Create a new domain for the one-shot init service flash_recovery.

This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.

Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8

Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976

Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.

Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3

  libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
  Error while expanding policy
  make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1

Change-Id: Iddf2cb8d0de2ab445e54a727f01be0b992b45ba5

The recovery script may ask to label a file with a label not
known to the currently loaded policy. Allow it.

Addresses the following denials:

  avc:  denied  { relabelto } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
  avc:  denied  { setattr } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94

Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.

Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156

Currently, ueventd only modifies the SELinux label on a file
if the entry exists in /ueventd.rc. Add policy support to enable
an independent restorecon_recursive whenever a uevent message occurs.

Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac

We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba

Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.

Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f

The new sideloading mechanism in recovery needs to create a fuse
filesystem and read files from it.

Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf

Needed to support https://android-review.googlesource.com/80871

Change-Id: Iba569c046135c0e81140faf6296c5da26a243037

Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e

Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28

Remove the auditallow statements from app.te and
binderservicedomain.te which were causing log spam.

Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb

Map imms to system_app_service in service_contexts and add
the system_app_service type and allow system_app to add the
system_app_service.

Bug: 16005467
Change-Id: I06ca75e2602f083297ed44960767df2e78991140

Remove the allow rule for default services in
binderservicedomain.te so we will need to whitelist any
services to be registered.

Change-Id: Ibca98b96a3c3a2cbb3722dd33b5eb52cb98cb531

This is extremely useful as it allows timeouts on the socket.
Since ioctl is allowed, setopt shouldn't be a problem.

Resolves denials, in 3rd party apps, such as:

avc:  denied  { setopt } for  pid=18107 comm="AudioRouter-6"
scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0
tclass=unix_stream_socket

Change-Id: I6f38d7b86983c517575b735f43b62a2ed811e81c
Signed-off-by: Sérgio Faria <sergio91pt@gmail.com>

Chrome renderer processes dlopen() a shared library from
gmscore. Open and read on app data file is already allowed,
but execute isn't, so the dlopen() fails. This is a regression
from K, where the dlopen succeeded.

Longer term, there's questions about whether this is appropriate
behavior for an isolated app. For now, allow the behavior.
See the discussion in b/15902433 for details.

Addresses the following denial:

  I/auditd  ( 5087): type=1400 audit(0.0:76): avc:  denied  { execute } for  comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Bug: 15902433
Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678

Adding services to service_contexts for the
pending commits Icf5997dd6a6ba5e1de675cf5f4334c78c2c037f1
and Ibe79be30b80c18ec45ff69db7527c7a4adf0ee08.

Change-Id: Ie898866d1ab3abba6211943e87bcec77ba568567

Add missing services related to battery, bluetooth, time,
and radio to service_contexts.

Change-Id: I8bf05feb173d49637048c779757013806837fede

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc

dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.

Addresses the following denial:

  <4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0

Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe

system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.

Allow it.

Addresses the following errors which have been showing up
in logcat:

  W/ProcessCpuTracker(12159): Skipping unknown process pid 1
  W/ProcessCpuTracker(12159): Skipping unknown process pid 2
  W/ProcessCpuTracker(12159): Skipping unknown process pid 3

Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512

Change-Id: I004ae9aee23a28cb4975fcee51d24eb1a654f0b7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Address denials such as:
avc: denied { write } for pid=2587 comm="kworker/u:4" path="/storage/emulated/0/Download/AllFileFormatesFromTommy/Test3GP.3gp" dev="fuse" ino=3086052592 scontext=u:r:kernel:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file permissive=0

Change-Id: I351e84b48f1b5a3361bc680b2ef379961ac2e8ea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Bug: 15835289

Property being set: sys.boot_from_charger_mode. If healthd attempts to write
this property without the policy changes we get the following audit message:

[   45.751195] type=1400 audit(1403556447.444:7): avc:  denied  { write } for pid=99 comm="charger" name="property_service" dev="tmpfs" ino=3229 scontext=u:r:healthd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

These changes are needed to support the following system/core commit:
faster booting from charger mode
* Ieec4494d929e92806e039f834d78b9002afd15c4

Change-Id: I9f198cd73c7b2f1e372c3793dc2b8d5ef26b3a0f

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Don't allow unconfined domains to access the internet. Restrict
internet functionality to domains which explicitly declare their
use. Removing internet access from unconfined domains helps
protect daemons from network level attacks.

In unconfined.te, expand out socket_class_set, and explicitly remove
tcp_socket, udp_socket, rawip_socket, packet_socket, and
appletalk_socket. Remove name_bind, node_bind and name_connect rules,
since they only apply to internet accessible rules.

Add limited udp support to init.te. This is needed to bring up
the loopback interface at boot.

Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a

execmod is checked on attempts to make executable a file mapping
that has been modified.  Typically this indicates a text relocation
attempt.  As we do not ever allow this for any confined domain to
system_file or exec_type, we should not need it for unconfineddomain
either.

Change-Id: I8fdc858f836ae0d2aa56da2abd7797fba9c258b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.

Addresses denials such as:
  avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.

Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>