/data/media presently is left in system_data_file, which requires
anything that wants to write to it to be able to write to system_data_file.
Introduce a new type for /data/media, media_rw_data_file (to match
the media_rw UID assigned to it and distinguish it from /data/misc/media
which has media UID and media_data_file type), and allow access to it.

We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted
to signature|system.  We should not have to allow it to untrusted_app.

Set up type transitions in sdcardd to automatically label any directories
or files it creates with the new type.

Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

In 61dc3507, I forgot to allow
system_server to run getopt/getattr on the zygote socket.

Bug: 12061011
Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6

The closure of /dev/socket/zygote occurs in the zygote child
process, after Zygote has dropped privileges and changed
SELinux domains. In Google's internal tree, socket closures
are following a different path, which is causing getopt/getattr
to be used on the file descriptor. This is generating a large
number of denials.

Allow the operations for now. getopt/getattr are fairly harmless.
Long term, we shouldn't be performing these operations on the
zygote socket.

Addresses the following denials:

18.352783   type=1400 audit(1386374111.043:7): avc:  denied  { getattr } for  pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.353088   type=1400 audit(1386374111.043:8): avc:  denied  { getopt } for  pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833251   type=1400 audit(1386374111.524:9): avc:  denied  { getattr } for  pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833557   type=1400 audit(1386374111.524:10): avc:  denied  { getopt } for  pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042419   type=1400 audit(1386374111.734:11): avc:  denied  { getattr } for  pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042724   type=1400 audit(1386374111.734:12): avc:  denied  { getopt } for  pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.182830   type=1400 audit(1386374111.874:14): avc:  denied  { getattr } for  pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.183105   type=1400 audit(1386374111.874:15): avc:  denied  { getopt } for  pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.235473   type=1400 audit(1386374111.924:16): avc:  denied  { getattr } for  pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12061011
Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9

Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd

Add a placeholder domain for inputflinger.
Mark it initially unconfined and enforcing.

Change-Id: I433fd9e1954486136cb8abb084b4e19bb7fc2f19

This addresses the review comments from
https://android-review.googlesource.com/#/c/69855/

Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f

And allow any SELinux domain to read these timezone
related files.

Addresses the following denial:
<5>[    4.746399] type=1400 audit(3430294.470:7): avc:  denied  { open } for  pid=197 comm="time_daemon" name="tzdata" dev="mmcblk0p28" ino=618992 scontext=u:r:time:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Iff32465e62729d7aad8c79607848d89ce0aede86

Alphabetize the entries for the /data/misc subdirectories.

Change-Id: I3690085cbb99c225545545668dedd66341a14edb

Change-Id: I9d87c35cc8d4ffffab4f7c28f3d3d43f85b10123
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Leave the domain permissive initially until it gets more testing.

Change-Id: I9d88d76d1ffdc79a2eff4545d37a9e615482df50
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses the following denials:

<5>[  170.166218] type=1400 audit(1386789488.029:57): avc:  denied  { getattr } for  pid=4352 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166356] type=1400 audit(1386789488.029:58): avc:  denied  { execute } for  pid=4352 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166841] type=1400 audit(1386789488.029:59): avc:  denied  { read open } for  pid=4389 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file
<5>[  170.166962] type=1400 audit(1386789488.029:60): avc:  denied  { execute_no_trans } for  pid=4389 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file

Change-Id: Ic175ef7392897a3941c36db67dfa59ded35204b5

Settings > Developer Options > Profile GPU Rendering was broken,
as it couldn't set a debug.* system property.

In addition, system_app wasn't allowed to access init's property_service socket.

Both fixed.

In addition, allow system_app to write to radio_prop.

Fixes the following denials:

<5>[  170.769658] type=1400 audit(1386722177.029:57): avc:  denied  { write } for  pid=4142 comm="ndroid.settings" name="property_service" dev="tmpfs" ino=7457 scontext=u:r:system_app:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
<4>[  170.770064] avc:  denied  { set } for property=debug.hwui.overdraw scontext=u:r:system_app:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<3>[  170.770148] init: sys_prop: permission denied uid:1000  name:debug.hwui.overdraw

Bug: 12037026
Change-Id: I5e879ab339e68e9e4715266fc8a698ab6ad5756e

Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I4b3dda1d08e8bfc523493f4b8d79a4cc3e7e7787
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Label /proc/sys/vm/mmap_min_addr with proc_security to prevent
writing it by any domain other than init.  Also remove memprotect
mmap_zero permission from unconfineddomain so that it cannot pass
the SELinux check over mapping low memory.

Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow apps to communicate with each other via pipes.
In particular, this fixes a bug where printing from Chrome wasn't
working.

  STEPS TO REPRODUCE:
  1. Launch Chrome
  2. From menu tap print and observe
        OR
  1. Launch Drive, Select any file (*.txt, *.doc. *.pdf.........)
  2. Select print

Addresses the following denials:

<5>[  122.352797] type=1400 audit(1386363998.374:18): avc:  denied  { write } for  pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248363] type=1400 audit(1386363999.264:19): avc:  denied  { getattr } for  pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248620] type=1400 audit(1386363999.264:20): avc:  denied  { write } for  pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file

Bug: 12032455
Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c

* commit 'fea6e66f':
  Allow kernel domain, not init domain, to set SELinux enforcing mode.

As per the discussion in:
https://android-review.googlesource.com/#/c/71184/



init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '9e8b8d9f':
  Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."

The build is broken. Reverting temporarily to fix breakage.

libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....


This reverts commit bf12e225.

Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85

* commit 'bf12e225':
  Allow kernel domain, not init domain, to set SELinux enforcing mode.

As per the discussion in:
https://android-review.googlesource.com/#/c/71184/



init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '2b392fcc':
  Move lmkd into it's own domain.

* commit '7adb999e':
  Restrict the ability to set usermodehelpers and proc security settings.

lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon
called lmkd.  ActivityManager communicates with this daemon over a
named socket.

This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10

Change-Id: I5db2b0897aa43ccefad51b1b7fcfd0d643249384
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>