Change-Id: I3c6af086fc8ca3e9600c2267c439718c9a572dfb

Bug: 17674304

Change-Id: Ide32833809bca8d3ed8ddc898748e25d7a692319

* commit 'c6cb6ac4':
  isolated_app: remove app_data_file execute

* commit '206b1a6c':
  Define specific block device types for system and recovery partitions.

Define a specific block device type for system so that we can
prevent raw writes to the system partition by anything other than
recovery.

Define a specific block device type for recovery so that we
can prevent raw writes to the recovery partition by anything
other than install_recovery or recovery.

These types must be assigned to specific block device nodes
via device-specific policy.  This change merely defines the types,
adds allow rules so that nothing will break when the types are assigned,
and adds neverallow rules to prevent adding further allow rules
on these types.

This change does not remove access to the generic block_device type
from any domain so nothing should break even on devices without these
type assignments.

Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

In commit ad891591, we allowed
isolated processes to execute files from /data/data/APPNAME.

I'm pretty sure all the necessary linker changes have been made
so that this functionality isn't required anymore. Remove the
allow rule.

This is essentially a revert of ad891591.

Change-Id: I1b073916f66f4965dfc53c0ea2b624bbb2fe8816

* commit 'eb5b76aa':
  Mark asec_apk_file as mlstrustedobject.

* commit 'cedee697':
  Fix fsck-related denials with encrypted userdata.

Allow error reporting via the pty supplied by init.
Allow vold to invoke fsck for checking volumes.

Addresses denials such as:
avc:  denied  { ioctl } for  pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file

avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file

These denials show up if you have encrypted userdata.

Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc:  denied  { write } for  pid=1546 comm="Binder_1" name="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir

This is required to install a forward-locked app.

Change-Id: I2b37a56d087bff7baf82c738896d9563f0ab4fc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '92dfa31f':
  seinfo for platform based domains should be stated explicitly.

* commit '8a0c25ef':
  Do not allow init to execute anything without changing domains.

The current policy would allow any application that were to
"magically" get a sensitive UID into the coresponding
sensitive domain. Rather then only using UID as an input
selector, require seinfo=platform.

Change-Id: I8a7490ed55bdcd3e4a116aece2c3522b384024ec

Remove the ability of init to execute programs from / or /system
without changing domains.  This forces all helper programs and
services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs
executed from the fs_mgr library by init.  This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system.  We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices.  As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain.  This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '54e9bc45':
  Dependencies for new goldfish service domains.

In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service.  A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them.  A neverallow rule prevents us from allowing
qemu-props to set default_prop.

We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat.  We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).

Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'f2c01189':
  zygote: allow replacing /proc/cpuinfo

* commit '49fd9567':
  Allow NFC to read/write nfc. system properties.

* commit '3e6da147':
  Enable selinux read_policy for adb pull.

Remove permission from appdomain.

(cherry picked from commit 309cc668)

Bug: 16866291

Change-Id: I37936fed33c337e1ab2816258c2aff52700af116

* commit '9ac7df22':
  Allow NFC to read/write nfc. system properties.

(cherry pick of commit 05383ebf)

Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97

* commit '2de02877':
  zygote: allow replacing /proc/cpuinfo

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501

(cherry picked from commit 2de02877)

Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501
Change-Id: Ib70624fba2baeccafbc0a41369833f76b976ee20

Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97

* commit '826bc5d6':
  allow apps to read the contents of mounted OBBs

Apps should be able to read the contents of mounted OBBs.

Steps to reproduce:

  1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
  2) Attempt to run the app.

Expected:
  App runs successfully.

Actual:
  App crashes. See denials below.

This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3

Addresses the following denials:

  avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0

(cherrypick of commit 62083414)

Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa

* commit '62083414':
  allow apps to read the contents of mounted OBBs

Apps should be able to read the contents of mounted OBBs.

Steps to reproduce:

  1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
  2) Attempt to run the app.

Expected:
  App runs successfully.

Actual:
  App crashes. See denials below.

This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3

Addresses the following denials:

  avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0

Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa

* commit '4635b26f':
  Enable per-user isolation for normal apps.

* commit 'b54f92bb':
  make su an mlstrustedsubject

* commit 'a8b651bf':
  relax appdomain efs_file neverallow rules [DO NOT MERGE]

During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:

  adb shell cat /factory/ssn
  adb shell cat /factory/bt/bd_addr.conf
  adb shell cat /factory/wifi/mac.txt
  adb shell cat /factory/60isn

read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.

No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.

Bug: 17600278

(cherry picked from commit 200a9f0e)

Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7

Otherwise the following denial occurs when I3972f846ff5e7363799ba521f1258d662b18d64e
is present and "adb root" is run.

  <6>[   64.507223] type=1400 audit(1411432079.100:471): avc: denied { connectto } for pid=717 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1
  <6>[   64.507617] type=1400 audit(1411432079.100:472): avc: denied { connectto } for pid=1659 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1

Change-Id: I1772912b2ca1446b822303ad6ea3154427f8331f

* commit '200a9f0e':
  relax appdomain efs_file neverallow rules