am: 64c8aa96

Change-Id: I1260e60f2ef4db50573e515ba95c332512c8ae62

am: 6429e000

Change-Id: I14d24ef85a8409adaffe4073e3697d21a2c2f05f

am: fde87a96

Change-Id: Id1e696f18bd1091f4103c02b49e3fa2dd6fa8e1b

am: 484a277c

Change-Id: Iaa779c0d07bc503e27d0d9b65816347e819daa8a

am: 2261cab6

Change-Id: Id44a7c591e8d7640c89e74cb9e88ce7849439c29

am: 1871fc0a

Change-Id: I2d474b6d04d0fa2af7ad35d7af068e38477609ee

Currently update_verifier only verifies the blocks when dm-verity is in
'enforcing' mode; and dm-verity will reboot the device upon detection of
errors. However, sometimes the verity mode is not guaranteed to be
correct. When mode is 'eio' for example, dm-verity will not trigger
a reboot but rather fail the read. So update_verifier need to take the
responsibility to reboot the device. Otherwise the device will continue
to boot without setting the flag "isSlotMarkedSuccessful".

Denial message:
update_verifier: type=1400 audit(0.0:18): avc: denied { write } for
name="property_service" dev="tmpfs" ino=14678 scontext=u:r:update_verifier:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Bug: 36260064
Test: powerctl property sets successfully
Change-Id: I7431f87e2d61be1425397732aebb369d4ad4c26c

am: fbccda34

Change-Id: I1dd3889756bcc6324f80d20aeecba95587e68f20

Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6

am: 29f273ce

Change-Id: I0dc5693bddd9574eb36ee4a711652b4130afdd8e

am: c3a9e7df

Change-Id: Ifcb4f63b7111252ee3a0deb58e6471b06df58587

am: bab5872c

Change-Id: I0341e66bd3a8fcbddf9daf7da84187430b5747d6

am: 9337a4dd

Change-Id: Ib3273650207e0b64cdca1d6e0e3bbdf48d292a6b

Test: Test: make cts && \
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsSecurityHostTestCases \
      -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan
      Fails as expected.
Bug: 36002573

Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0

So we can limit vndservicemanager access to
just vndservice_contexts.

Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188

am: 0c31c85a

Change-Id: I2e6c151eb6b3413054f52d0dea5ab93c91065319

am: a1c06508

Change-Id: I7e586b6bf9c22ab0380f9982889f0c8c86115df1

"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
   character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6

Bug: 36855921
Test: compile, wifi works with toggling
Change-Id: Ib0819a2d552472e482e192a69530441cfc2c0fd7

am: ed82acb9

Change-Id: I2c7dc59f0ea468fba1e34d38a55cc2e8e6cc3289

am: a299bc80

Change-Id: I94b99a1ace48fafeb47280d1d6764cac70fb9464

am: 814edf8c

Change-Id: I9a8cd19a081ab7731f8caf098e406d0af9ce9c48

Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open FD such as
ioctl/stat/read/write/append.

This commit asserts that core components marked with attribute
coredomain may only access core data types marked with attribute
core_data_file_type.

A temporary exemption is granted to domains that currently rely on
access.

(cherry picked from commit cd97e710)

Bug: 34980020
Test: build Marlin policy
Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc

am: 45f699c7

Change-Id: Ib868a803f480a3c756102e59d49275b6eb4e6372

am: 386f9460

Change-Id: Ieba3686f331cfa1c3a0907bf15db188a19d3f140

This CL changes the policy for ASAN files on-disk to support the
changes made by the following CLs -
https://android-review.googlesource.com/#/c/359087/
https://android-review.googlesource.com/#/c/359389/

which refactor the on-disk layout of sanitized libraries in the following
manner -
/data/lib* --> /data/asan/system/lib*
/data/vendor/* --> /data/asan/vendor/*

There are a couple of advantages to this, including better isolation
from other components, and more transparent linker renaming and
SELinux policies.

(cherry picked from commit 33ebdda8)

Bug: 36574794
Bug: 36674745
Test: m -j40 && SANITIZE_TARGET="address" m -j40 and the device
boots. All sanitized libraries are correctly located in /data/asan/*,
and have the right SELinux permissions.

Change-Id: Ib08e360cecc8d77754a768a9af0f7db35d6921a9