Bug: 18112269
Change-Id: I801a3ecb42a2636b15612ff19a55150d06786363

The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.

Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.

Longer term, we need to move GMS core into it's own domain, but that's
a longer term change.

Addresses the following denial:

W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 18504118
Bug: 18340553
Change-Id: Ia9fac599befc3a3b6e5282be15ec8fd04bb23385

Dex2oat needs the ability to read from already open file descriptors
in /oem so that apps from that location can be installed. Allow it.

Addresses the following denials:

  avc: denied { read } for comm="dex2oat" path="/oem/app/TabletInfo.apk" dev="mmcblk0p12" ino=20 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/AskMe_android_one.apk" dev="mmcblk0p12" ino=14 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerRegulatoryInfo.apk" dev="mmcblk0p12" ino=19 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerLauncherProvider.apk" dev="mmcblk0p12" ino=18 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/Amazon_Mobile_com.apk" dev="mmcblk0p12" ino=13 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerBookmarksProvider.apk" dev="mmcblk0p12" ino=17 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/Hike.apk" dev="mmcblk0p12" ino=15 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
  avc: denied { read } for comm="dex2oat" path="/oem/app/MiLive_embedded_IndiaGames_version4.0_android1.apk" dev="mmcblk0p12" ino=16 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0

Bug: 18539205
Change-Id: I92bd91c66befc5a1060dd189324b2c046bba0258

Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561

Cherry-pick from: https://android-review.googlesource.com/#/c/111626/

Change-Id: I751a99feffe820308ec58514fdba4cdef184d964

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956

(cherry picked from commit c48971f6)

Change-Id: I24bc1b3405f60c9d4e16e5a995e987e54692b6aa

See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '6f201ddc':
  App: add permissions to read symlinks from dalvik cache.

Bug: 18035729
Change-Id: Ib60f9cd59a7a185ae99761ad29358a735ae2ad26

* commit '9f0af9ec':
  zygote/dex2oat: Grant additional symlink permissions

* commit 'b7934922':
  allow run-as to access /data/local/tmp

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

(cherry-picked from AOSP master
83c5612e)

Bug: 18035729

(cherry picked from commit f7ccfd00)

Change-Id: I5dca27241f46f481515b96e968fb2bef7866c89b

Otherwise denials like the following occur:

avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Steps to reproduce:

$ run-as com.google.android.talk id > /data/local/tmp/id.out
$ run-as com.google.android.talk cat < /data/local/tmp/id.out

(cherry picked from commit dd8571aa)

Change-Id: I80bb26e06d932229c286f0389f28ad6868d79100

* commit '7cd346a7':
  Allow recovery to create device nodes and modify rootfs

* commit '0055ea90':
  Allow recovery to create device nodes and modify rootfs

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery the the various neverallow rules
blocking this behavior.

Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e

* commit '7adc8cfe':
  Allow adbd to write to /data/adb

adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895

(cherry picked from commit 973877db)

Change-Id: Ida2e0257c97941ab33ccdab59eb2cde95dca344f

They need to see when it changes so they know when netd bounces.

bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a

Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

(cherry-picked from AOSP master
83c5612e)

Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62

* commit '2d1650f4':
  allow system_server to set kernel scheduling priority

Addresses the following denial:

  avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

It's not clear why system_server is adjusting the scheduling priority
of kernel processes (ps -Z | grep kernel). For now, allow the operation,
although this is likely a kernel bug.

Maybe fix bug 18085992.

Bug: 18085992
Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855

* commit '683ac49d':
  recovery: allow changing unlabeled symbolic links

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c

* commit '2c38b3b8':
  DO NOT MERGE: allow access to labeled executables in /system

Most files on /system are labeled with the "system_file" label, and
are readable by default by all SELinux domains. However, select
executables are labeled with their own label, so that SELinux knows
what domains to enter upon running the executable.

Allow adbd read access to labeled executables in /system. We do
this by granting adbd read access to exec_type, the attribute
assigned to all executables on /system.

This allows "adb pull /system" to work without generating
SELinux denials.

Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604

Classes which statically read these files are no longer preloaded.

Bug: 18013422
Change-Id: Iafd127eff2ba95266f49f8d7c70bc9dd11624df4

* commit '480374e4':
  Fix compile time / CTS gps_data_files neverallow assertion

Currently, zygote spawned apps are prohibited from modifying GPS
data files. If someone tries to allow GPS access to any app domain,
it generates a compile time / CTS exception.

Relax the rules slightly for system_app. These apps run with UID=system,
and shouldn't be banned from handling gps data files.

This change doesn't add or remove any SELinux rules. Rather, it just
relaxes a compile time assertion, allow partners to create SELinux
rules allowing the access if they desire.

Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93

* commit '51bfecf4':
  Pull keychain-data policy out of system-data

Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547

* commit 'ebfd9f87':
  allow oemfs:dir search

* commit '2380d05f':
  allow system_server oemfs read access

mediaserver and drmserver both have permission to read oemfs
related files. However, there are no search permissions on the
directory, so the files would be unreachable.

Grant search permissions on the oemfs directory, so that the files
within that directory can be read.

Bug: 17954291
Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db

Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d

* commit '0a52df50':
  Give bootanimation access to /dev/snd files so it can use tinyalsa

Bug: 17674304

Change-Id: Ide32833809bca8d3ed8ddc898748e25d7a692319