* commit '8bd13687':
  neverallow su_exec:file execute

Executing /system/xbin/su is only supported on userdebug builds
for a limited number of domains. On user builds, it should never
occur.

Add a compile time assertion (neverallow rule) that this is
always true.

Bug: 19647373
Change-Id: I231a438948ea2d47c1951207e117e0fb2728c532

* commit '6ece49c3':
  Revert "allow system_server to set kernel scheduling priority"

Assigning mlstrustedsubject to untrusted_app would undermine
the per-user isolation model being enforced via levelFrom=user
in seapp_contexts and the mls constraints.  There is no direct
way to specify a neverallow on attribute assignment, but this
makes use of a particular property of the fork permission to
prevent ever adding mlstrustedsubject to untrusted_app.

A similar restriction for app_data_file and mlstrustedobject
is also important for the same reason, but cannot be expressed
as a neverallow.

Change-Id: I5170cadc55cc614aef0cd5f6491de8f69a4fa2a0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file.  Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te.  Just move the rules as appropriate.
Should be no change in policy.

Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'eaece936':
  neverallow untrusted_app as a mlstrustedsubject.

* commit 'b8caf7fd':
  Move allow rules before neverallow rules.

Add an attribute command to sepolicy-analyze for displaying the list
of types associated with an attribute in a policy.  This is for use
by CTS to check what domains and types are associated with certain
attributes such as mlstrustedsubject and mlstrustedobject.

Change-Id: Ie19361c02feb1ad14ce36862c6aace9e66c422bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '0233cd80':
  sepolicy-analyze:  Add attribute command.

Failed to include base_rules.mk, so this target was not being built.

Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit 'c9361731':
  Fix rules for general_property_contexts.

Generate general forms of the remaining *_contexts files with only the
device-independent entries for use in CTS testing.

Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '2e0cd5ad':
  Generate general versions of the other contexts files for tests.

* commit '37712877':
  Generate a general_seapp_contexts file for tests.

Periodically, SELinux denials of the form:

  type=1400 audit(0.0:8574): avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

are being generated. These denials come from system_server and other
processes. There's no reason why system_server should be calling
sched_setscheduler() on a kernel thread.

Current belief is that these SELinux denials are a bug in the kernel,
and are being inappropriately triggered.

Revert 2d1650f4. The original reason
for accepting this change was to see if it would fix bug 18085992.
Unfortunately, even after the commit, the bug was still present.
The change had no impact on the bug.

Don't inappropriately grant system_server the ability to minipulate
the scheduling priority of kernel threads.

This reverts commit 2d1650f4.

Change-Id: I59bdf26ad247a02b741af2fa58a18e7e83ef44d8

Generate a general_seapp_contexts file with only the
device-independent entries, similar to general_sepolicy.conf.
This is for use by CTS tests to compare with the prefix of
device seapp_contexts.

Change-Id: If8d1456afff5347adff7157411c6a160484e0b39
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '7d090fbd':
  sepolicy-analyze:  Change booleans command to be more test-friendly.

Instead of displaying the boolean count, display a list of booleans
defined in the policy, if any.  This makes sepolicy-analyze booleans
consistent with sepolicy-analyze permissive and allows automated tests
to simply check whether there was any output at all.

Change-Id: I221b60d94e6e7f6d80399bf0833887af3747fe83
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* commit '61d665af':
  logd: allow access to system files

- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'

Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54

* commit '5434a8a9':
  system_server: neverallow blk_file read/write

* commit 'fbaf72ed':
  sepolicy-analyze:  Implement booleans test.

Implement the booleans test in sepolicy-analyze so
that we can move the no-booleans check from the
SELinuxTest to the SELinuxHostTest along with the
other policy checks.

Change-Id: I95d7ad34da10c354470f43734d34a6ec631a7b4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c

* commit 'c01f7fd1':
  system_server: remove appdomain:file write

system_server no longer writes to /proc/pid/oom_adj_score. This is
handled exclusively by lmkd now.

See the following commits:

Kernel 3.18:
* https://android-review.googlesource.com/139083
* https://android-review.googlesource.com/139082

Kernel 3.14:
* https://android-review.googlesource.com/139081
* https://android-review.googlesource.com/139080

Kernel 3.10:
* https://android-review.googlesource.com/139071
* https://android-review.googlesource.com/139671

Kernel 3.4:
* https://android-review.googlesource.com/139061
* https://android-review.googlesource.com/139060

Bug: 19636629
Change-Id: Ib79081365bcce4aa1190de037861a87b55c15db9

* commit '6843a793':
  Only allow system_server to send commands to zygote.

* commit '8f81dcad':
  Only allow system_server to send commands to zygote.

Add neverallow rules to ensure that zygote commands are only taken from
system_server.

Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7

Bug: 19624279

Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f

* commit 'b41eb698':
  system_server: allow handling app generated unix_stream_sockets

* commit '0560e75e':
  system_server: allow handling app generated unix_stream_sockets

Allow system server to handle already open app unix_stream_sockets.
This is needed to support system_server receiving a socket
created using socketpair(AF_UNIX, SOCK_STREAM) and
socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android
functionality.

Addresses the following denial:

  type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0

Bug: 19648474
Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39

* commit '7afcaafc':
  installd: drop noatsecure for dex2oat

* commit '4eb2bc7e':
  Record observed bluetooth service access.

* commit 'a9f288b8':
  allow untrusted_app read /data/anr/traces.txt

* commit '0d0d5aa9':
  installd: drop noatsecure for dex2oat