- Sep 27, 2018
Nick Kralevich authored
system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions.

Additionally, add commented-out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
Nick Kralevich authored
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file, a label shared with /data/misc/zoneinfo. However, each of these directory locations has different security characteristics. In particular, the files in /system/usr/share/zoneinfo must never be writable, whereas /data/misc/zoneinfo may be written to by system_server. Reusing the same label hides these different security characteristics.

Create a separate label for /system/usr/share/zoneinfo.

Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879
Treehugger Robot authored
Treehugger Robot authored
- Sep 26, 2018
Nick Kralevich authored
Otherwise we crash on a null pointer exception.

Test: Reference a non-existent type in test code and make sure the test doesn't crash.
Change-Id: I5839d2740d51c0df7a8909a3f8430850ae1b2675
Nick Kralevich authored
system/sepolicy/public/attributes defines exec_type as:

    # All types used for domain entry points.
    attribute exec_type;

The linker is not a standalone executable, but rather, used by other executables to resolve shared libraries. It isn't, and must never be, an allowed entrypoint for a domain. Remove the exec_type attribute from system_linker_exec.

Test: Device compiles and boots, no obvious problems running the system.
Change-Id: I8f2f608bc1a642193524396f46b22933faac5468
huangyanjun authored
All the *.conf.dontaudit files are generated from *.conf with the command 'sed '/dontaudit/d' $@ > $@.dontaudit', but this command cannot be applied to multi-line dontaudit statements.

Test: Set plat_policy.conf.dontaudit as the input_file parameter of the checkpolicy tool; a selinux syntax error will then occur during building.
Change-Id: I281de923d8a5f0b46256ec7de4df12a1c1d7e061
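The failure described in that commit message, as an added shell illustration (not the repository's build rule or its fix): a constructed policy fragment with one single-line and one multi-line dontaudit statement is run through the quoted line-based `sed '/dontaudit/d'`, which leaves the permission list and closing `};` behind, and through a statement-aware variant that deletes from the opening `dontaudit` line through the terminating `;`. The brace-balance check is a sanity check one could add to such a build step, not something the project does.

```shell
#!/bin/sh
# Constructed policy fragment (not from system/sepolicy): one single-line and
# one multi-line dontaudit statement between two allow rules.
POLICY='allow foo bar:file read;
dontaudit foo baz:file write;
dontaudit foo qux:file {
    read
    write
};
allow foo quux:dir search;'

# Line-based deletion, as in the build rule quoted in the commit message.
# Only the line containing "dontaudit" goes; the permission list and the
# closing "};" of the multi-line statement are left behind, which is what
# checkpolicy then trips over.
strip_naive() {
  printf '%s\n' "$POLICY" | sed '/dontaudit/d'
}

# Statement-aware deletion (illustration, not the repository's fix):
# first drop one-line statements (they already end in ";"), then delete
# from any remaining "dontaudit" line up to and including the line that
# carries the terminating ";". A sed range only looks for its end address
# on the lines after the start line, so the one-line case must go first.
strip_statement() {
  printf '%s\n' "$POLICY" | sed \
    -e '/^[[:space:]]*dontaudit.*;[[:space:]]*$/d' \
    -e '/^[[:space:]]*dontaudit/,/;/d'
}

# Cheap sanity check a build step could run on the generated file:
# every "{" must be matched by a "}" once the statements are removed.
braces_balanced() {
  opens=$(( $(printf '%s\n' "$1" | tr -cd '{' | wc -c) ))
  closes=$(( $(printf '%s\n' "$1" | tr -cd '}' | wc -c) ))
  [ "$opens" -eq "$closes" ]
}

if braces_balanced "$(strip_naive)"; then
  echo "naive: balanced"
else
  echo "naive: unbalanced braces, checkpolicy would reject this output"
fi
braces_balanced "$(strip_statement)" && echo "statement-aware: balanced"
```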
- Sep 25, 2018
Nick Kralevich authored
Do not attempt to build odm_sepolicy.cil if BOARD_ODM_SEPOLICY_DIRS is not defined. Attempting to do so will create an empty file, which causes build problems when https://github.com/SELinuxProject/selinux/pull/100/commits/0c6ea1e812fbe75aef03ced077d4f4cd26d982fc is applied.

Test: "cd system/sepolicy && mma -j55" succeeds
Test: "make checkbuild" succeeds
Change-Id: Iefc458bddff3d08e5fcb86f8be3cad16d7e36e73
- Sep 24, 2018
Tri Vo authored
Fixes:

    avc: denied { read } for comm="init" name="linker_asan64" dev="sda22" ino=1833 scontext=u:r:init:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=lnk_file permissive=0

Bug: 116486312
Test: adb unroot && adb shell ls -l /system/bin/linker_asan
Change-Id: I754daaf3576e83d516cc9189b8be04dcc41bbc5c
Fan Xu authored
Create a new service type buffer_hub_binder_service for BufferHubBinderService and allow bufferhubd to publish the service.

Add the service to 26.0, 27.0 and 28.0 compat ignore files since the service is not available in past versions.

Fixes: 116022258
Test: build passed
Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
Treehugger Robot authored
Oleksiy Avramchenko authored
Allow vold to run exFAT filesystem check.

Test: build, mount exFAT volume
Bug: 80202067
Change-Id: I68f3438de89246e806cebe483f37e31c68aaa3d7
- Sep 23, 2018
Jeff Vander Stoep authored
Assert that only apps and installd may open private app files. Remove "open" permission for mediaserver/vold and remove their neverallow exemption.

Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728
- Sep 22, 2018
Kevin Chyn authored
Tri Vo authored
- Sep 21, 2018
Nick Kralevich authored
Jeffrey Vander Stoep authored
Nick Kralevich authored
Avoid generating build time noise so that real errors stand out.

https://en.wikipedia.org/wiki/Unix_philosophy

Rule of Silence: Developers should design programs so that they do not print unnecessary output. This rule aims to allow other programs and developers to pick out the information they need from a program's output without having to parse verbosity.

Test: Info messages no longer show up at build time.
Bug: 115998215
Change-Id: I33c18e2c7d77ed1bb4132debe13de2ae0907c34c
Kevin Chyn authored
Bug: 111461540
Bug: 112570477
Test: builds
Change-Id: Icc68720ebe931c2d917703b2d34aa0f4eec3f549
Merged-In: Icc68720ebe931c2d917703b2d34aa0f4eec3f549
Tri Vo authored
- Sep 20, 2018
Tri Vo authored
Bug: 115741899
Test: m selinux_policy
Change-Id: I5d80a1d9bd5500a82ebf282fb02f0db3a0b0a4c1
Tianjie Xu authored
Yifan Hong authored
...to reflect that the HAL operates on storage devices, not filesystem.

Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Tri Vo authored
This change limits global access to /system files down to:

    /system/bin/linker*
    /system/lib[64]/*
    /system/etc/ld.config*
    /system/etc/seccomp_policy/*
    /system/etc/security/cacerts/*
    /system/usr/share/zoneinfo/*

Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
- Sep 19, 2018
Benjamin Gordon authored
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
Primiano Tucci authored
This allows the trace producer daemon to snapshot counters at high frequency in the trace. As usual for Perfetto, this data is NOT made available to arbitrary apps but only to an extremely limited subset of processes governed by selinux rules (currently shell and statsd).

Bug: 115956288
Change-Id: I7e1bfda4b568b9bac9012b198ecbb998da4f773d
- Sep 18, 2018
Tri Vo authored
In cases when a device upgrades to system-as-root from O to P, it needs a mount point for an already existing partition that is accessed by both system and vendor. Devices launching with P must not have /mnt/vendor accessible to system.

Bug: 78598545
Test: m selinx_policy
Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f
- Sep 17, 2018
Joel Galenson authored
Test: Build.
Change-Id: I5c02916dfa3b2e8d5ba2bc586d05a69bd1f1254f
Merged-In: I150bc74b13a77f00a7e8b31a6c2edf9654bdbe59
- Sep 14, 2018
Treehugger Robot authored
Andy Hung authored
Test: USB device plug/unplug check for avc: denied
Test: AudioFlinger dumpsys
Bug: 115722843
Change-Id: I0c4186f97a46e41e9f2d75b3f324b6b85399e2b5
Nick Kralevich authored
Add additional compile time constraints on the ability to ptrace various sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
Jeff Vander Stoep authored
Bug: 9496886
Bug: 109758967
Test: atest HostsideVpnTests
Change-Id: I1716d9c740b374b861e691b31ab271c681cf6bff
- Sep 13, 2018
Tianjie Xu authored
Recovery-persist now parses the file /cache/recovery/last_install; and unlinks it after reporting metrics. Sets up the permission accordingly; also grants access to /cache if it's a symlink (useful for a/b devices.)

Denials:

    recovery-persis: type=1400 audit(0.0:7): avc: denied { write } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
    recovery-persis: type=1400 audit(0.0:7): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
    recovery-persis: type=1400 audit(0.0:8): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
    recovery-persis: type=1400 audit(0.0:8): avc: denied { read } for name="cache" dev="dm-0" ino=2991 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0

Bug: 114278989
Test: checks the metrics report on devices with /cache
Change-Id: Iacb5606710e26922a9fbb2d2abacf8333d6df084
Nick Kralevich authored
Currently, crash_dump has the following line:

    read_logd(crash_dump)

which is a macro defined as:

    #####################################
    # read_logd(domain)
    # Ability to run logcat and read from android
    # log daemon via sockets
    define(`read_logd', `
    allow $1 logcat_exec:file rx_file_perms;
    unix_socket_connect($1, logdr, logd)
    ')

which grants both the ability to talk directly to a logd socket, as well as the ability to execute the /system/bin/logcat command line tool.

This is unneeded (and problematic) for crash_dump. Crash_dump uses standard, vndk approved libraries to talk directly to logd. It never exec()s the (non-vndk approved) logcat command. As crash_dump is a vndk approved component and executed by vendor code, allowing this transitively makes /system/bin/logcat a vndk component too, which we want to avoid.

Instead of using the read_logd() macro, just directly add the unix_socket_connect() call. This allows talking directly to logd, but blocks the use of the (unneeded) /system/bin/logcat executable.

Test: crasher binary still works when executed from adb shell
Change-Id: I1fe9d0f5f0234c96454a0d91338fa2656f083345
Treehugger Robot authored
Hridya Valsaraju authored
Metadata needs to be erased as part of fastboot flashall -w.

Test: fastboot erase metadata
Bug: 113648914
Change-Id: I38a0debd9face16cad9d9a13a48549f3f58652fa
Yangster authored
Test: manual test
BUG: b/112432890
Change-Id: If703cd25a2c0864ffd49bfdc83821fae291974b5
Treehugger Robot authored
Treehugger Robot authored
Treehugger Robot authored