Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

Conflicts:
	debuggerd.te

healthd performs privileged ioctls on the tty device
when in charger mode. Allow it.

This fixes a bug where off charging mode is forcing the device
to reboot into recovery.

Addresses the following denial:

type=1400 audit(15080631.900:4): avc:  denied  { sys_tty_config } for  pid=130 comm="healthd" capability=26  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability

Bug: 13472365

(cherry picked from commit c8012152)

Change-Id: I701ad577c6814b0dafaef1367d0445b47a104f3c

Resolve denials such as:
avc:  denied  { write } for  pid=130 comm="healthd" name="state" dev="sysfs" ino=57 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc:  denied  { read write } for  pid=130 comm="healthd" name="tty0" dev="tmpfs" ino=5677 scontext=u:r:healthd:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit ebc08e82)

Change-Id: Ib72388cc2d192fe78397e3a2a401db08b5b6c267

* commit '9702e493':
  DO NOT MERGE: Adding permissions needed to remove cache

* commit '2a2a4936':
  DO NOT MERGE: Make bluetooth, nfc, radio and shell adb-installable

During removing cache data using Zipper application, I found violation logs.

avc:  denied  { write } for  pid=198 comm="installd" name="cache" dev="mmcblk0p29" ino=81680 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir
avc:  denied  { remove_name } for  pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir
avc:  denied  { unlink } for  pid=198 comm="installd" name="downloadfile.apk" dev="mmcblk0p29" ino=82247 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file

Reproduction path is like below
1. Downloading Zipper application from Google Play (I used Zipper 1.9.9.2)
2. Clicking option and clicking "removing cache" button
3. Select "yes"
4. Violation show up

(cherry picked from commit 9cc6d8d5)

Bug: 13450421
Change-Id: I487ccd1d8d58bf2c590af39a7b1eb448c113670e

bluetooth, nfc, radio and shell are not explicitly declared
in installd.te. This prevents applications in those group
from upgrading by "adb install -r".

You can reproduce the issue by following step:
 1. adb pull /system/priv-app/Shell.apk
 2. adb install -r Shell.apk
 3. install failed with the error log blow

[Error in logcat]
E/installd(  338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/com.android.shell-1': Permission denied
E/installd(  338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/Shell': Permission denied

[Error in dmesg]
<5>[  112.053301] type=1400 audit(1387412796.071:10): avc:  denied  { create } for  pid=337 comm="installd" name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=lnk_file

This operation fails only if the app belongs to any of the
groups specified in the commit title.

(cherry picked from commit f5e90004)

Bug: 13450421
Change-Id: Ie38d05c1306bebd90b0f15c1d4e1a55f6798d497

Addresses denials seen when attempting to take a screencaputre from ddms:
<5>[ 1232.327360] type=1400 audit(1393354131.695:41): avc:  denied  { read write } for  pid=18487 comm="screencap" name="nvhost-ctrl" dev="tmpfs" ino=4035 scontext=u:r:adbd:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Bug: 13188914

(cherry picked from commit ddde8c29)

Change-Id: I25c90a0f5dadf5f4e9f99cd27cf8740766a21aaa

Resolve denials such as:

avc:  denied  { getattr } for  pid=16226 comm="Thread-2096" path="socket:[414657]" dev="sockfs" ino=414657 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=5890 comm="FinalizerDaemon" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

(cherry picked from commit 495e9d12)

Change-Id: Ie38979416b36b4452375d58baff46f14b78f1bad
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* changes:
  allow wpa_cli to work.
  Label /data/misc/wifi/sockets with wpa_socket.

This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

(cherry picked from commit 48b18832)

Change-Id: Ic75095397a11ad715c16a75a7374e9b0d131f3f7

With wpa_supplicant in enforcing, wpa_cli doesn't work.

Denial:

type=1400 audit(1390597866.260:59): avc:  denied  { write } for  pid=3410 comm="wpa_supplicant" name="wpa_ctrl_4852-1" dev="mmcblk0p28" ino=618993 scontext=u:r:wpa:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file

After I9e35cc93abf89ce3594860aa3193f84a3b42ea6e and
I51b09c5e40946673a38732ea9f601b2d047d3b62, the /data/misc/wifi/sockets
directory is labeled properly. This change allows the communication
between the su domain and wpa.

Steps to reproduce:
  Start wifi (so wpa_supplicant will run)
  Start wpa_cli - it will hand
  $ adb root
  $ adb shell
  # wpa_cli -g @android:wpa_wlan0

Bug: 12721629
Change-Id: I03170acc155ad122c5197baaf590d17fc1ace6a5

This will ensure that any sockets created in this directory
will default to wpa_socket unless a type_transition is defined.
Define a type transition for system_server to keep its separate
system_wpa_socket type assigned for its socket.  Allow wpa
to create and unlink sockets in the directory.  We leave the
already existing rules for wifi_data_file in place for compatibility
with existing devices that have wifi_data_file on /data/misc/wifi/sockets.

Change-Id: I9e35cc93abf89ce3594860aa3193f84a3b42ea6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 96ff4c05)

Change-Id: Idfd734f07687925c1f35d2629d4b59d46822d0d4

Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're approaching stabilization,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Change-Id: I1467b6b633934b18689683f3a3085329bb96dae1

Image transfer over NFC is broken.

  STEPS TO REPRODUCE:
  -----------------------------------------
  1. Launch Gallery and open any picture
  2. Keep two devices close each other
  3. Tap on 'Touch to Beam' option on sender device and observe receiver device

  OBSERVED RESULTS:
  'Beam did not complete' message showing in Notification window.

  EXPECTED RESULTS:
  Beam should complete successfully and able to share picture through Beam

  ADDITIONAL INFORMATION :
  Device : Hammerhead
  Reproducibility : 3/3

Addresses the following denials:

<5>[ 3030.955024] type=1400 audit(1391625834.066:72): avc:  denied  { call } for  pid=311 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:nfc:s0 tclass=binder
<5>[ 3049.606559] type=1400 audit(1391625852.716:74): avc:  denied  { write } for  pid=26850 comm="id.nfc:handover" name="0" dev="fuse" ino=3086221568 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.606802] type=1400 audit(1391625852.716:75): avc:  denied  { add_name } for  pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.607068] type=1400 audit(1391625852.716:76): avc:  denied  { create } for  pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610602] type=1400 audit(1391625852.716:77): avc:  denied  { remove_name } for  pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610870] type=1400 audit(1391625852.716:78): avc:  denied  { rename } for  pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Bug: 12891504

(cherry picked from commit 629c98c2)

Change-Id: I7832cc2b66c88092b05581503e338cf8b6e1c0ec

See http://code.google.com/p/android/issues/detail?id=65339



Further denials were observed in testing and allowed as well.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 208deb33)

Change-Id: I2d4135df916f67fcd3cff8c22429779ba0193b2c

* commit '997680a3':
  bluetooth: allow media_rw_data_file

Allow bluetooth to handle media_rw_data_file file descriptors
sent to it from other processes. Without this, bluetooth
picture / video sharing is broken.

Steps to reproduce:
1. Take few pictures
2. launch gallery and choose a picture/video and click on share and choose
   available BT device and share

Other info from bug report:

- Bluetooth process queries media content provider for a file descriptor,
  with an Uri like "content://media/external/images/media/69"
- Media server resolves the uri to a file on the filesystem, in the case of
  Gallery at "/storage/emulated/0/DCIM/Camera/IMG_20140128_141656.jpg"
- Media server returns the FD over binder to bluetooth
- Bluetooth is unable to read the file backed by the file descriptor.

Fixes Denial:

<5>[  821.040286] type=1400 audit(1390952161.805:11): avc:  denied  { read } for  pid=1348 comm="Binder_3" path="/data/media/0/DCIM/Camera/IMG_20140128_141656.jpg" dev="mmcblk0p23" ino=236246 scontext=u:r:bluetooth:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Bug: 12457805
Change-Id: I1423d06a98416ae4ab19508f0d005a6353acadc4

* commit 'c669667e':
  fix healthd charger mode.

* commit '251ba76b':
  Allow "mkdir /sdcard/foo"

Creation of directories on /sdcard was not allowed for the
shell user. Fixed.

Steps to reproduce:

adb shell
cd /sdcard
mkdir foo

Addresses the following denial:

<5>[  446.361215] type=1400 audit(13427374.189:13): avc:  denied  { create } for  pid=3264 comm="mkdir" name="foo" scontext=u:r:shell:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir

Bug: 12778268
Change-Id: I5a91b7581fe7e97fbf3caeed9fdf74981e49c58e

Healthd has an optional "charger" mode. The device boots into a
minimally running mode, and healthd displays the battery indicator.

Without this patch, when a manta device boots into charger mode,
the screen will never turn off and the battery indicator will not move.

From reviewing the healthd code, it looks like this may affect lots
of devices, not just manta. I'm adding this change to the generic
policy.

Steps to reproduce:

1) Make sure the device is unplugged.
2) Boot into a normal system.
3) Shutdown the system normally using the power button.
4) After shutdown, plugin the power cord.
5) Device will boot into charger mode. Battery icon will display.
6) Press the button to reboot into a normal mode.
7) Examine /proc/last_kmsg and look for denials.

Addresses the following denials:

[    3.908457] type=1400 audit(1390866386.620:3): avc:  denied  { read write } for  pid=98 comm="charger" name="fb0" dev="tmpfs" ino=4286 scontext=u:r:healthd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
[    3.909085] type=1400 audit(1390866386.620:4): avc:  denied  { open } for  pid=98 comm="charger" name="fb0" dev="tmpfs" ino=4286 scontext=u:r:healthd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
[    3.909749] type=1400 audit(1390866386.620:5): avc:  denied  { ioctl } for  pid=98 comm="charger" path="/dev/graphics/fb0" dev="tmpfs" ino=4286 scontext=u:r:healthd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
[    4.889857] type=1400 audit(1390866387.605:6): avc:  denied  { read } for  pid=98 comm="charger" name="input" dev="tmpfs" ino=4153 scontext=u:r:healthd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
[    4.890873] type=1400 audit(1390866387.605:7): avc:  denied  { open } for  pid=98 comm="charger" name="input" dev="tmpfs" ino=4153 scontext=u:r:healthd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
[    4.891949] type=1400 audit(1390866387.605:8): avc:  denied  { search } for  pid=98 comm="charger" name="input" dev="tmpfs" ino=4153 scontext=u:r:healthd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
[    4.892677] type=1400 audit(1390866387.605:9): avc:  denied  { read } for  pid=98 comm="charger" name="event2" dev="tmpfs" ino=4279 scontext=u:r:healthd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
[    4.893576] type=1400 audit(1390866387.605:10): avc:  denied  { open } for  pid=98 comm="charger" name="event2" dev="tmpfs" ino=4279 scontext=u:r:healthd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
[    7.288104] type=1400 audit(1390866389.999:12): avc:  denied  { execmem } for  pid=98 comm="charger" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=process
[    7.288574] type=1400 audit(1390866389.999:13): avc:  denied  { execute } for  pid=98 comm="charger" path="/dev/ashmem" dev="tmpfs" ino=4113 scontext=u:r:healthd:s0 tcontext=u:object_r:ashmem_device:s0 tclass=chr_file

Change-Id: I0118e08514caa0ad11d2aa7562c9846a96779a21

* commit 'dffe634b':
  Make drmserver enforcing.

* commit '19351738':
  Move adbd into enforcing (all build types)

* commit 'fed8a2a4':
  Remove transition / dyntransition from unconfined

adbd was only in enforcing for user builds. Commit
Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6 allows us to move
it into enforcing for everyone. Do it.

Change-Id: Ie1a3e5361c891d2c9366e11f35699e3146cc3d88

Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.

healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.

Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29

Change-Id: I7c1d2fc7b4d5a962f872d5f032b6d9e31efe7a24

* commit '76d14766':
  Allow all appdomains to grab file attributes of wallpaper_file.

* commit '5c9c3121':
  Move shell into enforcing for everyone.

Change-Id: Id1eb5f7524181aaa17d0ce26219167a5b05cfd4f

* commit 'd233350b':
  Support running adbd in the su domain.