  1. Apr 13, 2016
      Restore /mnt/sdcard symlink read access · e3151bd1
      Nick Kralevich authored
      Allow adbd and app domains to read the symlink at /mnt/sdcard.
      This symlink was supposed to have been removed in the Gingerbread
      time frame, but lives on.
      
      Read access for this symlink was removed from adbd and the shell user in
      8ca19368, and from untrusted_app in
      cbf7ba18.
      
      Addresses the following denials:
      
        avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
        avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
      
      Bug: 25801877
      Bug: 28108983
      Change-Id: Ia31cd8b53c9c3a5b7d11be42c2fde170f96affb0
      e3151bd1
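
The two denials quoted in this commit message can be reduced to candidate allow rules, similar to what audit2allow produces. The sketch below is an added example, not part of the commit or the policy tree, and its function names are hypothetical; it also decodes the hex-encoded `comm` field, which the audit subsystem emits when a process name contains a space.

```python
import re
from collections import defaultdict

# Denial lines copied from the commit message above.
DENIALS = [
    'avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0',
    'avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0',
]

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_string(value):
    """Audit quotes plain strings and hex-encodes ones containing spaces or
    control characters; return the readable form of either."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_denial(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    rec = {
        "perms": m.group(1).split(),
        # Contexts are user:role:type:level; the type is what policy rules name.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }
    if "comm" in fields:
        rec["comm"] = decode_audit_string(fields["comm"])
    return rec


def candidate_rules(lines):
    """Merge denials per (source, target, class) into candidate allow rules."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_denial, lines)):
        merged[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

A candidate rule is a starting point for review; whether it belongs in policy still has to be checked against the neverallow rules.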
  2. Apr 12, 2016
  3. Apr 11, 2016
      Allow all apps to discover contexthub_service · 7df44d82
      Peng Xu authored
      This allows system app, regular app as well as test app to access
      ContextHubManager API. Additional "signature|privileged" permission
      requirement (LOCATION_HARDWARE) still exists to prevent security
      issues, misuse and abuse.
      
      Change-Id: I47f3d243a3de7f1202c933fc715a935c43cf319b
      7df44d82
  4. Apr 09, 2016
      Allow postinstall_file to be an entrypoint. · ac52f460
      Alex Deymo authored
      postinstall_file was an exec_type so it could be an entrypoint for the
      domain_auto_trans from update_engine domain to postinstall domain. This
      patch removes the exec_type from postinstall_file and exempts it from
      the neverallow rule to become an entrypoint.
      
      Bug: 28008031
      TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.
      
      (cherry picked from commit a9671c6b)
      
      Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c
      ac52f460
  5. Apr 08, 2016
  6. Apr 07, 2016
  7. Apr 06, 2016
      Update selinux policy for VrManager AIDL. · 743969ba
      Ruben Brunk authored
      Bug: 27884853
      Change-Id: I097306a324bdc25c5d22868f0342e175ce0dbb9a
      743969ba
      Expand bluetooth access to media_rw_data_file for now. · 4a0c8036
      Daniel Rosenberg authored
      With sdcardfs, we no longer have a separate sdcardd acting as
      an intermediate between the outside world and /data/media.
      Unless we modify sdcardfs to change contexts, we need these.
      
      Remove this patch if sdcardfs is updated to change the
      secontext of fs accesses.
      
      Bug: 28040634
      
      Change-Id: I492c87e9f232c57f43abd09b7864b52847bc3555
      4a0c8036
      Allow system_server to execute timeout. · 75b25dd1
      Jeff Sharkey authored
      We've seen evidence that the logcat binary can end up wedged, which
      means we can eventually starve system_server for FDs.  To mitigate
      this, wrap logcat using the timeout utility to kill and clean up if
      it takes too long to exit.
      
      avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
      avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
      avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
      
      Bug: 27994717, 28021719, 28009200
      Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee
      75b25dd1
  8. Apr 05, 2016
      Allow search/getattr access to media_rw_data_file for now. · b80bdef0
      Daniel Rosenberg authored
      With sdcardfs, we no longer have a separate sdcardd acting as
      an intermediate between the outside world and /data/media.
      Unless we modify sdcardfs to change contexts, we need these.
      Added for: system_server, dumpstate, and bluetooth
      
      Remove this patch if sdcardfs is updated to change the
      secontext of fs accesses.
      
      Bug: 27932396
      Change-Id: I294cfe23269b7959586252250f5527f13e60529b
      b80bdef0
  9. Apr 02, 2016
  10. Apr 01, 2016
      dumpstate: access /data/misc/logd · 3ea709be
      Mark Salyzyn authored
      (cherry pick from commit 74541338)
      
      Bug: 27965066
      Change-Id: Ia0690c544876e209e4c080b0e959f763b731c48a
      3ea709be
      refine /data/misc/logd rules · 8a8770cd
      Nick Kralevich authored
      (cherry pick from commit 6937aa93)
      
      Followup to 121f5bfd.
      
      Move misc_logd_file neverallow rule from domain.te to logd.te,
      since the goal of the neverallow rule is to protect logd / logpersist
      files from other processes.
      
      Switch the misc_logd_file neverallow rule from using "rw_file_perms"
      to "no_rw_file_perms". The latter covers more cases of file
      modifications.
      
      Add more neverallow rules covering misc_logd_file directories.
      
      Instead of using not_userdebug_nor_eng(), modify the rules to be
      consistent with other highly constrained file types such as
      keystore_data_file or vold_data_file. See, for example,
      https://android-review.googlesource.com/144768
      
      To see the net effect of this change, you can use the following
      command line:
      
        sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
        out/target/product/bullhead/root/sepolicy
      
      Before this change:
      
        # userdebug builds
        allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
        allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
        allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
        allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
        allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
        allow shell misc_logd_file:dir { search read lock getattr ioctl open };
        allow shell misc_logd_file:file { read lock ioctl open getattr };
      
        # user builds
        allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
        allow init misc_logd_file:file relabelto;
        allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
      
      After this change:
      
        # userdebug builds
        allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
        allow init misc_logd_file:file { relabelto getattr };
        allow init misc_logd_file:lnk_file relabelto;
        allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
        allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
        allow shell misc_logd_file:dir { search read lock getattr ioctl open };
        allow shell misc_logd_file:file { read lock ioctl open getattr };
      
        # user builds
        allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
        allow init misc_logd_file:file { relabelto getattr };
        allow init misc_logd_file:lnk_file relabelto;
      
      Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
      Bug: 27965066
      8a8770cd
      Define gpu_service and allow surfaceflinger to provide it · 59970a4e
      Jesse Hall authored
      Bug: 26620936 and 27352427
      Change-Id: I3d6d2e479d95133693790a97827e45e9dd30bc4a
      59970a4e
  11. Mar 31, 2016
      Allow mediadrmservice to access processinfo · a6ae3312
      Jeff Tinker authored
      Needed to support session reclaiming
      
      bug: 27916039
      Change-Id: I464e6db5b9bc4e83f85cb4623eeca340e1efd603
      a6ae3312
      bootanim: allow /proc/meminfo read · 7a35c136
      Nick Kralevich authored
      Allow /proc/meminfo to be read by bootanim. Not sure why
      it's needed, but harmless enough.
      
      Modify domain_deprecated so it doesn't use r_dir_file().
      /proc/meminfo is neither a symlink nor a directory, so it doesn't
      make sense to create allow rules for those classes of objects.
      
      Addresses the following denial:
      
        avc: denied { read } for comm="BootAnimation" name="meminfo" dev="proc"
        ino=4026536593 scontext=u:r:bootanim:s0
        tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0
      
      This denial is only showing up on flounder, flounder_lte, or
      dragon devices. I'm not sure why.
      
      Change-Id: I0f808bcae47fc2fda512cd147c3b44593835cac5
      7a35c136
      Allow access to media_rw_data_file for now. · d25d57a3
      Daniel Rosenberg authored
      With sdcardfs, we no longer have a separate sdcardd acting as
      an intermediate between the outside world and /data/media.
      Unless we modify sdcardfs to change contexts, we need these.
      Added for: adbd, kernel, mediaserver, and shell
      
      Remove this patch if sdcardfs is updated to change the
      secontext of fs accesses.
      
      Bug: 27915475
      Bug: 27937873
      
      Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
      d25d57a3
      Allow shell and adbd access to media_rw_data_file for now. · bb90999e
      Daniel Rosenberg authored
      With sdcardfs, we no longer have a separate sdcardd acting as
      an intermediate between the outside world and /data/media.
      Unless we modify sdcardfs to change contexts, we need these.
      
      Remove this patch if sdcardfs is updated to change the
      secontext of fs accesses.
      
      Bug: 27925072
      Change-Id: I3ad37c0f12836249c83042bdc1111b6360f22b3c
      bb90999e
  12. Mar 30, 2016
  13. Mar 29, 2016
      Add mlstrustedobject to appfuse object type. · f19fb0c9
      Daichi Hirono authored
      To write bytes to appfuse file from priv_app, we need to specify
      mlstrustedobject.
      The CL fixes the following denial.
      
      type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
      
      BUG=23093747
      
      (cherry picked from commit 4d19f98c)
      
      Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
      f19fb0c9
  14. Mar 28, 2016
      Give dex2oat getattr rights on profiles · f51c0548
      Calin Juravle authored
      Similar to profman, dex2oat does more checks on profiles now.
      It needs to be able to do stat to test for existence and non-emptiness.
      
      03-28 10:41:06.667  8611  8611 W dex2oat : type=1400 audit(0.0:129):
      avc: denied { getattr } for
      path="/data/misc/profiles/ref/com.google.android.apps.magazines/primary.prof"
      dev="dm-0" ino=636928 scontext=u:r:dex2oat:s0
      tcontext=u:object_r:user_profile_data_file:s0 tclass=file permissive=0
      
      Bug: 27860201
      Change-Id: I3a7cb396596ae28a375ea98224ada29f093f475e
      f51c0548
      Give profman getattr rights on profiles. · 070f5625
      Calin Juravle authored
      We do a bit more work checks in the runtime for the profiles and call
      stat on the files to see if they exist and are not empty.
      
      SELinux error
      [  297.842210] type=1400 audit(1459106986.097:7): avc: denied { getattr
      } for pid=4504 comm="profman"
      path="/data/misc/profiles/cur/0/com.google.android.youtube/primary.prof"
      dev="dm-1" ino=636936 scontext=u:r:profman:s0
      tcontext=u:object_r:user_profile_data_file:s0:c512,c768 tclass=file
      permissive=0
      
      Bug: 27860201
      Change-Id: Ic97882e6057a4b5c3a16089b9b99b64bc1a3cd98
      070f5625
  15. Mar 25, 2016