442297e4f8d6. We don't want to spam all
Android platform developers about something internal to the ongoing
SELinux policy restructuring.

Test: Policy compiles without any warnings
Test: Google Play Movies plays back movies (i.e., DRM HAL works)
Bug: 34170079
Change-Id: Icbd4d1283196f7ccc84c2a041c5601113d3c9f21

For early mount we end up creating the device nodes for partitions
under /dev/block before selinux is initialized. Which means, that
restorecon_recursive on /dev/block will have to relabel these nodes
and their symlinks.

This change adds the rule to allow init do the same.

b/27805372

Test: boot marlin / sailfish with early mount device node creation
but mount partitions using the default 'mountall' without any selinux
denials.

Change-Id: Ib9335f3f961d485d2120a175dbdbf85d6f70b160
Signed-off-by: Sandeep Patil <sspatil@google.com>

dumpstate has CAP_SYS_PTRACE solely for the purpose of reading sensitive
/proc/PID files, not for using ptrace attach. Add an assert to ensure
that's the case.

Test: policy compiles.
Change-Id: I975308fae3f8e9a039b9efdc0e9605192b405ce7

This switches DRM HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of DRM HAL.

Domains which are clients of DRM HAL, such as mediadrmserver domain,
are granted rules targeting hal_drm only when the DRM HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting hal_drm
are not granted to client domains.

Domains which offer a binderized implementation of DRM HAL, such as
hal_drm_default domain, are always granted rules targeting hal_drm.

Test: Play movie using Google Play Movies
Test: Play movie using Netflix
Bug: 34170079
Change-Id: I3ab0e84818ccd61e54b90f7ade3509b7dbf86fb9

Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9

To determine if it is safe to run fsck on a filesystem, e2fsck
must first determine if the filesystem is mounted. To do that,
e2fsck scans through /proc/mounts and collects all the mounted
block devices. With that information, it runs stat() on each block
device, comparing the major and minor numbers to the filesystem
passed in on the command line. If there is a match, then the filesystem
is currently mounted and running fsck is dangerous.
Allow stat access to all block devices so that fsck can compare
major/minor values.

Addresses the following denials:

avc: denied { getattr } for comm="e2fsck" path="/dev/block/sde5"
dev="tmpfs" ino=15649 scontext=u:r:fsck:s0
tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file
permissive=0

avc: denied { getattr } for comm="e2fsck" path="/dev/block/sda25"
dev="tmpfs" ino=15528 scontext=u:r:fsck:s0
tcontext=u:object_r:modem_block_device:s0 tclass=blk_file permissive=0

avc: denied { getattr } for comm="e2fsck" path="/dev/block/sda31"
dev="tmpfs" ino=15552 scontext=u:r:fsck:s0
tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0

avc: denied { getattr } for comm="e2fsck" path="/dev/block/sdd3"
dev="tmpfs" ino=15600 scontext=u:r:fsck:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 35324014
Bug: 33781554
Test: device boots and no SELinux denials.
Change-Id: I5af4a334ec41952887914eec4eee5c60cc441a66

This switches Bluetooth HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Bluetooth HAL, such as bluetooth domain,
are granted rules targeting hal_bluetooth only when the Bluetooth HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bluetooth are not granted to client domains.

Domains which offer a binderized implementation of Bluetooth HAL, such
as hal_bluetooth_default domain, are always granted rules targeting
hal_bluetooth.

Test: Toggle Bluetooth off and on
Test: Pair with another Android, and transfer a file to that Android
      over Bluetooth
Test: Pair with a Bluetooth speaker, play music through that
      speaker over Bluetooth
Test: Add bluetooth_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/bluetooth_hidl_hal_test/bluetooth_hidl_hal_test
Bug: 34170079
Change-Id: I05c3ccf1e98cbbc1450a81bb1000c4fb75eb8a83

Because bootanimation uses the graphics mapper
HIDL service (which is always passthrough), it makes
a call to hwservicemanager to let it know it has
obtained a reference to it.

Bug: 35207188
Test: no more denials from bootanim
Change-Id: I99ea57a0d7777cb84eeaca26426ea38bf72ee933

This switches Camera HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Camera HAL.

Domains which are clients of Camera HAL, such as cameraserver domain,
are granted rules targeting hal_camera only when the Camera HAL runs
in passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_camera are
not granted to client domains.

Domains which offer a binderized implementation of Camera HAL, such
as hal_camera_default domain, are always granted rules targeting
hal_camera.

Test: Take non-HDR photo using Google Camera app
Test: Take HDR photo using Google Camera app
Test: Record video using Google Camera app
Bug: 34170079
Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e

Bug: http://b/34978531
Bug: http://b/35209835
Test: debuggerd -b `pidof zygote`
Change-Id: I0611cd4f8d4893740ef8787df09d296b2f7ed97f

This set of rules is neeeded to allow vr_windows_manager to run
successfully on the system.

Bug: 32541196
Test: `m -j32` succeeds. Sailfish device boots.
Change-Id: I0aec94d80f655a6f47691cf2622dd158ce9e475f

This starts the switch for HAL policy to the approach where:
* domains which are clients of Foo HAL are associated with
  hal_foo_client attribute,
* domains which offer the Foo HAL service over HwBinder are
  associated with hal_foo_server attribute,
* policy needed by the implementation of Foo HAL service is written
  against the hal_foo attribute. This policy is granted to domains
  which offer the Foo HAL service over HwBinder and, if Foo HAL runs
  in the so-called passthrough mode (inside the process of each
  client), also granted to all domains which are clients of Foo HAL.
  hal_foo is there to avoid duplicating the rules for hal_foo_client
  and hal_foo_server to cover the passthrough/in-process Foo HAL and
  binderized/out-of-process Foo HAL cases.

A benefit of associating all domains which are clients of Foo HAL with
hal_foo (when Foo HAL is in passthrough mode) is that this removes the
need for device-specific policy to be able to reference these domains
directly (in order to add device-specific allow rules). Instead,
device-specific policy only needs to reference hal_foo and should no
longer need to care which particular domains on the device are clients
of Foo HAL. This can be seen in simplification of the rules for
audioserver domain which is a client of Audio HAL whose policy is
being restructured in this commit.

This commit uses Audio HAL as an example to illustrate the approach.
Once this commit lands, other HALs will also be switched to this
approach.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20

hal_*_default daemons whose policy is in common/device-agnostic policy
are provided by the vendor image (see vendor/file_contexts). Thus,
their policy should also reside in the vendor image, rather than in
the system image. This means their policy should live in the vendor
subdirectory of this project.

Test: Device boots and appears to work
Bug: 34135607
Bug: 34170079
Change-Id: I6613e43733e03d4a3d4726f849732d903e024016

Fixes type=1400 audit(0.0:3901): avc: denied { open } for comm="crash_dump32" path="/data/app/com.chrome.canary-H8gGiCrQUqTZha2IybgrlA==/base.apk" dev="sda35" ino=1384523 scontext=u:r:crash_dump:s0:c522,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

Bug: http://b/34978531
Change-Id: I0374145f71059c3f104055bf4e8dcf08b1101f2a

Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion.

Place untrusted apps with targetSdkVersion<=25 into the
untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed
into the untrusted_app domain. Common rules are included in the
untrusted_app_all attribute. Apps with a more recent targetSdkVersion
are granted fewer permissions.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Bug: 35323421
Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083

Update shell.te to reflect the fact that hwbinder_user permission is for
lshal, not dumpsys.

Bug: 33382892
Test: pass
Change-Id: I1d298261cea82177436a662afbaa767f00117b16

Bug: 35210697
Test: manual
Change-Id: I0e1e8923851f668d5fe6c210f411a8e4ff0470c7

On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.

See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103

The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.

The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.

Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .

This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.

Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e

Bug: 31399200
Test: Compiles
Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57

avc: denied { read } for name="modalias" dev="sysfs" ino=17624 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Test: Marlin builds and boots without this denial.
Bug: 35197529
Change-Id: I3b64db571ac10c843f3765ed557ceac07bc6580e

Make the policy smaller and less noisy on user builds by suppressing
auditallow rules.

Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Iddf6f12f8ce8838e84b09b2f9f3f0c8b700543f5

auditallows have been in place for a while, and no obvious denials.
Remove domain_deprecated from init.te

While I'm here, clean up the formatting of the lines in
domain_deprecated.te.

Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Ia12e77c3e25990957abf15744e083eed9ffbb056

Grant observed uses of permissions being audited in domain_deprecated.

fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir

sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file

update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir

vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir

Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424

Addresses the following auditallow spam:

avc: granted { getattr } for comm="init"
path="/data/app/com.sling-1/lib/x86/libavcodec-56.so" dev="mmcblk0p11"
ino=32607 scontext=u:r:init:s0 tcontext=u:object_r:apk_data_file:s0
tclass=file

Test: policy compiles.
Change-Id: I81775f8de93f0b4334279e9f5e19d27e6171616f

Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.

Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:

  * system_server
  * system_app (apps which run as UID=system)
  * netmgrd
  * radio

This change:

1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limit write access to system_server.

In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.

Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38

Bug: 30989383
Bug: 34731101
Test: manual
Change-Id: Icf9d48568b505c6b788f2f5f456f2d709969fbeb

Init has access to a number of character devices inherited via
domain.te. Exclude those character devices from the auditallow
logging.

In addition, init has access to a number of character devices explicitly
listed in init.te. Exclude those from auditallow logging too.

Addresses various auditallow spam, including:

avc: granted { read open } for comm="init" path="/dev/urandom"
dev="tmpfs" ino=1197 scontext=u:r:init:s0
tcontext=u:object_r:random_device:s0 tclass=chr_file

avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs"
ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0
tclass=chr_file

avc: granted { read } for comm="init" name="keychord" dev="tmpfs"
ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0
tclass=chr_file

avc: granted { read open } for comm="init" path="/dev/keychord"
dev="tmpfs" ino=1326 scontext=u:r:init:s0
tcontext=u:object_r:keychord_device:s0 tclass=chr_file

and others not covered above.

Bug: 35197529
Bug: 33347297
Test: policy compiles and no auditallow denials.
Change-Id: Id869404a16c81c779943e9967eb32da226b6047e

Change-Id: I19d65a83c5c3f42296e8cd8a425bf1f64651068f
related-to-bug:32815560

This leaves only the existence of binderservicedomain attribute as
public API. All other rules are implementation details of this
attribute's policy and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with *_current targets
      referenced in binderservicedomain.te.
Bug: 31364497
Change-Id: Ic830bcc5ffb6d624e0b3aec831071061cccc513c

Bug: 35097918
Test: manual
Change-Id: I84a1eaae99ebd04f0f8a6990b2f85ed7f2e11182