bug: 22990512
Change-Id: I39baf6594cfcf56f5461ba54a7cdf6c9e161d834

Bug: 28169802
Change-Id: Ibc063470a42601ea232b1fa535663641a761eea7

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: adbd, kernel, mediaserver, and shell

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27915475
Bug: 27937873

Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked.  To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d

Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls

Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7

Bug: 27221797
Change-Id: Ie490eac5e7581ce21ca5377c3b46b48c647a335b

Bug: 27065131
Change-Id: I15c058eb46981ea3e03eccb4da132055ecae7efb

Remove all permissions not observed during testing.

Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

This reverts commit 2afb217b.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44

camera_device didn't really offer much in terms of control considering
that most domains that need camera_device, also need video_device and
vice versa.

Thus, drop camera_device from the policy and add a temporary typealias.

Change-Id: I144c0bb49a9a68ab1bdf636c64abe656f3e677b4
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 26175834
Change-Id: I49244f8e6165ea5a871955f07b3c4ea40cbd7c59

Neverallow access to privileged commands.

Change-Id: I443be5bbcd8cdf55e23c2c4d8fee93c4ebf30e55

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d

Change-Id: Ia90fb531cfd99d49d179921f041dd93c7325ad50

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd

Mediaserver no longer appears, and maybe never did, need write
permission to sysfs files.
commit: 1de9c492 added auditing to
make sure this is the case, and such access has not been observed.
Remove the permissions and the associated auditallow rule to further
confine the mediaserver sandbox.

Bug: 22827371
Change-Id: I44ca1521b9791db027300aa84e54c074845aa735

Change-Id: I455fe33345dd1ae8dc49cb7b70cbf1e7c1b3e271

In Android 5.1, mediaserver couldn't execute any file on
/system. This slightly regressed due to
8a0c25ef, which granted mediaserver
access to execute /system/bin/toolbox and /system/bin/toybox

Revoke that unneeded access and add a neverallow rule to prevent
regressions.

TODO: Remove toolbox_exec:file execute permissions from domain.te
and add it back to the specific domains that need it.

Change-Id: Ia7bc6028a9ffb723d4623d91cbe15c8c1bbb2eb9

The device-independent code only needs read access to sysfs, and this
appears to be enough for at least some devices (Nexus 5).

Bug: 22827371
Change-Id: I3b7b068e98f11f9133f0bdea8ece363e4bd89ae8

- Update selinux policy for CameraServiceProxy.

Bug: 21267484
Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7

Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd

System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b

Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc
and commit 99940d1a

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

mediaserver and drmserver both have permission to read oemfs
related files. However, there are no search permissions on the
directory, so the files would be unreachable.

Grant search permissions on the oemfs directory, so that the files
within that directory can be read.

Bug: 17954291
Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db