kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f

Fixes warning:
system/sepolicy/public/install_recovery.te:14:WARNING 'unrecognized character' at token ''' on line 13335:
allow install_recovery vendor_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };'

Bug: 37105075
Test: Fugu policy builds without this warning.
Change-Id: I8f417c51a816f3983a918c7e36dd804c5b85543f

Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8

No relevant collected denials.

Test: device boots and no obvious problems.
Test: no collected denials.
Bug: 28760354
Change-Id: Idcf939b3cbdb1dec835d59150181047d062e6c48

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

The auditallow for install_recovery accessing cache_recovery_files
hasn't triggered, so drop the rules as they don't appear to be
used.

Change-Id: I74bb152b6c829612594c647674907e16783fa477

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Toolbox is definitely used from install_recovery. Addresses
the following denials:

  type=1400 audit(0.0:7): avc: granted { execute } for comm="install-recover" name="toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:6): avc: granted { getattr } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:13): avc: granted { read } for comm="log" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  type=1400 audit(0.0:9): avc: granted { read open } for comm="install-recover" path="/system/bin/toolbox" dev="mmcblk0p41" ino=463 scontext=u:r:install_recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Change-Id: I51d6e474f34afe1f33ea8294a344aa71e41deead

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.

Also let vold create new directories under it's private storage area
where the benchmarks will be carried out.  Mirror the definition of
the private storage area on expanded media.

avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f

The install_recovery script creates a new recovery image based
off of the boot image plus a patch on /system. We need to allow
read access to the boot image to allow the patching to succeed,
otherwise OTAs are broken.

Addresses the following denial:

  type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

TODO: Add device specific labels for the boot image.

Bug: 19534538
Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa

The recovery partition has been assigned a recovery_block_device
type for the AOSP devices, so install_recovery should not need
rw access to the generic block_device type.  Remove it.

Change-Id: I31621a8157998102859a6e9eb76d405caf6d5f0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Define a specific block device type for system so that we can
prevent raw writes to the system partition by anything other than
recovery.

Define a specific block device type for recovery so that we
can prevent raw writes to the recovery partition by anything
other than install_recovery or recovery.

These types must be assigned to specific block device nodes
via device-specific policy.  This change merely defines the types,
adds allow rules so that nothing will break when the types are assigned,
and adds neverallow rules to prevent adding further allow rules
on these types.

This change does not remove access to the generic block_device type
from any domain so nothing should break even on devices without these
type assignments.

Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Start enforcing SELinux rules for install_recovery.

Change-Id: I052c7d2203babf3e146cf32794283e80ca21dd9a

Create a new domain for the one-shot init service flash_recovery.

This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.

Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8