1b1d133b added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.

Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02

Add xdp_socket to various other neverallow rules.

Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7

Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0

system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be

The su domain is always permissive. Operations which occur in this
domain should never be logged.

Addresses the following denials:

  type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1

Test: policy compiles
Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4

* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e86)

Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
(cherry picked from commit 1aedf4b5)

Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102

Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947

Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

VTS testing is intended to be run on userdebug builds with:
1. Tests running in the permissive su domain.
2. HALs running in enforcing mode (i.e. setenforce 1).

As such su needs to be a client to every HAL.

Example:
hal_tetheroffload_server has permission to receive and use a
netlink_netfilter_socket from hal_tetheroffload_client (currently
system_server). Before declaring su as hal_tetheroffload_client
VTS tests were failing with the following denials:

avc: denied { setopt } for comm="HwBinder:843_1"
scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0
tclass=netlink_netfilter_socket
avc: denied { read write } for comm="VtsHalTetheroff"
path="socket:[216191]" dev="sockfs" ino=216191
scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0
tclass=netlink_netfilter_socket
avc: denied { getattr } for comm="HwBinder:843_1"
scontext=u:r:hal_tetheroffload_default:s0 tcontext=u:r:su:s0
tclass=netlink_netfilter_socketsu acting as client to hal_tetheroffload_server passes it
a netlink_netfilter_socket, permissions which are already granted to
hal_tetheroffload_client

With su declared as hal_tetheroffload_client tests pass as expected.

Bug: 36792117
Test: build
Change-Id: If2d3978eee0f96e50ad0c0cc6afc0f18b2d264f2

The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 35e308cf)

The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>

vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

(preemptive cherry-pick of commit: 2f1c7ba7
to avoid merge conflict)

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e

vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e

hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc

For example, for listing vndbinder services
using 'adb shell service -v list'

Test: adb shell service -v list
Bug: 36987120
Change-Id: Ibf3050710720ae4c920bc4807c9a90ba43717f3b

Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea0)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Postinstall testing requires to mount a filesystem and relabel its
files to postinstall_file. While this task will normally be performed
by the update_engine daemon running in a domain of the same name, we
also test this workflow with sample images from /data/nativetest in
eng builds.

This hides the log messages from the 'su' context when mounting and
relabeling a filesystem onto the postinstall mountpoint.

Bug: 27272144
Bug: 26955860
TEST=m; update_engine_unittests pass Postinstall tests.

Change-Id: Id39aa1afdc11a6f59434873e68a53cbcb6ae363f

su is in permissive all the time. We don't want SELinux log
spam from this domain.

Addresses the following logspam:

  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file
  avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0

The "su" domain is in globally permissive mode on userdebug/eng
builds. No SELinux denials are suppose to be generated when running
under "su".

Get rid of useless SELinux denials coming from su trying to stat
files in /dev/__properties__. For example: "ls -la /dev/__properties__"
as root.

Addresses the following denials:

  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:wc_transport_prop:s0" dev="tmpfs" ino=10597 scontext=u:r:su:s0 tcontext=u:object_r:wc_transport_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qseecomtee_prop:s0" dev="tmpfs" ino=10596 scontext=u:r:su:s0 tcontext=u:object_r:qseecomtee_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:radio_atfwd_prop:s0" dev="tmpfs" ino=10595 scontext=u:r:su:s0 tcontext=u:object_r:radio_atfwd_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=10594 scontext=u:r:su:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:contexthub_prop:s0" dev="tmpfs" ino=10593 scontext=u:r:su:s0 tcontext=u:object_r:contexthub_prop:s0 tclass=file permissive=1

Change-Id: Ief051a107f48c3ba596a31d01cd90fb0f3442a69

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

Addresses the following denial:

  avc:  denied  { list } for service=NULL scontext=u:r:su:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Change-Id: I70449b93307378481c986a60ca593eb2fc2de2c5

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

(cherry-pick of commit: eab26faa)

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75

Addresses su denials which occur when mounting filesystems not
defined by policy.

Addresses denials similar to:

  avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e

Addresses the following auditallow messages:

  avc: granted { find } for service=accessibility scontext=u:r:su:s0 tcontext=u:object_r:accessibility_service:s0 tclass=service_manager
  avc: granted { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager
  avc: granted { find } for service=package scontext=u:r:su:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager
  avc: granted { find } for service=user scontext=u:r:su:s0 tcontext=u:object_r:user_service:s0 tclass=service_manager
  avc: granted { find } for service=window scontext=u:r:su:s0 tcontext=u:object_r:window_service:s0 tclass=service_manager

Change-Id: Ie58ad3347e9ef1aacd39670cfec7d095875e237b

Without this change, any selinux warning you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.

Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb

The su domain is always permissive, and will always be permissive.
It never makes sense to show su related denials, as they just cause
a false sense of alarm.

Suppress service_manager related denials. For example:

  SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  SELinux : avc:  denied  { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

While I'm here, suppress other recent additionsl to security_classes as
well (keystore_key, debuggerd, drmservice)

Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9

Otherwise the following denial occurs when I3972f846ff5e7363799ba521f1258d662b18d64e
is present and "adb root" is run.

  <6>[   64.507223] type=1400 audit(1411432079.100:471): avc: denied { connectto } for pid=717 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1
  <6>[   64.507617] type=1400 audit(1411432079.100:472): avc: denied { connectto } for pid=1659 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1

Change-Id: I1772912b2ca1446b822303ad6ea3154427f8331f

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45b)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d

1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582
Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7

Somehow net_domain(su) showed up twice in internal master.
Delete the duplicate line.

Change-Id: I15c102850946c30c2322d6d4edcf59407d430531