media framework analytics are gathered in a separate service.
define a context for this new service, allow various
media-related services and libraries to access this new service.

Bug: 30267133
Test: ran media CTS, watched for selinux denials.
Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca

Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13

Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

avc: granted { use } for pid=3067 comm="SoundPoolThread"
scontext=u:r:drmserver:s0 tcontext=u:r:system_server:s0 tclass=fd

Test: builds/boots on Angler. Adds permissions for all "granted" avc
messages observed in three months of log auditing.

Bug: 28760354
Change-Id: I51f13d7c7d40f479b1241dfcd5d925d28f74926b

Grant permissions observed.

Bug: 28760354
Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b

Grant permissions observed.

(cherry picked from commit 9c820a11)

Merged-in: Ifdead51f873eb587556309c48fb84ff1542ae303
Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

It no longer needs access to audio and camera

Bug: 22775369
Change-Id: I1de1f0e3504b214d6943733bf60eb83654b71048

SetupWizard initiates video playback using MediaPlayer API. Media server
should be able to handle preloads file descriptors

Bug: 28855287
Change-Id: I529dd39b25b852787b3d1708a853980cf382f045

Bug: 22775369
Change-Id: Iae362fcc371bab1455dda733f408f005c7eec3f8

bug: 22990512
Change-Id: I39baf6594cfcf56f5461ba54a7cdf6c9e161d834

Bug: 28169802
Change-Id: Ibc063470a42601ea232b1fa535663641a761eea7

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: adbd, kernel, mediaserver, and shell

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27915475
Bug: 27937873

Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked.  To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d

Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls

Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7

Bug: 27221797
Change-Id: Ie490eac5e7581ce21ca5377c3b46b48c647a335b

Bug: 27065131
Change-Id: I15c058eb46981ea3e03eccb4da132055ecae7efb

Remove all permissions not observed during testing.

Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

This reverts commit 2afb217b.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44

camera_device didn't really offer much in terms of control considering
that most domains that need camera_device, also need video_device and
vice versa.

Thus, drop camera_device from the policy and add a temporary typealias.

Change-Id: I144c0bb49a9a68ab1bdf636c64abe656f3e677b4
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 26175834
Change-Id: I49244f8e6165ea5a871955f07b3c4ea40cbd7c59

Neverallow access to privileged commands.

Change-Id: I443be5bbcd8cdf55e23c2c4d8fee93c4ebf30e55

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d

Change-Id: Ia90fb531cfd99d49d179921f041dd93c7325ad50

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd

Mediaserver no longer appears, and maybe never did, need write
permission to sysfs files.
commit: 1de9c492 added auditing to
make sure this is the case, and such access has not been observed.
Remove the permissions and the associated auditallow rule to further
confine the mediaserver sandbox.

Bug: 22827371
Change-Id: I44ca1521b9791db027300aa84e54c074845aa735

Change-Id: I455fe33345dd1ae8dc49cb7b70cbf1e7c1b3e271

In Android 5.1, mediaserver couldn't execute any file on
/system. This slightly regressed due to
8a0c25ef, which granted mediaserver
access to execute /system/bin/toolbox and /system/bin/toybox

Revoke that unneeded access and add a neverallow rule to prevent
regressions.

TODO: Remove toolbox_exec:file execute permissions from domain.te
and add it back to the specific domains that need it.

Change-Id: Ia7bc6028a9ffb723d4623d91cbe15c8c1bbb2eb9

The device-independent code only needs read access to sysfs, and this
appears to be enough for at least some devices (Nexus 5).

Bug: 22827371
Change-Id: I3b7b068e98f11f9133f0bdea8ece363e4bd89ae8

- Update selinux policy for CameraServiceProxy.

Bug: 21267484
Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c