- Oct 31, 2018
Nick Kralevich authored
This reverts commit 0dd738d8.

Reason for revert: CtsSimpleperfTestCases CTS test case failures. See b/118704604 for details.

Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
- Oct 29, 2018
Nick Kralevich authored
untrusted_app: Remove the ability to run execve() on files within an application's home directory. Executing code from a writable /home directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX). Additionally, loading code from application home directories violates a security requirement that all executable code mapped into memory must come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor from the app's home directory. In particular, functionality like dlopen() on files in an app's home directory continues to work even after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility, continue to allow these domains to execve() files from the application's home directory.

seapp_contexts: Bump the minimum API level required to enter the untrusted_app domain. This will run API level 27-28 processes in the API level 27 sandbox. API level 28 will continue to run with levelFrom=all, and API level 27 will continue to run with levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
- Oct 26, 2018
Nick Kralevich authored
The current rule is missing mmap. r_file_perm implicitly adds mmap, so we should just use that instead.

Test: policy compiles.
Change-Id: I4051d1eb4c36a2b6ff2b5f26ce53355287cbe2b4
Risan authored
We are moving AppFuse mount from system_server's mount namespace to vold. Hence, we could reduce the SELinux permissions given to system_server, at the expense of adding allow rules to vold and letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and system_server code changes)
Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
Tri Vo authored
Remove blanket coredomain access to same_process_hal_file in favor of granular access. This change takes into account audits from go/sedenials (our internal dogfood program).

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
Jiyong Park authored
apexd is using the following additional ioctl cmds to mount the mini filesystem inside APEXs:

LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD

Test: m; m apex.test; adb push <the_built_apex> /data/apex; adb reboot
/apex/com.android.example.apex exists
Change-Id: I68388cc4f323e4fcff370c8cdc0958cbd827e9cc
Tri Vo authored
/dev/tegra.* is not used in android platform and is device-specific.

Bug: 110962171
Test: boot walleye
Change-Id: I4cc790d28457b429a3ed9829de223dae357eb498
- Oct 25, 2018
Jiwen 'Steve' Cai authored
Bug: 118124442
Test: device can boot with android.frameworks.bufferhub@1.0-service running
Change-Id: I1d186d5350671b0d2dd4e831429b8fba828316e0
- Oct 24, 2018
Anton Hansson authored
I found these with the regex (?<!\\)\.(?!\*|\+)

Test: make
Change-Id: I1c2e817d164b1074cb359cdb6d46bcf71e220765
Tom Cherry authored
Historically, vendor-init-actionable was created since the various property_contexts files were not yet available when init parses its scripts. Since then, the property_contexts files are now always available when init parses its scripts, so we can collapse these two categories.

Specifically, this change ensures that all of the properties in the previous 'stable_properties.h' file in init, which contained the vendor-init-actionable properties, are able to be read by init according to SEPolicy.

Bug: 71814576
Test: vendor_init fails to use non-readable properties as a trigger
Test: vendor_init successfully uses readable properties as a trigger
Change-Id: Ic6d9919b6047f3076a1a19fc26295c6a77aca627
- Oct 23, 2018
Sudheer Shanka authored
Bug: 118185801
Test: bug no. appears in the denial logs
Change-Id: Ib1d1bbbdf25e0e63ac8a7dec98aca08cafc3f870
Anton Hansson authored
Copied from device/google/crosshatch-sepolicy.

Test: diff files in system/etc/selinux before and after for aosp_marlin
Change-Id: I518c43af9c217483bdab02424e4aef0270aad366
ji, zhenlong z authored
This is used to address a CTS testcase failure. This CTS testcase needs to access the content of Contact; some data from ContactProvider is transferred through ashmem. Currently ashmem is backed by the tmpfs filesystem, and ContactProvider in android runs as a priv_app, so the file context of the ashmem created by ContactProvider is priv_app_tmpfs. CTS runs as an untrusted_app and needs to be granted the read permission to the priv_app_tmpfs files.

Bug: 117961216

[Android Version]: android_p_mr0_r0
[Kernel Version]: 4.19.0-rc8
[CTS Version]: cts-9.0_r1
[Failed Testcase]: com.android.cts.devicepolicy.ManagedProfileTest#testManagedContactsPolicies
[Error Log]:
11-11 11:15:50.479 12611 12611 W AndroidTestSuit: type=1400 audit(0.0:811): avc: denied { read } for path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=174636 scontext=u:r:untrusted_app:s0:c113,c256,c522,c768 tcontext=u:object_r:priv_app_tmpfs:s0:c522,c768 tclass=file permissive=0
[Test Result With This Patch]: PASS

Change-Id: I45efacabe64af36912a53df60ac059889fde1629
- Oct 18, 2018
Nick Kralevich authored
Start enforcing the use of ioctl restrictions on all Android block devices. Domains which perform ioctls on block devices must be explicit about what ioctls they issue. The only ioctls allowed by default are BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.

Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
Nick Kralevich authored
Remove most of /proc/net access for priv_apps. Files in /proc/net leak unique device identifiers and side channel information about other apps' network connections. Access for most third party applications was removed in commit d78e07cb. This change applies the same constraints to priv-apps that we apply to normal apps.

Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3
Nick Kralevich authored
No functional change. This reorg just makes it easier to perform diffs against https://github.com/SELinuxProject/refpolicy/blob/master/policy/flask/access_vectors

Test: policy builds.
Change-Id: I10cf9547d57981c76ee7e76daa382bb504e36d0b
Jiyong Park authored
apexd uses realpath(3) to ensure that the public key file that it will use is under the /system/etc/security/apex directory. In order to support it, allow apexd to getattr on apex_key_files.

The canonicalization is required because the key name from APEX might be wrong. For example, if the key name from an APEX is '../../some/path' then apexd will use '/system/etc/security/apex/../../some/path' as the public key file, which is incorrect.

Bug: 115721587
Test: m apex.test; m /apex/com.android.example.apex@1 exists
Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67
- Oct 17, 2018
Nick Kralevich authored
Addresses the following denial:

type=1400 audit(0.0:51894): avc: denied { ioctl } for comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=30291 ioctlcmd=0x6782 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0 app=com.android.providers.media

Test: policy compiles.
Change-Id: I5290abb2848e5824669dae4cea829d4cbea98ab4
Dario Freni authored
Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
- Oct 16, 2018
Bowgo Tsai authored
Input config should be under /odm when it's "device-specific", instead of /vendor (for "SoC-specific"). However, not all devices have an /odm partition, so having the fallback symlink /odm -> /vendor/odm is important.

Bug: 112880217
Test: build
Change-Id: I294e2b172d06d58a42c51c128e448c7644f854dc
- Oct 15, 2018
Chong Zhang authored
Add a service in mediaswcodec to load updated codecs, and restrict it to userdebug/eng.

Reuse existing mediaextractor_update_service since the codec update service is identical; this avoids adding a new one for now as we may not need the service anymore after switching to APEX.

Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
Florian Mayer authored
This does not actually grant any permissions but just adds the necessary boilerplate for a new service.

Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
- Oct 13, 2018
Tri Vo authored
same_process_hal_file is exempted from many Treble neverallows. We want to know which processes access this type to eventually constrain access to it.

Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
- Oct 12, 2018
Tri Vo authored
We add this type with the intent to expose /system/bin/tcpdump to vendor on userdebug devices only.

Bug: 111243627
Test: device boots, /system/bin/tcpdump correctly labeled as tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
Siarhei Vishniakou authored
Input device configuration files .idc, .kl that are placed in /vendor are currently not accessible. Allow the read access here.

Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
- Oct 11, 2018
Chong Zhang authored
Set up a new service for sw media codec services.

Bug: 111407413
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
Nick Kralevich authored
The auditallow added in 7a4af30b has not triggered. This is safe to remove.

Test: device boots and no obvious problems.
Test: No audit messages seen since May 2018 on go/sedenials
Bug: 9496886
Bug: 68016944
Change-Id: I3861b462467e1fc31e67a263ad06716a4111dcb8
Tri Vo authored
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials

This reverts commit cacea25e.

Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
- Oct 10, 2018
Sooraj Sasindran authored
Add ians service contexts

Bug: 113106744
Test: verified from service list that ianas is registered
Change-Id: Iea653416ffa45cba07a544826e0a2395d31cedca
Merged-In: Iea653416ffa45cba07a544826e0a2395d31cedca
Tri Vo authored
This patch gives global access to asan libraries. This is not ideal since the labeling is not symmetric with standard locations, but this approach is easy to maintain.

Fixes: 117555408
Test: processes on asan builds load /data/asan/* libs correctly
Change-Id: If54558c1808d8b16e06073c150c9f3eb358dda67
Nick Kralevich authored
Remove kernel attack surface associated with ioctls on plain files. In particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of entities. However, it's straightforward enough to turn on ioctl whitelisting for everything, so we choose to do so.

Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2
Nick Kralevich authored
This reverts commit 9899568f.

Reason for revert: Reports of high numbers of SELinux denials showing up on the SELinux dashboard.

Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
- Oct 09, 2018
Tri Vo authored
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b
- Oct 08, 2018
Sudheer Shanka authored
Bug: 117440207
Bug: 111890351
Test: manual
Change-Id: Ie218dec3e4f0f5dbade6d1c4d28b259909664056
Igor Murashkin authored
This daemon is very locked down. Only system_server can access it.

Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
Howard Ro authored
We plan on migrating MetricsLogger to write to statsd socket. So we need to allow zygote, which writes to logd using MetricsLogger, to also be able to write to statsd. We also re-locate some sepolicies to write to statsd socket in their respective policy definitions.

Bug: 110537511
Test: no failure/violations observed
Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc
Tri Vo authored
Bug: 117178352
Test: no denials to /system/asan.options on asan walleye
Change-Id: I6042693afb926a22a3e2be79bd2a7ba062806143
Mark Salyzyn authored
A default set of options is available, but can be overridden in an fstab overlay entry with upperdir=, lowerdir= to the same mount point, workdir=. The default is a valid /mnt/scratch/overlay/ or /cache/overlay/ directory, with .../<mount_point>/upper and .../<mount_point>/work, associated with each system partition <mount_point>.

Test: manual
Bug: 109821005
Change-Id: I5662c01fad17d105665be065f6dcd7c3fdc40d95
- Oct 04, 2018
Christine Franks authored
Bug: 111215474
Test: boots
Change-Id: Ib8cabeb64a8b4ec9f592d870bd0af611a2720cc7
Martijn Coenen authored
apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice".

Bug: 112455435
Test: builds, binder service can be registered, apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97