Bug: 112940221
Test: AHardwareBufferTest
Change-Id: I1fd065844e03c7e079dc40b7f7dbb8968f1b00bc

There are multiple trusted system components which may be responsible
for creating executable code within an application's home directory.
Renderscript is just one of those trusted components.

Generalize rs_data_file to app_exec_data_file. This label is intended to
be used for any executable code created by trusted components placed
into an application's home directory.

Introduce a typealias statement to ensure files with the previous label
continue to be understood by policy.

This change is effectively a no-op, as it just renames a type, but
neither adds or removes any rules.

Bug: 121375718
Bug: 112357170
Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases
Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0

Add the required permissions for the InputClassifier HAL.

Bug: 62940136
Test: no selinux denials in logcat when HAL is used inside input flinger.
Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76

This reverts commit b3624743.

Reason for revert:

android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures.

Bug: 121333210
Bug: 112357170
Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74
Test: compiles and boots

Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
uneffected by this change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4

When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3

Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP.

Bug: 111185513
Bug: 120551881
Test: make
Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0

This includes the SELinux policy changes to allow for
kcov access in userdebug builds for coverage-guided
kernel fuzzing.

Bug: 117990869

Test: Ran syzkaller with Android untrusted_app sandbox with coverage.
Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09

Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5

1b1d133b added the process2 class but
forgot to suppress SELinux denials associated with these permissions
for the su domain. Suppress them.

Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule
in su.te is relevant. Inspired by
https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02

Add xdp_socket to various other neverallow rules.

Test: policy compiles.
Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7

Commit 619c1ef2 ("tun_device: enforce
ioctl restrictions") completely removed the ability of untrusted apps to
issue ioctl calls to tun_device. It turns out that this was too
aggressive. Wireshark apparently uses the TUNGETIFF ioctl.

Fixes the following denial:

audit(0.0:384744): avc: denied { ioctl } for comm=4173796E635461736B202332 path="/dev/tun" dev="tmpfs" ino=19560 ioctlcmd=54d2 scontext=u:r:untrusted_app:s0:c51,c257,c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=1 app=com.wireguard.android

Test: policy compiles.
Change-Id: I71bb494036ea692781c00af37580748ab39d1332

Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.

Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5

This reverts commit 15d1a12f.

Bug: 118737210
Bug: 112357170
Test: boot marlin
Change-Id: Idcfab04b48f843eead4efa9f58a1337c6685c6ca

Require all SELinux domains which have permission to perform ioctls on
/dev/tun explicitly specify what ioctls they perform. Only allow the
safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways
to set and unset the O_CLOEXEC flag.

Remove app's ability to issue *any* ioctls on /dev/tun, period. Add
neverallow assertions (compile time assertion + CTS test) to prevent
regressions.

Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX,
FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination
shows that only TUNGETIFF and TUNSETIFF are used by system_server.

The goal of this change is to put SELinux ioctl controls in place for
/dev/tun, so we don't have to maintain the custom kernel patch at
https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21

Delete the neverallow assertion in isolated_app.te. This is already
covered by the assertion present in app_neverallows.te.

Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45

This reverts commit 0dd738d8.

Reason for revert: CtsSimpleperfTestCases CTS test case failures.
See b/118704604 for details.

Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b

untrusted_app: Remove the ability to run execve() on files within an
application's home directory. Executing code from a writable /home
directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX).
Additionally, loading code from application home directories violates a
security requirement that all executable code mapped into memory must
come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code
through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor
from the app's home directory. In particular, functionality like
dlopen() on files in an app's home directory continues to work even
after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility,
continue to allow these domains to execve() files from the
application's home directory.

seapp_contexts: Bump the minimum API level required to enter the
untrusted_app domain. This will run API level 27-28 processes in
the API level 27 sandbox. API level 28 will continue to run with
levelFrom=all, and API level 27 will continue to run with
levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0

BUG: 117424656
BUG: 111185513
Test: run vts -m VtsHalPowerStatsV1_0Target

Change-Id: Icb0790219df4189c0dabbe41221e69e56d000755

What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25e.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a

This reverts commit 9899568f.

Reason for revert: Reports of high numbers of SELinux denials
showing up on the SELinux dashboard.

Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0

What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b

Bug: 111098596
Test: atrace/systrace

(cherry picked from commit 9ed5cf6e)

Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0

Bug: 111098596
Test: atrace/systrace
Change-Id: I06ca76750d640c98849c475c8a237d62c8e582b9

Access is deprecated for apps with targetSdkVersion=26+.

Test: build (neverallow rules are build time assertions)
Change-Id: I36480c38d45cf6bfb75f4988ffcefefc6b62d4b1

DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e

Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
(cherry picked from commit 7abca51d)

As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 ,
the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6

Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837

Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e

This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861
(cherry picked from commit c6afcb7f)

This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861

Grant access to icmp_socket to netdomain. This was previously
labeled as rawip_socket which apps are allowed to use. Neverallow
all other new socket types for apps.

Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
to icmp_socket. To pass neverallow tests, we need to define
which IOCTLs are allowed (and disallowed).

Note that this does not change behavior on devices with
kernel versions <=4.9. However, it is necessary (although not
sufficient) to pass CTS on kernel version 4.14.

Bug: 110520616
Test: Grant icmp_socket in net.te and build.
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803

init, dumpstate and shell

Test: check avc for init is now gone
Bug: 7232205
Bug: 109821005
Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5

(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be28894)

Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9)

Access to these files was removed in Oreo. Enforce that access is not
granted by partners via neverallow rule.

Also disallow most untrusted app access to net.dns.* properties.

Bug: 77225170
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
(cherry picked from commit 886aa54b)

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73