- Aug 13, 2018

Treehugger Robot authored

Treehugger Robot authored

Treehugger Robot authored

Nick Kralevich authored
There is a problem with on-disk labeling of files created by secondary dex background compilation which is causing unexpected denials to show up. Restore the old labeling until we are able to fix the underlying problem.

Steps to reproduce:
1) boot android device.
2) adb root
3) Run cmd package compile -r bg-dexopt --secondary-dex com.google.android.gms
4) Examine the files in /data/user_de/0/com.google.android.gms

Expected: All files have the label privapp_data_file
Actual: The files in /data/user_de/0/com.google.android.gms/app_chimera/m are labeled "app_data_file", not "privapp_data_file".

This reverts commit 4df57822.

Bug: 112357170
Test: policy compiles
Change-Id: I38ba75c92c9c46e6a1fdbc02e3dc80c63adccaa8

Nick Kralevich authored
There is a problem with on-disk labeling of files created by secondary dex background compilation which is causing unexpected denials to show up. Drop the auditallow rule to avoid logspam.

Steps to reproduce:
1) boot android device.
2) adb root
3) Run cmd package compile -r bg-dexopt --secondary-dex com.google.android.gms
4) Examine the files in /data/user_de/0/com.google.android.gms

Expected: All files have the label privapp_data_file
Actual: The files in /data/user_de/0/com.google.android.gms/app_chimera/m are labeled "app_data_file", not "privapp_data_file".

Addresses the following audit logspam:
type=1400 audit(0.0:117): avc: granted { execute } for comm=4173796E635461736B202331 path="/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/oat/arm/DynamiteLoader.odex" dev="dm-0" ino=5775 scontext=u:r:untrusted_app:s0:c111,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.android.chrome

Additionally, this removes auditallow statements for older untrusted apps. Lots of big apps are executing files from their home directory. Additional restrictions in this area will need to be tied to API versions.

Addresses the following audit logspam:
type=1400 audit(0.0:619): avc: granted { execute } for comm="na:notification" path="/data/data/com.facebook.katana/lib-xzs/libbreakpad.so" dev="dm-3" ino=28333 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.katana
type=1400 audit(0.0:129): avc: granted { execute } for comm="ticlock" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
type=1400 audit(0.0:1239): avc: granted { execute } for comm="Analytics-Norma" path="/data/data/com.facebook.orca/lib-xzs/libchipsetmerged.so" dev="dm-3" ino=50243 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.orca
type=1400 audit(0.0:58): avc: granted { execute_no_trans } for comm="sh" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
type=1400 audit(0.0:1948): avc: granted { execute_no_trans } for comm="sh" path="/data/data/com.mxdata.tube.Market/files/osmcore" dev="sda13" ino=2752651 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.mxdata.tube.Market
type=1400 audit(0.0:2875): avc: granted { execute_no_trans } for comm="ThreadPoolManag" path="/data/data/com.amazon.kindle/files/hardwareTest" dev="sda13" ino=1935346 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.amazon.kindle

This reverts commit 4738b93d.

Bug: 112357170
Test: policy compiles
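The avc lines quoted in the commit above are the raw material an auditallow rule produces: each one records a source domain (scontext) exercising a permission on a target type (tcontext). The parser below is an added example, not code from the sepolicy project; it parses kernel audit avc lines into fields, decodes the hex-encoded comm value the first line carries (audit hex-encodes a comm that contains a space, so 4173796E635461736B202331 is "AsyncTask #1"), and tallies which domains executed files labelled app_data_file, which is the W^X measurement these auditallow rules were added to take. The sample log is constructed from four lines quoted on this page; the function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample input: four avc lines copied from the commit messages above
# (three "granted { execute }" events from the auditallow rules, one su denial).
SAMPLE_LOG = """\
type=1400 audit(0.0:117): avc: granted { execute } for comm=4173796E635461736B202331 path="/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/oat/arm/DynamiteLoader.odex" dev="dm-0" ino=5775 scontext=u:r:untrusted_app:s0:c111,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.android.chrome
type=1400 audit(0.0:619): avc: granted { execute } for comm="na:notification" path="/data/data/com.facebook.katana/lib-xzs/libbreakpad.so" dev="dm-3" ino=28333 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.katana
type=1400 audit(0.0:58): avc: granted { execute_no_trans } for comm="sh" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1
"""

# Header of an avc record: audit type, timestamp:serial, verdict, permission set.
AVC_RE = re.compile(
    r'type=(?P<type>\d+) audit\((?P<stamp>[^)]*)\): avc: (?P<verdict>granted|denied) '
    r'\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$'
)
# key=value pairs after "for": values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def _decode_field(key, quoted, raw):
    """Return the field value; hex-decode comm/path when audit encoded them."""
    if quoted is not None:
        return quoted
    # The kernel audit subsystem hex-encodes a comm or path containing spaces or quotes.
    if key in ("comm", "path") and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(line):
    """Parse one avc line into a dict, or return None for non-avc lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": int(m["type"]), "stamp": m["stamp"], "verdict": m["verdict"],
           "perms": set(m["perms"].split())}
    for key, whole, quoted, raw in FIELD_RE.findall(m["rest"]):
        rec[key] = _decode_field(key, quoted if whole.startswith('"') else None, raw)
    return rec


def parse_log(text):
    """Parse every avc line in a block of audit output."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def domain(ctx):
    """Return the SELinux type from a context such as u:r:untrusted_app_25:s0:c512,c768."""
    return ctx.split(":")[2]


def exec_from_app_data(records):
    """Count (source domain, verdict) pairs for execution of app_data_file-labelled files.

    This is the W^X signal the auditallow rules in the commit were collecting:
    an app domain loading executable code from its own writable home directory.
    """
    hits = Counter()
    for r in records:
        if (r.get("tclass") == "file"
                and domain(r.get("tcontext", "::")) == "app_data_file"
                and r["perms"] & {"execute", "execute_no_trans"}):
            hits[(domain(r["scontext"]), r["verdict"])] += 1
    return hits


if __name__ == "__main__":
    for (dom, verdict), n in sorted(exec_from_app_data(parse_log(SAMPLE_LOG)).items()):
        print(f"{dom:20} {verdict:8} {n}")
```

Run against a real `logcat -b events` or `dmesg` capture, the tally separates untrusted_app (API 28) from untrusted_app_25 and untrusted_app_27, which is exactly the per-API-version split the commit says any further restriction will need to be tied to.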

Nick Kralevich authored
The su domain is always permissive. Operations which occur in this domain should never be logged.

Addresses the following denials:
type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1
type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1
type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1
type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1
type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1

Test: policy compiles
Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4

Nick Kralevich authored
Linux kernel 4.14+ SELinux starts explicit map permission check for file mmap operations. For backwards compat, add mmap in more places where we explicitly list out individual file permissions.

Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e

- Aug 10, 2018

David Ng authored
Linux kernel 4.14+ SELinux starts explicit map permission check for file mmap operations. Add this permission to system_server for data file access, which is used in scenario such as "adb install" of APK's.

test: no longer see SELinux map denial on "adb install"
Change-Id: Id6016dd0b3f15dfdb0f02509ea812dee61ac78ed

Suren Baghdasaryan authored
Allow lmkd write access to sys.lmk. properties to be able to set sys.lmk.minfree_levels.

Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

Yifan Hong authored

Yifan Hong authored
Test: builds
Test: vts
Bug: 111655771
Change-Id: Iabad3d124bf476cb624addf7d7898e0c2894d550

- Aug 09, 2018

Chia-I Wu authored
This is needed to dump ANR traces for the process.

Bug: 111604912
Test: adb shell am hang
Change-Id: Icadc2de95a12818fe623271d1afb955843ccddbf

- Aug 08, 2018

Mathieu Chartier authored

Shibin George authored
Certain pm.* properties, which are especially needed for Go-targets, are not listed in property_contexts. Init will not be able to set these properties on bootup without the correct selinux contexts assigned to the properties.

BUG: 111738816
Test: In selinux-enforcing mode, on bootup, these properties are now correctly set by init.
Change-Id: I6ea0fb229c93725e2987b1e021d5804a132d093d

Tri Vo authored
Test: n/a
Change-Id: I929772fa36da6b96494d14cfa48b47dcc76cccd4

Treehugger Robot authored

Steven Moreland authored

Mark Salyzyn authored
/cache/overlay directory in support of overlayfs mounts on userdebug and eng devices. Overlayfs in turn can be capable of supporting adb remount for read-only or restricted-storage filesystems like squashfs or right-sized (zero free space) system partitions respectively.

Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1

Nick Kralevich authored
Text relocation support was removed from the linker for apps targeting API >= 23. See https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23

However, the security policy was not updated to remove the execmod permission at that time, since we didn't have support for targeting SELinux policies to API versions.

Remove execmod permissions for apps targeting API 26 or greater. The linker support was removed, so it's pointless to keep around the SELinux permissions.

Retain execmod support for apps targeting API 25 or lower. While in theory we could remove support for API 23-25, that would involve the introduction of a new SELinux domain (and the associated rule explosion), which I would prefer to avoid.

This change helps protect application executable code from modification, enforcing W^X properties on executable code pages loaded from files. https://en.wikipedia.org/wiki/W%5EX

Test: auditallow rules were added and nothing triggered for apps targeting API >= 26. Code compiles and device boots.
Bug: 111544476
Change-Id: Iab9a0bd297411e99699e3651c110e57eb02a3a41

- Aug 07, 2018

Tri Vo authored
/vendor/bin/bcc being a dependency of renderscript should be labeled as same_process_hal_file. To facilitate that we relax neverallow rules for executing same_process_hal_file from coredomain.

See details on /vendor/bin/bcc: https://source.android.com/devices/architecture/vndk/renderscript

Bug: n/a
Test: build-time change
Change-Id: Ie996fb863090bf08b3d3ef653da827d0b22937d7

Steven Moreland authored
Bug: N/A
Test: boot
Change-Id: I67e3554383977c3fb5e89f236838a9cb39fb257e

Nick Kralevich authored
Kernels above 4.14 have a new mmap permission. However, neverallow rules exclude the use of mmap, even when file FDs are passable across the vendor/non-vendor boundary. Since we allow reading / writing of passed file descriptors, also allow the use of mmap for passed file descriptors.

Bug: 112171217
Test: policy compiles
Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9

Nick Kralevich authored
This reverts commit 0f11ffcc.

Reason for revert: libmono crashes

Bug: 112292089
Bug: 111544476
Test: policy compiles, device boots
Change-Id: I064090aa9337cf17b80cd2c9af9342df851a3b27

Xin Li authored
Bug: 112104996
Change-Id: Icf411d8b04e12dd33dd82a26328b4156585cb5ff

Treehugger Robot authored

Tom Cherry authored

Gao Xiang authored
Bug: 112292714
Change-Id: I0026c13fd4335e0365496bc00c26021d83f3c39d
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>

Nick Kralevich authored
am: 4738b93d

Change-Id: I4278bd3d4e7786be716324d1817a81b6c19eec2e

- Aug 06, 2018

Nick Kralevich authored
am: 41b21ee9

Change-Id: I85087c37b7c575e9b50d7090d155281d4f7c4f74

Nick Kralevich authored
Executing files from an application home directory violates W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code from a writable file) and is an unsafe application behavior. Test to see if we can get rid of it and establish some baseline metrics.

Test: device boots and no obvious problems.
Change-Id: I756c281fcbf750821307327642cc0d06605951b0

Nick Kralevich authored
As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 , the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6

Joel Galenson authored
am: 8b2c8580 -s ours

Change-Id: If21fba6ab5506a8ba74a55d4cd816c218b4078b1

Joel Galenson authored
(cherrypicked from commit f2afca7c)

Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5
Merged-In: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5

- Aug 04, 2018

Nick Kralevich authored
Bug: None
Test: I solemnly swear I tested this conflict resolution.
Change-Id: Ic6dd370d6549c9dd1eb1e690c1c2f2fa441624b9

Treehugger Robot authored

- Aug 03, 2018

Sudheer Shanka authored
am: c5601de4

Change-Id: Ie61645bd9b276f67e96ac7f823c1a1048a35ef8e

Tom Cherry authored
am: 938ab05d

Change-Id: If632608a9e7acc6e59b468674207bc80a4833a26

Tom Cherry authored
Test: boot hikey
Change-Id: I8f26f858af8ccde1d7f4b346966bbb6bbeab5a92

Sudheer Shanka authored
Nick Kralevich authored
Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. Commit 23c9d91b introduced a new type called privapp_data_file and added rules necessary to preserve compatibility. However, that change did not relabel any existing files, so effectively the change was a no-op. This change performs the switch, relabeling priv-app's /data/data files from app_data_file to privapp_data_file. Due to the compatibility rules added in 23c9d91b, there should be no noticeable effect from this change. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Merged-In: I9a476726bf01f4bcc7952d11fd57dba803a9fd8d Change-Id: I23a26cd3906fc43cbd225c05c3a2abd3cab8bd06
-