No relevant collected denials.

Test: device boots and no obvious problems.
Test: no collected denials.
Bug: 28760354
Change-Id: Idcf939b3cbdb1dec835d59150181047d062e6c48

Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate

Bug: 32221677

Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630

Allowing storaged for reading from pseudo filesystems and debugfs.

Bug: 32221677

Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335

No denials collected.

Bug: 28760354
Test: no denials collected.
Test: device boots and no obvious problems
Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec

No audits have been recorded for these rules. Remove them.

Originally added for backwards compatibility in
549ccf77 as part of the split
between cache_file and cache_recovery_file.

Bug: 25351711
Test: No audit records recorded
Change-Id: I5133028b5fcc99a731aabea90305171dee0edf47

Don't allow processes to list out the contents of the directory
/dev/__properties__. This is an implementation specific detail that
shouldn't be visible to processes.

Test: Device boots and no problems reading individual properties.
Test: ls -la /dev/__properties__ fails
Change-Id: I4df6a829b0d22e30fb2c38030c690fc4a356f6a3

This leaves only the existence of system_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from system_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96

This leaves only the existence of isolated_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from isolated_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3

This leaves the existence of priv_app domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from priv_app_current
      attribute (as expected) except for
      allow priv_app_current update_engine_current:binder transfer;
      which is caused by public update_engine.te rules and will go
      away once update_engine rules go private.
Bug: 31364497

Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391

This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from untrusted_domain_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92

Commit fee49159 introduced the net_radio_prop and system_radio_prop
properties, and added allow rules for backwards compatibility. In
addition, auditallow rules were added to see if the allow rules were
necessary.

The auditallow rules for radio net_radio_prop are triggering, so it's
clear these properties are being set by the radio process. Drop the
auditallow statement.

Test: policy compiles.
Change-Id: I7fa6df18ed4dd4cb8e0c9098373cc28134615330

/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.

Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:

1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive

While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.

Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49

Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c
Signed-off-by: Alexey Polyudov <apolyudov@google.com>

Allow init to send userspace generated SELinux denials to the kernel
audit subsystem.

Test: "setprop asdf asdf" from the unprivileged adb shell user
      generated an SELinux denial processed by logd.
Bug: 27878170
Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1

We allow domains to manually transition to logpersist for userdebug
or eng debug logging permissions that would be counter to monitoring
limits on a released user build.

Test: compile
Bug: 30566487
Change-Id: I03a81c75cbd2b44617e4b27c4c083a26a0e0fa87

Bug: 31982882
Test: works with wip bullhead binderized dumpstate implementation
Change-Id: Iae964f49b3c2704688ded8e7366d89ace35a92aa

Adding sepoilcy for sensors.

Test: Sensors work.
Change-Id: Ibbf0c1a22654a17b1573e3761ea9ccd816150255

6e4508e6 inadvertently removed access
to ro.serialno and ro.boot.serialno from ADB shell. This is needed for
CTS. This commit thus reinstates the access.

Test: adb shell getprop ro.serialno
Bug: 33700679
Change-Id: I62de44b1631c03fcd64ceabaf33bbaeb869c2851

Adding sepolicty for contexthub service.

Test: GTS tests pass.
Change-Id: I2576b8028d12a31151d7b7869679b853eb16c75e

Test: make checkbuild, aosp_bullhead-userdebug boots.
Bug: 33192586

Change-Id: I386df8b6c04fb162f79a4409801ce3e882026ea8

This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.

The reason is that some of these properties may leak persistent
identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472

Test: Verified that WIP telephony and BT SAP CLs work fine with this change
https://android-review.googlesource.com/#/q/topic:%22Basic+radio+service+and+client%22+(status:open+OR+status:merged)
https://android-review.googlesource.com/#/q/topic:%22SAP+HAL%22+(status:open+OR+status:merged)
Bug: 32020264
Change-Id: If15820d43e324d80e35808a292ee811f98d499cc

ro.runtime.firstboot system property is only used internally by
system_server to distinguish between first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track individual
device. Thus apps should not have access to this property.

Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c

SELinux policy compiler complained about a quote inside the
recovery_only section of recovery.te. This section's contents are
inside quotes and thus can't contain quotes.

Test: mmm system/sepolicy produces no warnings
Bug: 33700679
Change-Id: I5bf943166f4f514d04472f7e59b025a9723eb1b8

Bug: 32123421
Test: full build/test of allocator hal using hidl_test
Change-Id: I253b4599b6fe6e7f4a2f5f55b34cdeed9e5d769b

This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.

The reason for the restriction is that serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.

Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7

Audio HAL server needs to set SCHED_FIFO scheduling policy
for its threads that communicate with FastMixer threads of
AudioFlinger that use the same scheduler.

Bug: 30222631
Change-Id: I405a69d097a6bfed455e3483365b27c4004e1063

mmi-based products insists on running persistent logcat directly.

Test: build
Bug: 30566487
Change-Id: I6397f5faedb2a4a5e2f4cfc5387977ae9c54b2d4

Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).

Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d

Generate a compile time error if someone unexpectedly tries to
transition into logpersist or logd domain.

Test: compile
Bug: 30566487
Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d

- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
  userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c

auditallow (added in commit 758e6b36)
has been in place for about 2 weeks now, and no hits. Remove
execute_no_trans.

The net effect of this change is that priv_apps won't be able to exec()
a file from their home directory, but dlopen() and friends will still
work.

Test: Compiles and boots successfully.
Test: No auditallow messages received via SELinux denial collection.
Change-Id: I60fcdc260d12e1bcc2355ca4dd912de7e6d0a145

Bug: 31077138
Test: Device boots, coverage service works when tested manually.
Change-Id: Ia855cfefd5c25be5d1d8db48908c04b3616b5504

init switch from a setcon() based transition to an exec() based
transition in bug 19702273. Fixup stale comment.

Test: comment only change. Policy compiles.
Bug: 19702273
Change-Id: I6e1b4b3680193453adafa8952a7ea343d2977505

Bug: http://b/32905206



Test: Boot sailfish and no new selinux failures observed in logs

Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9
Signed-off-by: Sandeep Patil <sspatil@google.com>

avc: denied { getattr } for path="/data/dalvik-cache/arm64/system@framework@boot-core-libart.oat" dev="sda35" ino=1581062 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=lnk_file permissive=0

Test: builds, boots, quota stats match manual stats
Bug: 27948817
Change-Id: I65fb581a4732e03c46ac705f6693080c5f3be184

Bug: https://b/32733887



Change-Id: Ie22756509b53b6e78a95c5a7763b48773cd52fd7
Signed-off-by: Sandeep Patil <sspatil@google.com>

- Also allow dumpstate to talk to hal_dumpstate.

Bug: 31982882
Test: compiles
Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c

Test: Boot charge-only and android on sailfish

Bug: https://b/33672744



Change-Id: I6a25e90a716ec0ca46b5ba5edad860aa0eebafef
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 3b25e384)

Test: tested with default health HAL on angler running as service.
Bug: b/32754732

Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd91)