Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2

Because bootanimation uses the graphics mapper
HIDL service (which is always passthrough), it makes
a call to hwservicemanager to let it know it has
obtained a reference to it.

Bug: 35207188
Test: no more denials from bootanim
Change-Id: I99ea57a0d7777cb84eeaca26426ea38bf72ee933

Allow SurfaceFlinger to call into IComposer, and vice versa for
IComposerCallback.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

binder_call(..., surfaceflinger) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=binder permissive=1

allow ... gpu_device:chr_file rw_file_perms for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... graphics_device ... for
avc: denied { ioctl } for path="/dev/graphics/fb0" dev="tmpfs" ino=15121 ioctlcmd=5380 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hal_graphics_allocator_service:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:bootanim:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=fd permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 ioctlcmd=3e02 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1

allow bootanim ...:fd use for
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=11947 scontext=u:r:bootanim:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1

Bug: 32021609
Test: make bootimage
Change-Id: I036cdbebf0c619fef7559f294f1865f381b17588

Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Allow bootanim process to access audioserver service.

Bug: 31651778
Change-Id: I5bec8812877792b1df3b37dddc5ccea3b243f5c4

(cherry picked from commit ad5b4be3)

Required for using native audio in BootAnimation

Bug: 29055299
Change-Id: Ie75d35219be95a8dc697cc3c0384a4de90ea3478

Required for using native audio in BootAnimation

Bug: 29055299
Change-Id: Ie75d35219be95a8dc697cc3c0384a4de90ea3478

Allow /proc/meminfo to be read by bootanim. Not sure why
it's needed, but harmless enough.

Modify domain_deprecated so it doesn't use r_dir_file().
/proc/meminfo is neither a symlink nor a directory, so it doesn't
make sense to create allow rules for those classes of objects.

Addresses the following denial:

  avc: denied { read } for comm="BootAnimation" name="meminfo" dev="proc"
  ino=4026536593 scontext=u:r:bootanim:s0
  tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0

This denial is only showing up on flounder, flounder_lte, or
dragon devices. I'm not sure why.

Change-Id: I0f808bcae47fc2fda512cd147c3b44593835cac5

Was moved to domain_deprecated. Move back to domain.

Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.

Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53

Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1. Restore access to everyone.

Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.

Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.

Commit 4e2d2245 restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.

Addresses the following denials:

  avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
  avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
  avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
  avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec

Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

Remove domain_deprecated from bootanim. This removes some unnecessarily
permissive rules.

As part of this, re-allow access to cgroups, proc and sysfs, removed as
a result of removing domain_deprecated.

Bug: 25433265
Change-Id: I58658712666c719c8f5a39fe2076c4f6d166616c

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

Bug: 17674304

Change-Id: Ide32833809bca8d3ed8ddc898748e25d7a692319

Added read permissions for bootanimation

Bug: 16635599
Change-Id: Ib5d0ba5a6d1144ff831f4f0eda092879f853c376

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15

Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964

Address denials in devices that use /oem

Change-Id: I80b76bb58bab9b6c54d6550eb801664d82a4d403

Change-Id: I9d87c35cc8d4ffffab4f7c28f3d3d43f85b10123
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Leave the domain permissive initially until it gets more testing.

Change-Id: I9d88d76d1ffdc79a2eff4545d37a9e615482df50
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>