- Nov 16, 2018
Nick Kralevich authored
1b1d133b added the process2 class but forgot to suppress SELinux denials associated with these permissions for the su domain. Suppress them.

Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule in su.te is relevant.

Inspired by https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02

Add xdp_socket to various other neverallow rules.

Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
Treehugger Robot authored
Treehugger Robot authored
Treehugger Robot authored
Nick Kralevich authored
It is unnecessary to use get_prop() rules for the su domain. The su domain is always in permissive mode [1] and not subject to SELinux enforcement. It's also possible these rules were added to avoid SELinux denial log spam from showing up, however, there are already dontaudit rules in place [2] to prevent this. Delete the unnecessary rules.

[1] https://android.googlesource.com/platform/system/sepolicy/+/96b62a60c2ccae777fdcabe7d2ed28b52056860b/private/su.te#19
[2] https://android.googlesource.com/platform/system/sepolicy/+/96b62a60c2ccae777fdcabe7d2ed28b52056860b/public/su.te#42

Test: policy compiles
Change-Id: I5913f360738725bf915f0606d381029b9ba4318f
Treehugger Robot authored
Kevin Chyn authored
Test: vold is able to create directories, ag/5534962
Bug: 116528212
Change-Id: I61dd8802c13b1c42d334a80b678ca6a877848fc2
- Nov 15, 2018
Tri Vo authored
We lose git history with this, but imo the rules being moved don't have much reference material. Also, as we write more neverallow rules for CKI, I'd like to consolidate them in private/coredomain.te

Test: m selinux_policy
Change-Id: I6d0c3d2af0c4dfe7dd3cb1d8836b4b5e00db37a4
Treehugger Robot authored
Treehugger Robot authored
Tri Vo authored
kmem_device was used to label /dev/mem and /dev/kmem. We already have multiple layers of protection against those /dev nodes being present on devices.

CTS checks that /dev/mem and /dev/kmem don't exist:
https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233

VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and CONFIG_DEVMEM disabled:
https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2

Bug: 110962171
Test: m selinux_policy
Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
Treehugger Robot authored
Yifan Hong authored
Nick Kralevich authored
Used by https://android.googlesource.com/platform/external/ipsec-tools/+/bf16586a33b1432a11526754523fceb62944dc1c/main.c#116

Addresses the following denial:

audit(0.0:8126): avc: denied { ioctl } for comm="racoon" path="/dev/tun" dev="tmpfs" ino=25329 ioctlcmd=0x54ca scontext=u:r:racoon:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0

Test: policy compiles.
Change-Id: Ia26077d4a9e810c7006d4b979d6b7e9ca154b485
Treehugger Robot authored
Mårten Kongstad authored
Bug: 78815803
Test: builds, boots
Test: manual: adb shell idmap2 create ...
Test: manual: adb shell ps | grep -e idmap2d
Change-Id: I60852e15d99329896ff9de6559d1e7cd1c67e33d
Nick Kralevich authored
Commit 619c1ef2 ("tun_device: enforce ioctl restrictions") completely removed the ability of untrusted apps to issue ioctl calls to tun_device. It turns out that this was too aggressive. Wireshark apparently uses the TUNGETIFF ioctl.

Fixes the following denial:

audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android

Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332
Yifan Hong authored
These ioctls are similar to BLKGETSIZE64; they return benign information about the partition's alignment, and are used by liblp to optimally align dynamic partition extents.

The system_block_device is included here because on retrofit devices, the "super" partition is mapped to the system partition.

Test: manual OTA on retrofit device
Bug: 118506262
Change-Id: I3dd3c99d86d63f97bcd393cff374e27f5ed2da2e
- Nov 14, 2018
Treehugger Robot authored
Treehugger Robot authored
Treehugger Robot authored
Nick Kralevich authored
BLKDISCARD is used by vold while wiping block devices
https://android.googlesource.com/platform/system/vold/+/b2455747a92957d109a050b8f3e394d87d085086/Utils.cpp#619

BLKGETSIZE is used to determine the size of the block device. Ideally code should not be using this ioctl, as it fails for devices >= 2T in size. Vold indirectly uses this when executing /system/bin/newfs_msdos. Arguably this is a bug in newfs_msdos, as BLKGETSIZE64 should be used instead.
Code: https://android.googlesource.com/platform/external/newfs_msdos/+/0c7e133c7fde67911efb7bd920d4f0ab0c269af8/mkfs_msdos.c#845

Addresses the following denials:

audit(0.0:24): avc: denied { ioctl } for comm="Binder:588_2" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1277 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
audit(0.0:25): avc: denied { ioctl } for comm="newfs_msdos" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1260 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Bug: 119562530
Change-Id: Ib7198daf150d6f2578545a6a402e0313069ea2b4
Tomasz Wasilczyk authored
This enables native wireless interface configuration at boot.

Bug: 36120314
Test: adb shell ifconfig -a | grep wlan
Change-Id: I797c0c8a8645d690d311f42cec3998b2f4cee77b
Florian Mayer authored
Treehugger Robot authored
Florian Mayer authored
Test: m
Test: flash sailfish
Test: profile system_server
Change-Id: I577793af655146ee91be86bb286fcf9d6e6d081d
liwugang authored
It will not end when other words appear because of the wrong bound and variable; rule_map->length will exceed the actual length in the rule_map_new function, and it will lead to a crash in the rule_map_validate function because of strcmp(NULL, str).

Test:
1. add "user=shell doman=system_app" to private/seapp_contexts
2. exec "checkseapp private/seapp_contexts" and it will not crash

Change-Id: I600206448b38cf2c9b61f9141b40f920b05696c8
Signed-off-by: liwugang <liwugang@xiaomi.com>
Treehugger Robot authored
Jiyong Park authored
It was <name>_file_context before. Changing for better readability.

Bug: 119034475
Test: m apex.test com.android.tzdata com.android.runtime
Change-Id: Ic9d6479dfed56ac474c574343a38b5f73dde3c05
Jiyong Park authored
- Nov 13, 2018
Risan authored
We are moving AppFuse mount from system_server's mount namespace to vold. Hence, we could reduce the SELinux permissions given to system_server, at the expense of adding allow rules to vold and letting appdomain have access to vold's fd.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and system_server code changes)
Change-Id: I827a108bd118090542354360a8c90b295e6a0fef
Jiyong Park authored
For centralized development of sepolicies, file_contexts files for APEXes are all moved to under /system/sepolicy.

Bug: 119034475
Bug: 113373927
Test: m apex.test com.android.tzdata com.android.runtime com.android.media
Change-Id: I9bf4874793db4dbdb75cbd759ae95f72d7281007
Joel Galenson authored
This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: I65dffda9806e0d627978ffdd392e3deb625149b7
Bookatz authored
There is now an incident section for statsd output data. These selinux changes must be made for incident to call dump on statsd to get the data.

Bug: 115678461
Test: adb shell incident -b 3023 and confirm that a valid statsd section is obtained
Change-Id: I761389c160ab3ab6c24556813a1a31088c0f5137
Nick Kralevich authored
He's already listed as an authorized +2er in https://android-review.googlesource.com/admin/groups/810,members

Test: none
Change-Id: Ifff6b3f8353d562b3386d0c2e3b575154f173e23
- Nov 12, 2018
Tri Vo authored
mtd_device does not label any /dev node present on walleye, and the only permission to that type is:
allow hal_telephony_server mtd_device:dir search;

I suspect there is no need to keep mtd_device around.

Bug: 110962171
Test: boot aosp_walleye
Change-Id: If74b1258b21edeca38c8b7dc07a3a10b751a7e85
Treehugger Robot authored
Eugene Susla authored
Test: ensure no build failures; add RoleManagerService as a boot phase
ensure no SecurityException in logcat on boot
Change-Id: Ia0803c0fb084fe2b12f5c20f5e46354d0dd1aedf
- Nov 10, 2018
Nick Kralevich authored
system/sepolicy commit 619c1ef2 started enforcing ioctl whitelisting requirements for /dev/tun. Bluetooth needs the ability to issue TUNSETIFF on /dev/tun, so allow access. We also allow access to TUNGETIFF for good measure.

Addresses the following denial:

avc: denied { ioctl } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=20047 ioctlcmd=0x54ca scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0

Test: policy compiles
Change-Id: Ie4c138fc774373cec266c59de6663db147d60423
- Nov 09, 2018
Tri Vo authored
No coredomain domain has access to these types and corresponding /dev nodes don't exist on the device:
audio_seq_device
audio_timer_device
full_device
i2c_device
vcs_device

Bug: 110962171
Test: m selinux_policy
Test: boot walleye
Change-Id: I89ad4755e6760aa166cb22e2655567e5905dc672