am f5f899c3: Merge from upstream sepolicy

* commit 'f5f899c3c0f684ffba6950b343e652abd78d0fd9':
  Rework the radio vs rild property split. Only label properties with the ril. prefix with rild_prop. Allow rild and system (and radio) to set radio_prop. Only rild can set rild_prop presently.
  Allow apps to write to anr_data_file for /data/anr/traces.txt.
  Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
  Allow adbd to access the qemu device and label /dev/eac correctly.
  Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton.
  Rewrite MLS constraints to only constrain open for app_data_file, not read/write.
  Introduce a separate wallpaper_file type for the wallpaper file.
  Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files.
  Allow the shell to create files on the sdcard.
  Drop redundant rules.
  Policy changes to support running the latest CTS.
  Limit per-device policy files to a well-defined sepolicy prefix.
  Add support for per-device .te and .fc files.

Android.mk

@@ -11,6 +11,12 @@ POLICYVERS := 24
 MLS_SENS=1
 MLS_CATS=1024
 
+LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET_DEVICE)/ vendor/*/$(TARGET_DEVICE)/
+
+LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS)))
+LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS)))
+
 ##################################
 include $(CLEAR_VARS)
 
@@ -25,7 +31,7 @@ include $(BUILD_SYSTEM)/base_rules.mk
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users ocontexts))
+$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te) $(LOCAL_POLICY_TE) $(addprefix $(LOCAL_PATH)/, roles users ocontexts))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
 
@@ -38,13 +44,18 @@ sepolicy_policy.conf :=
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := file_contexts
-LOCAL_SRC_FILES := $(LOCAL_MODULE)
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
-include $(BUILD_PREBUILT)
+include $(BUILD_SYSTEM)/base_rules.mk
 
+file_contexts := $(intermediates)/file_contexts
+$(file_contexts): $(LOCAL_PATH)/file_contexts $(LOCAL_POLICY_FC)
+	@mkdir -p $(dir $@)
+	$(hide) cat $^ > $@
+
+file_contexts :=
 ##################################
 include $(CLEAR_VARS)
 
@@ -56,6 +67,22 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_PREBUILT)
 
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+property_contexts := $(intermediates)/property_contexts
+$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
+	@mkdir -p $(dir $@)
+	$(hide) cat $^ > $@
+
+property_contexts :=
 ##################################
 
 endif #ifeq ($(HAVE_SELINUX),true)

access_vectors

@@ -880,3 +880,8 @@ class zygote
 	specifyinvokewith
 	specifyseinfo
 }
+
+class property_service
+{
+	set
+}

adbd.te

@@ -2,6 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type adbd, domain, mlstrustedsubject;
 allow adbd adb_device:chr_file rw_file_perms;
+allow adbd qemu_device:chr_file rw_file_perms;
 allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
 allow adbd rootfs:file entrypoint;
 allow adbd init:process sigchld;
@@ -23,9 +24,10 @@ unix_socket_connect(adbd, vold, vold)
 # Talk to init via the property socket.
 unix_socket_connect(adbd, property, init)
 
-# Read properties.
+# Run sh in its own domain.
-allow adbd kernel:fd use;
+domain_auto_trans(adbd, shell_exec, shell)
-allow adbd tmpfs:file read;
+# Do not sanitize the environment of the shell.
+allow adbd shell:process noatsecure;
 
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?

app.te

@@ -28,11 +28,7 @@ allow trusted_app shell_data_file:lnk_file read;
 allow trusted_app sdcard:dir create_dir_perms;
 allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
-# It would be better if this was labeled differently.
+allow trusted_app apk_tmp_file:file rw_file_perms;
-allow trusted_app apk_data_file:file write;
-# Perform binder IPC to any app domain.
-binder_call(trusted_app, appdomain)
-binder_transfer(trusted_app, appdomain)
 
 #
 # An example of a specific domain for a specific app
@@ -100,11 +96,18 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { read write };
+
+# Write to /data/anr/traces.txt.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
 binder_transfer(appdomain, binderservicedomain)
-# Perform binder IPC to apps in the trusted_app domain.
+# Perform binder IPC to other apps.
-binder_call(appdomain, trusted_app)
+binder_call(appdomain, appdomain)
-binder_transfer(appdomain, trusted_app)
+binder_transfer(appdomain, appdomain)

attributes

@@ -33,6 +33,9 @@ attribute netif_type;
 # All types used for network ports.
 attribute port_type;
 
+# All types used for property service
+attribute property_type;
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;

debuggerd.te

@@ -12,3 +12,4 @@ allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
+allow debuggerd log_device:chr_file r_file_perms;

domain.te

@@ -3,6 +3,10 @@
 # Allow reaping by init.
 allow domain init:process sigchld;
 
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file read;
+
 # binder adjusts the nice value during IPC.
 allow domain self:capability sys_nice;
 
@@ -29,7 +33,7 @@ allow domain debuggerd:unix_stream_socket connectto;
 
 # Root fs.
 allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file read;
+allow domain rootfs:lnk_file { read getattr };
 
 # Device accesses.
 allow domain device:dir search;

drmserver.te

@@ -8,3 +8,9 @@ typeattribute drmserver mlstrustedsubject;
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+allow drmserver sdcard:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;

file.te

@@ -8,6 +8,7 @@ type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type inotify, fs_type, mlstrustedobject;
 type devpts, fs_type;
 type tmpfs, fs_type;
@@ -22,12 +23,15 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type;
 # /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type;
+type anr_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/tombstones - core dumps
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
@@ -49,6 +53,8 @@ type app_data_file, file_type, data_file_type;
 type cache_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type;
 
 # Socket types
 type bluetooth_socket, file_type;

file_contexts

@@ -23,6 +23,7 @@
 /dev/console		u:object_r:console_device:s0
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
+/dev/eac		u:object_r:audio_device:s0
 /dev/full		u:object_r:full_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
 /dev/input(/.*)		u:object_r:input_device:s0
@@ -101,10 +102,12 @@
 # Data files
 #
 /data(/.*)?		u:object_r:system_data_file:s0
+/data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local(/.*)?	u:object_r:shell_data_file:s0
 # Misc data
@@ -116,6 +119,8 @@
 /data/misc/wifi(/.*)?		u:object_r:wifi_data_file:s0
 # App sandboxes
 /data/data/.*		u:object_r:app_data_file:s0
+# Wallpaper file.
+/data/data/com.android.settings/files/wallpaper	u:object_r:wallpaper_file:s0
 #############################
 # efs files
 #
@@ -128,3 +133,4 @@
 # sysfs files
 #
 /sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0
+/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0

installd.te

@@ -12,6 +12,7 @@ allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
 allow installd data_file_type:file { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;

mls

@@ -60,21 +60,37 @@ mlsconstrain unix_stream_socket { connectto }
 mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
 
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must be equivalent to object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
 # Read operations: Subject must dominate object unless the subject
 # or the object is trusted.
 mlsconstrain dir { read getattr search }
-	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Write operations: Subject must be dominated by the object unless the
 # subject or the object is trusted.
 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
-	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the

nfc.te

@@ -8,3 +8,5 @@ allow nfc nfc_device:chr_file rw_file_perms;
 # Data file accesses.
 allow nfc nfc_data_file:dir create_dir_perms;
 allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+allow nfc sysfs_nfc_power_writable:file rw_file_perms;

property.te

@@ -0,0 +1,9 @@
+type default_prop, property_type;
+type shell_prop, property_type;
+type radio_prop, property_type;
+type system_prop, property_type;
+type vold_prop, property_type;
+type rild_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_rildaemon_prop, property_type;

property_contexts

@@ -0,0 +1,47 @@
+##########################
+# property service keys
+#
+#
+net.rmnet0              u:object_r:radio_prop:s0
+net.gprs                u:object_r:radio_prop:s0
+net.ppp                 u:object_r:radio_prop:s0
+net.qmi                 u:object_r:radio_prop:s0
+net.lte                 u:object_r:radio_prop:s0
+net.cdma                u:object_r:radio_prop:s0
+gsm.                    u:object_r:radio_prop:s0
+persist.radio           u:object_r:radio_prop:s0
+net.dns                 u:object_r:radio_prop:s0
+sys.usb.config          u:object_r:radio_prop:s0
+
+ril.                    u:object_r:rild_prop:s0
+
+net.                    u:object_r:system_prop:s0
+dev.                    u:object_r:system_prop:s0
+runtime.                u:object_r:system_prop:s0
+hw.                     u:object_r:system_prop:s0
+sys.                    u:object_r:system_prop:s0
+service.                u:object_r:system_prop:s0
+wlan.                   u:object_r:system_prop:s0
+dhcp.                   u:object_r:system_prop:s0
+
+debug.                  u:object_r:shell_prop:s0
+log.                    u:object_r:shell_prop:s0
+service.adb.root        u:object_r:shell_prop:s0
+service.adb.tcp.port    u:object_r:shell_prop:s0
+
+persist.sys.            u:object_r:system_prop:s0
+persist.service.        u:object_r:system_prop:s0
+persist.security.       u:object_r:system_prop:s0
+selinux.                u:object_r:system_prop:s0
+
+# default property context
+*                       u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold.                   u:object_r:vold_prop:s0
+crypto.                 u:object_r:vold_prop:s0
+
+# ctl properties
+ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
+ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
+ctl.                    u:object_r:ctl_default_prop:s0

radio.te

@@ -15,3 +15,9 @@ allow radio radio_data_file:dir create_dir_perms;
 allow radio radio_data_file:notdevfile_class_set create_file_perms;
 
 allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;

rild.te

@@ -4,6 +4,7 @@ type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
 net_domain(rild)
+allow rild self:netlink_route_socket setopt;
 allow rild kernel:system module_request;
 unix_socket_connect(rild, property, init)
 unix_socket_connect(rild, qemud, qemud)
@@ -19,3 +20,7 @@ allow rild shell_exec:file rx_file_perms;
 dontaudit rild self:capability sys_admin;
 # XXX Label sysfs files with a specific type?
 allow rild sysfs:file rw_file_perms;
+
+# property service
+allow rild rild_prop:property_service set;
+allow rild radio_prop:property_service set;

security_classes

@@ -134,4 +134,7 @@ class db_language		# userspace
 class binder
 class zygote
 
+# Property service
+class property_service          # userspace
+
 # FLASK

shell.te

@@ -1,6 +1,5 @@
 type shell, domain;
 type shell_exec, file_type;
-domain_auto_trans(adbd, shell_exec, shell)
 domain_auto_trans(init, shell_exec, shell)
 allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
@@ -13,9 +12,9 @@ allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 
-# Read properties.
+# Access sdcard.
-allow shell kernel:fd use;
+allow shell sdcard:dir rw_dir_perms;
-allow shell tmpfs:file read;
+allow shell sdcard:file create_file_perms;
 
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;
@@ -32,3 +31,12 @@ allow shell log_device:chr_file r_file_perms;
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# Property Service
+allow shell shell_prop:property_service set;
+
+# setprop toolbox command
+allow shell property_socket:sock_file write;
+
+# ctl interface
+allow shell ctl_dumpstate_prop:property_service set;

surfaceflinger.te

@@ -22,3 +22,6 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# ctl interface
+allow surfaceflinger ctl_default_prop:property_service set;

system.te

@@ -15,6 +15,9 @@ binder_transfer(system_app, appdomain)
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
 
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
 
@@ -110,6 +113,7 @@ selinux_check_access(system)
 
 # XXX Label sysfs files with a specific type?
 allow system sysfs:file rw_file_perms;
+allow system sysfs_nfc_power_writable:file rw_file_perms;
 
 # Access devices.
 allow system device:dir r_dir_perms;
@@ -130,6 +134,25 @@ allow system qemu_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
+# Read /file_contexts.
+allow system rootfs:file r_file_perms;
+
+# Relabel apk files.
+allow system apk_tmp_file:file { relabelfrom relabelto };
+allow system apk_data_file:file { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system system_data_file:file relabelfrom;
+allow system wallpaper_file:file relabelto;
+allow system wallpaper_file:file r_file_perms;
+
+# Property Service write
+allow system system_prop:property_service set;
+allow system radio_prop:property_service set;
+
+# ctl interface
+allow system ctl_default_prop:property_service set;
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;
@@ -141,7 +164,7 @@ allow system cache_file:file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system system_file:file x_file_perms;
 
-# Silently deny any /proc accesses that are not allowed.
+# Allow reading of /proc/pid data for other domains.
-# This suppresses noise from walking the process list.
+# XXX dontaudit candidate
-dontaudit system domain:dir r_dir_perms;
+allow system domain:dir r_dir_perms;
-dontaudit system domain:file r_file_perms;
+allow system domain:file r_file_perms;

te_macros

@@ -97,9 +97,6 @@ allow $1 $1_tmpfs:file { read execute execmod };
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
 tmpfs_domain($1)
-# Read properties.
-allow $1 kernel:fd use;
-allow $1 tmpfs:file read;
 ')
 
 #####################################

ueventd.te

@@ -16,6 +16,3 @@ allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket *;
-# Read properties.
-allow ueventd kernel:fd use;
-allow ueventd tmpfs:file read;

unconfined.te

@@ -21,3 +21,4 @@ allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain property_type:property_service set;

vold.te

@@ -54,3 +54,6 @@ allow vold proc:file write;
 
 # Create and mount on /data/tmp_mnt.
 allow vold system_data_file:dir { write create add_name mounton };
+
+# Property Service
+allow vold vold_prop:property_service set;