Confine all app domains, but make them permissive for now.

As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

media_app.te

@@ -3,10 +3,27 @@
 ###
 
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-unconfined_domain(media_app)
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Stat /cache/lost+found
+allow media_app unlabeled:file getattr;
+allow media_app unlabeled:dir getattr;
+# Stat /cache/backup
+allow media_app cache_backup_file:file getattr;
+allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir (in particular, file_contexts for restorecon).
+allow media_app rootfs:file r_file_perms;
+allow media_app download_file:dir rw_dir_perms;
+allow media_app download_file:file create_file_perms;
+# Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
+allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;

nfc.te

@@ -1,4 +1,14 @@
 # nfc subsystem
 type nfc, domain;
+permissive nfc;
 app_domain(nfc)
-unconfined_domain(nfc)
+
+# NFC device access.
+allow nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+allow nfc sysfs_nfc_power_writable:file rw_file_perms;
+allow nfc sysfs:file write;

platform_app.te

@@ -3,10 +3,39 @@
 ###
 
 type platform_app, domain;
+permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
+# Write to /cache.
+allow platform_app cache_file:dir rw_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+# Access download files.
+allow platform_app download_file:file rw_file_perms;
+# Allow BackupManagerService to backup all app domains
+allow platform_app appdomain:fifo_file write;
+
+#
+# Rules for all platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+# App sdcard file accesses
+allow platformappdomain sdcard_type:dir create_dir_perms;
+allow platformappdomain sdcard_type:file create_file_perms;

radio.te

@@ -1,7 +1,24 @@
 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
 
-unconfined_domain(radio)
+# Talks to init via the property socket.
+unix_socket_connect(radio, property, init)
+
+# Talks to rild via the rild socket.
+unix_socket_connect(radio, rild, rild)
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;

release_app.te

@@ -3,10 +3,14 @@
 ###
 
 type release_app, domain;
+permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-unconfined_domain(release_app)
+
+# Write to /cache.
+allow release_app cache_file:dir rw_dir_perms;
+allow release_app cache_file:file create_file_perms;

shared_app.te

@@ -3,10 +3,12 @@
 ###
 
 type shared_app, domain;
+permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
+# ASEC
+r_dir_file(shared_app, asec_apk_file)

system_app.te

@@ -4,5 +4,32 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
-unconfined_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+# Settings app reads sdcard for storage stats
+allow system_app sdcard_type:dir r_dir_perms;
+
+# Allow settings app to read from asec
+allow system_app asec_apk_file:dir search;
+allow system_app asec_apk_file:file r_file_perms;