allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access

- allow all apps to connect to the keystore over unix socket
- dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
- mtp connects to dnsproxyd when a pptp vpn connection is established
- allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
- WifiWatchDog uses packet_socket when wifi comes up
- apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
- for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject

Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>

app.te

@@ -24,8 +24,7 @@ allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
-# Read/[open] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow platform_app qtaguid_proc:file { open };
+# Read /dev/xt_qtaguid
 allow platform_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the media key.
@@ -41,8 +40,7 @@ allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow media_app qtaguid_proc:file rw_file_perms;
+# Read /dev/xt_qtaguid
 allow media_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the shared key.
@@ -66,9 +64,13 @@ net_domain(release_app)
 bluetooth_domain(release_app)
 # Read logs.
 allow release_app log_device:chr_file read;
+# Read /dev/xt_qtaguid
+allow release_app qtaguid_device:chr_file r_file_perms;
 
 # Services with isolatedProcess=true in their manifest.
-type isolated_app, domain;
+# In order for isolated_apps to interact with apps that have levelFromUid=true
+# set it must be an mlstrustedsubject.
+type isolated_app, domain, mlstrustedsubject;
 app_domain(isolated_app)
 
 #
@@ -128,6 +130,7 @@ allow untrusted_app sdcard:file create_file_perms;
 bool app_ndk false;
 if (app_ndk or android_cts) {
 allow untrusted_app system_data_file:file { execute open };
+allow isolated_app system_data_file:file { open execute };
 }
 # Read Logs
 bool app_read_logs false;
@@ -139,6 +142,9 @@ allow untrusted_app log_device:chr_file read;
 # Rules for all app domains.
 #
 
+# Allow apps to connect to the keystore
+unix_socket_connect(appdomain, keystore, keystore)
+
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 
@@ -173,7 +179,7 @@ allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file write;
+allow appdomain qtaguid_proc:file rw_file_perms;
 
 # Use the Binder.
 binder_use(appdomain)
@@ -183,3 +189,13 @@ binder_transfer(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
 binder_transfer(appdomain, appdomain)
+
+# Appdomain interaction with isolated apps
+r_dir_file(appdomain, isolated_app)
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain isolated_app:unix_stream_socket { read write };
+allow isolated_app appdomain:unix_stream_socket { read write };

dhcp.te

@@ -11,6 +11,7 @@ allow dhcp self:packet_socket { create setopt bind write read };
 allow dhcp self:netlink_route_socket { write nlmsg_write read create bind };
 allow dhcp self:udp_socket { create ioctl };
 allow dhcp shell_exec:file { read open execute };
+allow dhcp system_file:file execute_no_trans;
 allow dhcp proc:file write;
 allow dhcp property_socket:sock_file write ;
 allow dhcp system_prop:property_service set ;
@@ -19,4 +20,5 @@ allow dhcp dhcp_system_file:dir r_dir_perms;
 unix_socket_connect(dhcp, property, init)
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-allow dhcp dhcp_data_file:dir { write add_name search };
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;

mtp.te

@@ -3,6 +3,7 @@ type mtp, domain;
 type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
+net_domain(mtp)
 
 # pptp policy
 allow mtp self:tcp_socket { create setopt connect write read };
@@ -11,3 +12,4 @@ allow mtp self:rawip_socket create;
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
 allow mtp port:tcp_socket name_connect;
+allow mtp vpn_data_file:dir search;

seapp_contexts

@@ -41,4 +41,4 @@ user=_app seinfo=shared domain=shared_app type=platform_app_data_file
 user=_app seinfo=media domain=media_app type=platform_app_data_file
 user=_app seinfo=release domain=release_app type=platform_app_data_file
 user=_app seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
-user=_isolated domain=isolated_app levelFromUid=true
+user=_isolated domain=isolated_app

system.te

@@ -89,10 +89,13 @@ allow system mediaserver:process setsched;
 allow system appdomain:dir r_dir_perms;
 allow system appdomain:{ file lnk_file } rw_file_perms;
 
-# Write to /proc/net/xt_qtaguid/ctrl.
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system qtaguid_proc:file rw_file_perms;
 allow system qtaguid_device:chr_file rw_file_perms;
 
+# WifiWatchdog uses a packet_socket
+allow system self:packet_socket *;
+
 # Notify init of death.
 allow system init:process sigchld;