- Oct 10, 2018

Nick Kralevich authored
Remove kernel attack surface associated with ioctls on plain files. In particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of entities. However, it's straightforward enough to turn on ioctl whitelisting for everything, so we choose to do so.
Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2

Nick Kralevich authored
This reverts commit 9899568f.
Reason for revert: Reports of high numbers of SELinux denials showing up on the SELinux dashboard.
Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0

- Oct 09, 2018

Tri Vo authored
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b

Nick Kralevich authored
Test: policy compiles
Change-Id: I855ce7c706ebf11de8376b9f97b706d97419db4b

Nick Kralevich authored
Test: policy compiles.
Change-Id: Icda25a34ce61c28fa2399a1f1f44c9ef7ba44745

Nick Kralevich authored
Sort file by ioctl name. This will make it hopefully easier to find entries.
Alternatives considered: sorting file by ioctl value. This has the advantage that it's easier to map an SELinux ioctlcmd= avc message into a variable name, but would otherwise make this file harder to read.
Test: policy compiles.
Change-Id: I09b1dd4c055446f73185b90c4de5f3cdd98eb4b7

jinhee0207.jo authored
1. "Add sepolicy labeling of wifi.concurrent.interface" in property_contexts. wlan1 interface is added first in Pie OS. And wlan1 interface has getIfaceName by property_get in wifi_chip.cpp. (/hardware/interface/wifi/1.2/default/wifi_chip.cpp) But there is no sepolicy about this interface. wlan0 and p2p0 are definitely specified. So, if we try to use wlan1, a native sepolicy violation occurs. This is why this labeling is necessary.
2. wlan1: Property labeling same as wlan0 or p2p0.
wifi.interface u:object_r:exported_default_prop:s0 exact string
Test: Basic Sanity - Verified tethering by using wlan1
Bug: 117302656
Change-Id: I24194bca7176e1927164228e6571870531a9bc56
Signed-off-by: Jinhee Jo <jinhee0207.jo@lge.com>

- Oct 08, 2018

Igor Murashkin authored
This daemon is very locked down. Only system_server can access it.
Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f

Howard Ro authored
We plan on migrating MetricsLogger to write to statsd socket. So we need to allow zygote, which writes to logd using MetricsLogger, to also be able to write to statsd. We also relocate some sepolicies to write to statsd socket in their respective policy definitions.
Bug: 110537511
Test: no failure/violations observed
Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc

Tri Vo authored
Bug: 117178352
Test: no denials to /system/asan.options on asan walleye
Change-Id: I6042693afb926a22a3e2be79bd2a7ba062806143

Mark Salyzyn authored
A default set of options is available, but can be overridden in an fstab overlay entry with upperdir=, lowerdir= to the same mount point, workdir=. The default is a valid /mnt/scratch/overlay/ or /cache/overlay/ directory, with .../<mount_point>/upper and .../<mount_point>/work, associated with each system partition <mount_point>.
Test: manual
Bug: 109821005
Change-Id: I5662c01fad17d105665be065f6dcd7c3fdc40d95

- Oct 07, 2018

Tri Vo authored
Addresses this denial:
avc: denied { read } for comm="rild" name="u:object_r:system_prop:s0" dev="tmpfs" ino=15811 scontext=u:r:rild:s0 tcontext=u:object_r:system_prop:s0 tclass=file permissive=0
Fixes: 77960261
Test: m selinux_policy
Change-Id: I341675a4cfc0acbb7ea98e2ed4bdb7f69afe09f7

- Oct 06, 2018

Tri Vo authored
This property is GMS-specific. It should be set from either /system or /product. After this change ro.com.google.clientidbase will have default_prop type and will only be settable from an .rc file. This property now must be set from system or product images. In case of a system-only OTA, the old vendor.img might attempt to set this property. This will trigger a denial which is innocuous since the new system.img will correctly set the property.
Bug: 117348096
Test: walleye can still set ro.com.google.clientidbase
Change-Id: Id0873baecacb4168415b1598c35af1ecbb411e17

- Oct 05, 2018

Joel Galenson authored
This fixes a build breakage.
Test: Build policy.
Change-Id: Id5209a2bd6446ac6dd744b7426f540bc1a8641ed

- Oct 04, 2018

Christine Franks authored
Bug: 111215474
Test: boots
Change-Id: Ib8cabeb64a8b4ec9f592d870bd0af611a2720cc7

Martijn Coenen authored
apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered, apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97

- Oct 03, 2018

Daniel Rosenberg authored
Allows checkpoint commands to check A/B update status
Test: vdc checkpoint startCheckpoint -1
Bug: 111020314
Change-Id: I086db548d55176bf88211001c7c1eecb8c50689e

- Oct 01, 2018

Jeff Vander Stoep authored
Remove these files from proc_net_type. Domains that need access must have permission explicitly granted. Neverallow app access except the shell domain.
Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0

- Sep 28, 2018

Howard Ro authored
Bug: 116732452
Test: No sepolicy violations observed with this change
(cherry picked from commit I1958182dd8ecc496625da2a2a834f71f5d43e7bb)
Change-Id: Ib386767d8acfacf9fedafd9a79dd555ce233f41c

Chenbo Feng authored
In the next Android release, there will be devices that have no xt_qtaguid module at all and framework and netd will decide which code path it takes for trafficStats depending on the device setup. So all apps and services should not depend on this device-specific implementation anymore and use public API for the data they need.
Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest
Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2

- Sep 27, 2018

Wei Wang authored
Bug: 116783882
Bug: 111098596
Test: turn on/off system_tracing
Change-Id: I089851924bdb1a5cd71598a7014d17fedc87625a

Yifan Hong authored
and (un)map on dev mapper.
Test: resize partitions during OTA
Bug: 110717529
Change-Id: Ia0b66a188232795cf7c649b48af985a583f3471d

Nick Kralevich authored
system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

Nick Kralevich authored
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file, a label shared with /data/misc/zoneinfo. However, each of these directory locations has different security characteristics. In particular, the files in /system/usr/share/zoneinfo must never be writable, whereas /data/misc/zoneinfo may be written to by system_server. Reusing the same label hides these different security characteristics.
Create a separate label for /system/usr/share/zoneinfo.
Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879

- Sep 26, 2018

Nick Kralevich authored
system/sepolicy/public/attributes defines exec_type as:
# All types used for domain entry points.
attribute exec_type;
The linker is not a standalone executable, but rather, used by other executables to resolve shared libraries. It isn't, and must never be, an allowed entrypoint for a domain. Remove the exec_type attribute from system_linker_exec.
Test: Device compiles and boots, no obvious problems running the system.
Change-Id: I8f2f608bc1a642193524396f46b22933faac5468

- Sep 24, 2018

Fan Xu authored
Create a new service type buffer_hub_binder_service for BufferHubBinderService and allow bufferhubd to publish the service. Add the service to 26.0, 27.0 and 28.0 compat ignore files since the service is not available in past versions.
Fixes: 116022258
Test: build passed
Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3

- Sep 23, 2018

Jeff Vander Stoep authored
Assert that only apps and installd may open private app files. Remove "open" permission for mediaserver/vold and remove their neverallow exemption.
Test: verify no related audit messages in the logs.
Test: build
Fixes: 80300620
Fixes: 80418809
Bug: 80190017
Change-Id: If0c1862a273af1fedd8898f334c9b0aa6b9be728

- Sep 21, 2018

Kevin Chyn authored
Bug: 111461540
Bug: 112570477
Test: builds
Change-Id: Icc68720ebe931c2d917703b2d34aa0f4eec3f549
Merged-In: Icc68720ebe931c2d917703b2d34aa0f4eec3f549

- Sep 20, 2018

Tri Vo authored
Bug: 115741899
Test: m selinux_policy
Change-Id: I5d80a1d9bd5500a82ebf282fb02f0db3a0b0a4c1

Yifan Hong authored
...to reflect that the HAL operates on storage devices, not filesystem.
Bug: 111655771
Test: compiles
Change-Id: Ibb0572cb1878359e5944aa6711331f0c7993ba6e
Merged-In: Ibb0572cb1878359e5944aa6711331f0c7993ba6e

Tri Vo authored
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*
Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4

- Sep 19, 2018

Benjamin Gordon authored
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials.
Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4

- Sep 18, 2018

Tri Vo authored
In cases when a device upgrades to system-as-root from O to P, it needs a mount point for an already existing partition that is accessed by both system and vendor. Devices launching with P must not have /mnt/vendor accessible to system.
Bug: 78598545
Test: m selinux_policy
Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f

- Sep 14, 2018

Nick Kralevich authored
Add additional compile time constraints on the ability to ptrace various sensitive domains.
llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init.
crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy.
Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e

- Sep 13, 2018

Tianjie Xu authored
Recovery-persist now parses the file /cache/recovery/last_install; and unlinks it after reporting metrics. Sets up the permission accordingly; also grants access to /cache if it's a symlink (useful for a/b devices.)
Denials:
recovery-persis: type=1400 audit(0.0:7): avc: denied { write } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
recovery-persis: type=1400 audit(0.0:7): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
recovery-persis: type=1400 audit(0.0:8): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0
recovery-persis: type=1400 audit(0.0:8): avc: denied { read } for name="cache" dev="dm-0" ino=2991 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0
Bug: 114278989
Test: checks the metrics report on devices with /cache
Change-Id: Iacb5606710e26922a9fbb2d2abacf8333d6df084

Nick Kralevich authored
Currently, crash_dump has the following line:
read_logd(crash_dump)
which is a macro defined as:
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
which grants both the ability to talk directly to a logd socket, as well as the ability to execute the /system/bin/logcat command line tool.
This is unneeded (and problematic) for crash_dump. Crash_dump uses standard, vndk approved libraries to talk directly to logd. It never exec()s the (non-vndk approved) logcat command. As crash_dump is a vndk approved component and executed by vendor code, allowing this transitively makes /system/bin/logcat a vndk component too, which we want to avoid.
Instead of using the read_logd() macro, just directly add the unix_socket_connect() call. This allows talking directly to logd, but blocks the use of the (unneeded) /system/bin/logcat executable.
Test: crasher binary still works when executed from adb shell
Change-Id: I1fe9d0f5f0234c96454a0d91338fa2656f083345

Hridya Valsaraju authored
Metadata needs to be erased as part of fastboot flashall -w.
Test: fastboot erase metadata
Bug: 113648914
Change-Id: I38a0debd9face16cad9d9a13a48549f3f58652fa

Yangster authored
Test: manual test
BUG: b/112432890
Change-Id: If703cd25a2c0864ffd49bfdc83821fae291974b5

- Sep 12, 2018

Nick Kralevich authored
Test: comments only. Policy compiles.
Change-Id: Ic51533d37fff6c553950a122f33a48e3c119c67c