Commit 619c1ef2 ("tun_device: enforce
ioctl restrictions") completely removed the ability of untrusted apps to
issue ioctl calls to tun_device. It turns out that this was too
aggressive. Wireshark apparently uses the TUNGETIFF ioctl.

Fixes the following denial:

audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android

Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332

We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I827a108bd118090542354360a8c90b295e6a0fef

Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.

Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.

Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.

The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21

Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.

Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45

This reverts commit 67ed4328.

Reason for revert: Broken CTS test. See b/118642091

Bug: 118642091
Bug: 110379912
Change-Id: I5afd16bf23149c74f2740720cdd248a255ff1497

We are moving AppFuse mount from system_server's mount namespace to
vold. Hence, we could reduce the SELinux permissions given to
system_server, in the expense of adding allow rules to vold and
letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75

Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program)

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5

What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25e.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a

This reverts commit 9899568f.

Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.

Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0

What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b

Remove these files from proc_net_type. Domains that need access must
have permission explicitly granted. Neverallow app access except the
shell domain.

Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0

DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e

llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126

Also move statsd to /public/

Bug: 110538431
Test: manual testing
Change-Id: I58319e169eaab7d997ed3628c3c9709cf7bd0d4a

Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations. For backards
compat, add mmap in more places where we explicitly
list out individual file permissions.

Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e

As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 ,
the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6

(cherrypicked from commit f2afca7c)

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
Merged-In: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5

Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837

The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.

Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d

Cut down on logspam during kernel_net_tests

Test: /data/nativetest64/kernel_net_tests/kernel_net_tests
Change-Id: Id19f50caebc09711f80b7d5f9d87be103898dd9a

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5

Apps targeting API version 28+ are not allowed to access:
/proc/xt_qtaguid/*
/dev/xt_qtaguid

Instant apps should also be excluded from access.

Fixes: 92796393
Test: make -j cts_instant
    cts-instant-tradefed run commandAndExit cts-instant-dev \
    -m CtsPermissionTestCases \
    --test android.permission.cts.FileSystemPermissionTest

Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457

Before, it was possible to access a hwservice without declaring
that you were a client.

This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)

which makes sure the above implication holds using a neverallow rule.

Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6

(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be28894)

Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 08731895)

Vendor public libs are exposed to apps (not system), and their ABI
stability is guaranteed by vendor. Introducing new selinux type so that
we don't conflate concepts of same-process HAL and vendor public lib.
The former is exposed to all domains, while the latter should only be
acessible by apps.

Bug: 76413554
Test: build-only change, policy builds
Change-Id: I89dad351374f46c7fe2726991eb4c05064c37ed5

The /dev/ion driver's file operations structure does not specify a
write operation. Granting write is meaningless. This audit statement
has been around since Android Oreo and logs collected from dogfooders
shows that no apps are attempting to open the file with write
permissions.

Bug: 28760354
Test: build
Test: verify no "granted" messages from dogfood devices.
Change-Id: Id4f3540bba8c9f30f9d912f7a7473933be779cbb

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
(cherry picked from commit 224921d1)

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
(cherry picked from commit 985db6d8)

System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef

Remove unecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.

Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912

Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250

The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
      		android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
(cherry picked from commit 5ec8f843)

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73

The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
      		android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc

This reverts commit fad0b04d.

Reason for revert: This change crashed facebook App on dogfood build.

Bug: 72977484
Change-Id: I4f35b00c11afbd4914f572d3cc0378d740403ed2