- Feb 06, 2017
Alex Klyubin authored
This leaves only the existence of netdomain attribute as public API. All other rules are implementation details of this attribute's policy and are thus now private.
Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with netdomain_current and *_current attributes targeted when netdomain rules reference public types.
Bug: 31364497
Change-Id: I102e649374681ce1dd9e1e5ccbaaa5cb754e00a0
-
- Nov 14, 2016
Chad Brubaker authored
Test: Verify that HTTP and HTTPS connections from ephemeral apps do not cause denials.
Change-Id: I0ce25602906e63ec55d5b5869445f2aec10900cb
-
- Oct 06, 2016
dcashman authored
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version.
Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
-
- Apr 15, 2016
Jeff Vander Stoep authored
(cherry picked from commit 6ba383c5)
Restrict unix_dgram_socket and unix_stream_socket to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.
Neverallow third party app use of all ioctls other than unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket.
Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
-
Jeff Vander Stoep authored
Restrict unix_dgram_socket and unix_stream_socket to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.
Neverallow third party app use of all ioctls other than unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket.
Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
-
- May 14, 2014
Sreeram Ramachandran authored
(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)
Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
-
Sreeram Ramachandran authored
Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
-
- Feb 25, 2014
Stephen Smalley authored
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 96ff4c05)
Change-Id: Idfd734f07687925c1f35d2629d4b59d46822d0d4
-
Stephen Smalley authored
Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms.
Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te.
For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write.
Delete legacy rule for b/12061011.
This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change.
Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain.
Resolve this overlap by:
1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already have it.
3) Deleting the redundant socket rules from app.te.
Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access.
Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions.
Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: I0a06fa32a46e515671b4e9a6f68e1a3f8b2c21a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
- Sep 30, 2013
Stephen Smalley authored
Change I4be1c987a5d69ac784a56d42fc2c9063c402de11 removed all netdomain allow rules at the same time domains were made unconfined. Prior to that change, any domain that used the net_domain() macro would be granted permissions required to use the network via these rules. The change made the netdomain attribute unused in any rules, thereby rendering the net_domain() calls pointless and requiring the allow rules to be duplicated for any domain requiring network access.
There are two ways to resolve this inconsistency:
1. Restore the netdomain rules as in this change. In that case, some rules in app.te can be removed as they are redundant with these rules.
-or-
2. Completely remove the netdomain attribute, the net_domain() macro, and all calls to it. In that case, each domain that requires network access will need to duplicate these rules or the necessary subset in order to function.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change-Id: Ia54f0cd0bbda5c510423b1046626bd50f79ed7b6
-
- May 20, 2013
repo sync authored
This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
-
- Jan 04, 2012
Stephen Smalley authored
-