Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

No "granted" messages for the removed permissions observed in three
months of log audits.

Bug: 28760354
Change-Id: I2b45284893e150575992befeef48e1bd53a2fba2

Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.

Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

No obvious denials on flounder, the only device where swap
is used.

Change-Id: I5747ad2fd267cb71cbc1f69ffaec6b1e7db9ec1f

needed to get to the swap device.

Addresses the following denial:

  avc:  denied  { search } for  pid=149 comm="mkswap" name="block" dev="tmpfs" ino=9947 scontext=u:r:toolbox:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0

Change-Id: I0c897540f1c7950738622a013121a050a1f32b2f

Addresses the following denials:

  avc:  denied  { getattr } for  pid=148 comm="mkswap" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:toolbox:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
  avc:  denied  { ioctl } for  pid=148 comm="mkswap" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:toolbox:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1

Change-Id: I88c88493cd5f523b5b26a8028b421b3565aa5751

Remove the ability of init to execute programs from / or /system
without changing domains.  This forces all helper programs and
services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs
executed from the fs_mgr library by init.  This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system.  We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices.  As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain.  This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>