Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2

ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8

/proc/interrupts may be dumped by dumpstate HAL if required.

Bug: 36486169
Test: 'adb shell bugreport' on sailfish

Change-Id: Ifc41a516aeea846bc56b86b064bda555b43c58ed
Signed-off-by: Sandeep Patil <sspatil@google.com>

Now that the android wifi framework has fully switched over to HIDL,
remove the sepolicy permissions for accessing wpa_supplicant using
socket control interface.

While there, also removed the redundant |hwbinder_use|.

Bug: 35707797
Test: Device boots up and able to connect to wifi networks.
Test: Wifi integration tests passed.
Change-Id: I55e24b852558d1a905b189116879179d62bdc76c

Test: no neverallows triggered
Bug: 36494354
Change-Id: I52e21a9be5400027d4e96a8befdd4faaffb06a93

This is a follow-up to 93391686
which added both
hal_client_domain(cameraserver, hal_graphics_allocator) and
binder_call(cameraserver, hal_graphics_allocator). The latter
binder_call rule is no longer needed because it is automatically
granted by virtue of cameraserver being marked as a client of
Graphics Allocator HAL --
see 49274721.

Test: Take a photo (both HDR and conventional) using Google Camera
Test: Record video using Google Camera
Test: Record slow motion video using Google Camera
Test: No denials to do with cameraserver and hal_graphics_allocator*
Bug: 34170079
Change-Id: If93fe310fa62923b5107a7e78d158f6e4b4d0b3a

HALs are intended to be limited responsibility and thus limited
permission. In order to enforce this, place limitations on:
1. What processes may transition into a HAL - currently only init
2. What methods may be used to transition into a HAL - no using
   seclabel
3. When HALs exec - only allow exec with a domain transition.

Bug: 36376258
Test: Build aosp_marlin, aosp_bullhead, aosp_dragon. Neverallow rules
      are compile time assertions, so building is a sufficient test.

Change-Id: If4df19ced730324cf1079f7a86ceba7c71374131

All previous users of this macro have been switched to
hal_server_domain macro.

Test: no hal_impl_domain in system/sepolicy/ and device/**/sepolicy
Test: mmm system/sepolicy
Bug: 34170079
Change-Id: I4a71b3fd5046c0d215b056f1cae25fe6bda0fb45

Test: Google camera app snapshot/record/
      slow motion recording
Bug: 36383997
Change-Id: I565fb441aec529464474e0dd0e01dbfe0b167c82

This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.

Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).

Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow
      motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936

Every client of Graphics Allocator HAL needs permission to (Hw)Binder
IPC into the HAL.

Test: Device boots, no denials to do with hal_graphics_allocator
      (also, removing the binder_call(hal_graphics_allocator_client,
      hal_graphics_allocator_server) leads to denials)
Test: GUI works, YouTube works
Bug: 34170079

Change-Id: I5c64d966862a125994dab903c2eda5815e336a94

This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079

Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5

This patch fixes Gatekeeper HAL rules.

Bug: 34260418
Test: Device boots with gatekeeper_hal using hwbinder and
      gatekeeperd does not fall back to software.
Change-Id: I6aaacb08faaa7a90506ab569425dc525334c8171

This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf

The fix for b/35100237 surfaced this error. This SELinux policy
fragment was included only on Marlin, but needs to be included in core
policy.

Bug: 35100237
Test: With https://android-review.googlesource.com/#/c/354292/
Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin.
Test: Connect:
03-17 15:41:22.602  3809  3809 I mtpd    : Starting pppd (pppox = 9)
03-17 15:41:22.628  3811  3811 I pppd    : Using PPPoX (socket = 9)
03-17 15:41:22.637  3811  3811 I pppd    : pppd 2.4.7 started by vpn, uid 1016
03-17 15:41:22.639  3811  3811 I pppd    : Using interface ppp0
03-17 15:41:22.639  3811  3811 I pppd    : Connect: ppp0 <-->
03-17 15:41:22.770  3811  3811 I pppd    : CHAP authentication succeeded
03-17 15:41:22.909  3811  3811 I pppd    : MPPE 128-bit stateless compression enabled
03-17 15:41:23.065  3811  3811 I pppd    : local  IP address 172.16.36.113
03-17 15:41:23.065  3811  3811 I pppd    : remote IP address 172.16.36.1
03-17 15:41:23.065  3811  3811 I pppd    : primary   DNS address 8.8.8.8
03-17 15:41:23.065  3811  3811 I pppd    : secondary DNS address 91.239.100.100

Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927

Certain libraries may actually be links. Allow OTA dexopt to read
those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed

Allow getattr on links for otapreopt_slot. It reads links (to the
boot image oat files) when collecting the size of the artifacts
for logging purposes.

Bug: 30832951
Test: m
Change-Id: If97f7a77fc9bf334a4ce8a613c212ec2cfc4c581

This switches most remaining HALs to the _client/_server approach.
To unblock efforts blocked on majority of HALs having to use this
model, this change does not remove unnecessary rules from clients of
these HALs. That work will be performed in follow-up commits. This
commit only adds allow rules and thus does not break existing
functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except
  isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm
  waiting for update_engine folks to answer a couple of questions
  which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9

The secondary dex files are application dex files which gets reported
back to the framework when using BaseDexClassLoader.

Also, give dex2oat lock permissions as it needs to lock the profile
during compilation.

Example of SElinux denial:
03-15 12:38:46.967  7529  7529 I profman : type=1400 audit(0.0:225):
avc: denied { read } for
path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof"
dev="sda35" ino=877915 scontext=u:r:profman:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1

Test: adb shell cmd package bg-dexopt-job works for sercondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf

This change defines new policy for modprobe (/sbin/modprobe) that should
be used in both recovery and android mode.

Denials:
[   16.986440] c0    437 audit: type=1400 audit(6138546.943:5): avc:
denied  { read } for  pid=437 comm="modprobe" name="modules" dev="proc"
ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986521] c0    437 audit: type=1400 audit(6138546.943:6): avc:
denied  { open } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986544] c0    437 audit: type=1400 audit(6138546.943:7): avc:
denied  { getattr } for  pid=437 comm="modprobe" path="/proc/modules"
dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0
tcontext=u:object_r:proc:s0 tclass=file permissive=1

Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is
invoked in init.rc (at the end of 'on init') with following command line

    exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl

Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa

bufferhubd should be able to use sync fence fd from mediacodec; and
mediacodec should be able to use a gralloc buffer fd from the bufferhubd.

Bug: 32213311
Test: Ran exoplayer_demo and verify mediacodec can plumb buffer through
bufferhub.

Change-Id: Id175827c56c33890ecce33865b0b1167d872fc56

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446

Allow run-as to transmit unix_stream_sockets from the shell user to
Android apps. This is needed for Android Studio's profiling tool to
allow communcation between apps and debugging tools which run as the
shell user.

Bug: 35672396
Test: Functionality was tested by shukang
Test: policy compiles.
Change-Id: I2cc2e4cd5b9071cbc7d6f6b5b0b71595fecb455e

This switches Sensors HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Sensors HAL.

Domains which are clients of Sensors HAL, such as system_server, are
granted rules targeting hal_sensors only when the Sensors HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_sensors are
not granted to client domains.

Domains which offer a binderized implementation of Sensors HAL, such
as hal_sensors_default domain, are always granted rules targeting
hal_sensors.

P. S. This commit also removes
  allow system_server sensors_device:chr_file rw_file_perms
because this is device-specific and thus not needed in device-agnostic
policy. The device-specific policy of the affected devices already has
this rule.

Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice
      lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors
      and that the app can register to listen for updates for sensors
      and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668

Only audio HAL may access audio driver.
Only camera HAL may access camera driver.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625
Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3

Only HALs that manage networks need network capabilities and network
sockets.

Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow
      rules are compile time assertions and do not change the
      on-device policy.
Bug: 36185625

Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df

Allows the following denials:
     avc: denied { use } for pid=9099 comm="mediacodec" path="/data/tombstones/tombstone_08" dev="sda35" ino=877473 scontext=u:r:mediacodec:s0 tcontext=u:r:tombstoned:s0 tclass=fd permissive=1
     avc: denied { append } for pid=9099 comm="mediacodec" path="/data/tombstones/tombstone_08" dev="sda35" ino=877473 scontext=u:r:mediacodec:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file permissive=1

Bug: http://b/36156624
Test: killall -ABRT media.codec
Test: killall -ABRT media.extractor
Change-Id: I3dde1879b44e3e63c747a3ff8dd4bf213cb8afb6

The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 36074936
Test: check contents of 'adb shell dumpsys media.audio_flinger'
      on -userdebug builds

Change-Id: Ie2bec95c6b73c6f10941e2b0a95a25d6a7a6e4c1

Let mediacodec and mediaextractor talk directly to tombstoned to
generate tombstones/ANR traces.

Bug: http://b/35858739
Test: debuggerd -b `pidof media.codec`
Change-Id: I091be946d58907c5aa7a2fe23995597638adc896

perf_event_max_sample_rate is needed to be read for native profiling,
otherwise CTS test can fail on devices with kernel >= 4.4. Before this CL,
the file is not readable from untrusted_app domain. This CL makes it readable
from both shell domain and untrusted_app domain.

Bug: http://b/35554543
Test: build and test on marlin.
Change-Id: Id118e06e3c800b70a749ab112e07a4ec24bb5975

We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62

Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ed) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615

Bug: 35979722
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Test: no more avc errors on debugfs
Change-Id: I91d98428aaec915b3206535559a0c096e6de1603

We need more time to investigate the effect that this change will
have on DRM solutions. Until the investigation is done, revert.

This reverts commit 38d3eca0.

Bug: 30146890
Bug: 20013628
Bug: 35323421
Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16
Test: policy compiles.

Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d

Drop support for execmod (aka text relocations) for newer API versions.
Retain it for older app APIs versions.

Bug: 30146890
Bug: 20013628
Bug: 35323421
Test: policy compiles.
Change-Id: Ie54fdb385e9c4bb997ad6fcb6cff74f7e32927bb

Fix restorecon failue on second call

Bug: 35803475
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Change-Id: Ia5496fcba031616297fa0a4c0f45e3ece0b4d662

Label /proc/misc and allow access to untrusted_apps targeting older API
versions, as well as update_engine_common.

/proc/misc is used by some banking apps to try to detect if they are
running in an emulated environment.

TODO: Remove access to proc:file from update_engine_common after more
testing.

Bug: 35917228
Test: Device boots and no new denials.
Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75

Addresses:
denied { getattr } for pid=155 comm="keystore" path="/vendor"
dev="mmcblk0p6" ino=1527 scontext=u:r:keystore:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

On devices without an actual vendor image, /vendor is a symlink to
/system/vendor. When loading a library from this symlinked vendor,
the linker uses resolve_paths() resulting in an lstat(). This
generates an selinux denial. Allow this lstat() so that paths can
be resolved on devices without a real vendor image.

Bug: 35946056
Test: sailfish builds
Change-Id: Ifae11bc7039047e2ac2b7eb4fbcce8ac4580799f

The new wifi HAL manages the wlan driver and hence needs to be able to
load/unload the driver. The "wlan.driver.status" is used to indicate the
state of the driver to the rest of the system. There are .rc scripts for
example which wait for the state of this property.

Denials:
03-01 13:31:43.394   476   476 W android.hardwar: type=1400
audit(0.0:7243): avc: denied { read } for name="u:object_r:wifi_prop:s0"
dev="tmpfs" ino=10578 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=0
03-01 13:31:43.399   476   476 E libc    : Access denied finding
property "wlan.driver.status"

Bug: 35765841
Test: Denials no longer seen
Change-Id: I502494af7140864934038ef51cb0326ba3902c63