sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e

Apps, shell and adbd should all have identical access to external
storage.  Also document where we have files and/or symlinks.

Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe

Change-Id: Ia279dfd11cc093e066bff66d7397dfe9e906aba8

avc: denied { read } for name="primary" dev="tmpfs" ino=3134 scontext=u:r:shell:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file

Change-Id: Id0ed2297a89054199fc73f27b18f717ae19c6778

Needed since Iff1e601e1268d4d77f64788d733789a2d2cd18cc removed it
from appdomain.

Change-Id: I9fc08b525b9868f0fb703b99b0c0c17ca8b656f9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602

allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>

dumpsys from shell results in many denials:
11-08 02:52:13.087   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.089   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.093   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.103   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.104   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.118   171   171 E SELinux : avc:  denied  { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
11-08 02:52:13.130   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.379   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.388   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.574   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.576   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Bug: 18799966
Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc

Grant shell read access to /proc taken away by
commit: 0d3f7ddc

Addresses the following denials encountered when running ps or top.

Bug: 18799966
Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

Used to record the Android log messages, then on reboot
provide a means to triage user-space actitivies leading
up to a panic. A companion to the pstore console logs.

Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f

Addresses the following denials:
avc:  denied  { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
avc:  denied  { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Bug: 18864737
Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4

Shell domain needs to be able to access system_server_services, e.g.
when running the pm command. Addresses the following denials:

10-07 00:59:26.901   178   178 E SELinux : avc:  denied  { find } for service=user scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
10-07 00:59:26.903   178   178 E SELinux : avc:  denied  { find } for service=package scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

Change-Id: I4cc2f31809a2615ba781e2ecfe2ca7d6f5226b73

Bug: 18485243

(cherry picked from commit fc6214bf)

Change-Id: I1b9e2705383bd0a3bae75b35906110e490f8785d

Bug: 18485243
Change-Id: Ic17baa0767ee1f1a27a3338558b86482ca92765e

As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
avc: denied { read } for pid=16758 comm="getevent" name="input" dev="tmpfs" ino=6018 scontext=u:r:shell:s0 tcontext=u:object_r:input_device:s0 tclass=dir

Change-Id: I709bd20a03a5271382b191393d55a34b0b8e4e0c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh.  So they originally
shared a common set of rules.  Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc.  Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc).  The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command.  And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.

Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te.  init_shell was an unconfined_domain(),
so it loses nothing from this change.  Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.

Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The shell user needs to be able to run commands like
"cat /data/anr/traces.txt". Allow it.

We also need to be able to pull the file via adb.
"adb pull /data/anr/traces.txt". Allow it.

Addresses the following denials:

<4>[   20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 15450720

(cherry picked from commit 4fd4a205)

Change-Id: Ide6f62183a1c6e2af4cbe84bb0ebb928cd8e63b7

The shell user needs to be able to run commands like
"cat /data/anr/traces.txt". Allow it.

We also need to be able to pull the file via adb.
"adb pull /data/anr/traces.txt". Allow it.

Addresses the following denials:

<4>[   20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 15450720
Change-Id: I767102a7182895112838559b0ade1cd7c14459ab

Bug: 13464830

Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d

init_shell domain is now only used for shell commands or scripts
invoked by init*.rc files, never for an interactive shell.  It
was being used for console service for a while but console service
is now assigned shell domain via seclabel in init.rc.  We may want
to reconsider the shelldomain rules for init_shell and whether they
are still appropriate.

shell domain is now used by both adb shell and console service, both
of which also run in the shell UID.

su domain is now used not only for /system/bin/su but also for
adbd and its descendants after an adb root is performed.

Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Id1eb5f7524181aaa17d0ce26219167a5b05cfd4f

Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0

ping in Android no longer requires any additional privileges beyond
the caller.  Drop the ping domain and executable file type entirely.

Also add net_domain() to shell domain so that it can create and
use network sockets.

Change-Id: If51734abe572aecf8f510f1a55782159222e5a67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g.  console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.

Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Some file types used as domain entrypoints were missing the
exec_type attribute.  Add it and add a neverallow rule to
keep it that way.

Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

"init_shell" is used for shell processes spawned by init.

Change-Id: I9e35d485bac91f3d0e4f3704acdbb9af7d617173

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This reverts commit ba84bf1d

Hidden dependency resolved.

Change-Id: I9f0844f643abfda8405db2c722a36c847882c392

This reverts commit 8a814a76

Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad

Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5

In normal, user builds, shell doesn't have the required
DAC permissions to acess the kernel log.

Change-Id: I001e6d65f508e07671bdb71ca2c0e1d53bc5b970

Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I06ea2b400cc826c684b6ad25e12b021c2667b48a