Test: builds and boots on Bullhead with no selinux audit messages.

Bug: 29795149
Bug: 30400942
Change-Id: I93295424a03488234b233d5e2f86d3bf329e53fd

Grant access to all processes and audit access. The end goal is to
whitelist all access to the interpreter. Several processes including
dex2oat, apps, and zygote were observed using libart, so omit them
from auditing and explicitly grant them access.

Test: Angler builds and boots

Bug: 29795519
Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88

Apparently some manufacturers sign APKs with the platform key
which use renderscript. Renderscript works by compiling the
.so file, and placing it in the app's home directory, where the
app loads the content.

Drop platform_app from the neverallow restriction to allow partners
to add rules allowing /data execute for this class of apps.

We should revisit this in the future after we have a better
solution for apps which use renderscript.

(cherry picked from commit c55cf17a)

Bug: 29857189
Change-Id: I058a802ad5eb2a67e657b6d759a3ef4e21cbb8cc

Previously appdomains allowed to execute off of /data
where whitelisted. This had the unfortunate side effect of
disallowing the creation of device specific app domains
with fewer permissions than untrusted_app. Instead grant
all apps a neverallow exemption and blacklist specific app
domains that should still abide by the restriction.

This allows devices to add new app domains that need
/data execute permission without conflicting with this rule.

Bug: 26906711

(cherry picked from commit c5266df9)

Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924

Grant permissions observed.

Bug: 28760354
Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b

Grant permissions observed.

(cherry picked from commit 9c820a11)

Merged-in: Ifdead51f873eb587556309c48fb84ff1542ae303
Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

Bug: 28746284
Change-Id: I59aa235ecba05e22aaa531e387a77f47267ac9ae

Applications should not access /dev/input/* for events, but
rather use events handled via the activity mechanism.

Change-Id: I0182b6be1b7c69d96e4366ba59f14cee67be4beb
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983

Only used by Flounder.

Bug: 8435593
Change-Id: I06655e897ab68a1724190950e128cd390617f2bd

Address denials:
avc: denied { read } for name="meminfo" dev="proc" ino=4026544360 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0

Bug: 28722489
Change-Id: I3c55bd95bb82ec54e88e9e9bc42d6392a216a936

(cherry-picked from commit cc8a09f5)

camera_device was previously removed in AOSP commit: b7aace2d
"camera_device: remove type and add typealias" because the
same domains required access to both without exception, meaning
there was no benefit to distinguishing between the two. However,
with the split up of mediaserver this is no longer the case and
distinguishing between the camera and video  provides a legitimate
security benefit. For example, the mediacodec domain requires access
to the video_device for access to hardware accelerated codecs but does
not require access to the camera.

Bug: 28359909
Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232

To avoid audit messages that arise because there is no way to create a
file without also trying to open and read it.

Bug: 28241500
Change-Id: Id1daaf190b36eda9775e00701cd7241991f65a2a

camera_device was previously removed in AOSP commit: b7aace2d
"camera_device: remove type and add typealias" because the
same domains required access to both without exception, meaning
there was no benefit to distinguishing between the two. However,
with the split up of mediaserver this is no longer the case and
distinguishing between the camera and video  provides a legitimate
security benefit. For example, the mediacodec domain requires access
to the video_device for access to hardware accelerated codecs but does
not require access to the camera.

Bug: 28359909
Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232

This directory is no longer used.

Change-Id: Ic32a7dd160b23ef8d1d4ffe3f7b1af56c973d73c

Allow adbd and app domains to read the symlink at /mnt/sdcard.
This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on.

Read access for this symlink was removed from adbd and the shell user in
8ca19368, and from untrusted_app in
cbf7ba18.

Addresses the following denials:

  avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
  avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 25801877
Bug: 28108983
Change-Id: Ia31cd8b53c9c3a5b7d11be42c2fde170f96affb0

Remove references to /data/security and the corresponding
type securitly_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d

... and client apps to read them.

A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047

Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b

Bug: 27511071
Change-Id: I99ea21638a4df8ad1f815d91bb970e1f8f143030

- Required to query cpusets information.

Bug: 22855417
Bug: 27381794
Bug: 27498731

Change-Id: I6d192aad2135d99a6c9cdaf97696b0822bd21897

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e

Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573

(cherry picked from commit 9a1347ee)

Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497

Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573
Change-Id: I07724d8d68ffcdda691f1179787a4f40a0ab1c73

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked.  To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d

Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls

Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7

Bug: 26719109
Bug: 26563023

Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995

Large numbers of denials have been collected.  Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.

(cherry-pick from commit: 0b80f4dc)

Change-Id: I11b9b159702fb2d50d4352f9cd8b68503d07222a

Large numbers of denials have been collected.  Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.

Change-Id: Ia7ad6264d85490824089b5074bf9c22303cc864a

The labels for filesystem and files are assigned by vold with using
context= mount option.

Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94

Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0

Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6

Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496

Renderscript needs the ability to read directories on
/system. Allow it and file/symlink read access.

Addresses the following denials:
  RenderScript: Invoking /system/bin/ld.mc with args '/system/bin/ld.mc -shared -nostdlib
    /system/lib64/libcompiler_rt.so -mtriple=aarch64-none-linux-gnueabi
    --library-path=/system/vendor/lib64 --library-path=/system/lib64
    -lRSDriver -lm -lc
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/primitives.o
    -o
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/librs.primitives.so'
  ld.mc   : type=1400 audit(0.0:1340): avc: denied { read } for name="lib64" dev="mmcblk0p24" ino=212 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  ld.mc   : type=1400 audit(0.0:1341): avc: denied { read } for name="lib64" dev="mmcblk0p29" ino=1187 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  RenderScript: Child process "/system/bin/ld.mc" terminated with status 256

Change-Id: I9fb989f66975ed553dbc0c49e9c5b5e5bc45b3c3

Address the following:
01-21 13:35:41.147  5896  5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152  5896  5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152  5896  5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152  5896  5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed

and

01-22 08:58:47.667  7572  7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671  7498  7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671  7498  7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13

Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38

Strengthen neverallow rule to enforce that no apps may write to
system_data_file - the default label for /data/

Change-Id: I886e4340f300551754c9e33e9c1764fb730b6b14

camera_device didn't really offer much in terms of control considering
that most domains that need camera_device, also need video_device and
vice versa.

Thus, drop camera_device from the policy and add a temporary typealias.

Change-Id: I144c0bb49a9a68ab1bdf636c64abe656f3e677b4
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Previously granted to only untrusted_app, allow all apps except
isolated_app read write permissions to tun_device.

avc: denied { read write } for path="/dev/tun" dev="tmpfs" ino=8906 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file

Bug: 26462997
Change-Id: Id6f5b09cda26dc6c8651eb76f6791fb95640e4c7

and as a consequence open up for other appdomains (e.g. platform_app)
to write system properties.

Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7

su is in permissive all the time. We don't want SELinux log
spam from this domain.

Addresses the following logspam:

  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0