- Jan 14, 2019
-
-
Jeff Vander Stoep authored
Grant for icmp_socket for devices with 4.14 or greater kernel, and rawip_socket for devices with earlier kernels. Bug: 122572608 Test: build Change-Id: I1c9d2ce6761dbd2c4db3635600c5f5c335461083
-
Joel Fernandes authored
Change-Id: If4e550e4186415c5a1088bb53b0755b69f92560a Signed-off-by: Joel Fernandes <joelaf@google.com>
-
Joel Fernandes authored
init needs to execute bpfloader as a one-shot service. Add sepolicy for the same. Also update old rules allowing init to fork/exec bpfloader and remove rules allowing netd to do so. Bug: 112334572 Change-Id: Ic242cd507731ed8af3f8e94d4fccc95819831d37 Signed-off-by: Joel Fernandes <joelaf@google.com>
-
Joel Fernandes authored
bpfloader needs to load bpf programs with tracepoints in them. The tracepoint programs are not activated but are just loaded and pinned. The kernel expects the process doing this to have CAP_SYS_ADMIN. Since bpfloader was intended to be a 1-shot run and exit process with security privileges, let's assign it CAP_SYS_ADMIN so that it is able to load the tracepoint programs. Bug: 112334572 Change-Id: Icf9b5d95615e69f5c28dc28f021b07f49710c97d Signed-off-by: Joel Fernandes <joelaf@google.com>
-
- Jan 12, 2019
-
-
Jeff Vander Stoep authored
Vendor domains may use net_domain() so it should be moved to public policy. This will allow removal of permissions such as rawip_socket in future releases without breaking Treble compatibility. Bug: 122572608 Test: build Change-Id: Id84feb11587d305334cd9dbbc6e4f6f71ffff6f2
-
- Jan 11, 2019
-
-
Victor Hsieh authored
The original fs-verity implementation requires CAP_SYS_ADMIN and thus the actual setup is proxied through installd. Instead, upstream FS_IOC_ENABLE_VERITY ioctl checks write permission to inode, and thus can happen in system_server. Also, replace the old measure ioctl with FS_IOC_SET_VERITY_MEASUREMENT. Note that although the number is name, they work differently. Test: set ro.apk_verity.mode=2, in-progress CTS passed without denial Bug: 112037636 Change-Id: I3e8d14321df8904dfed68b83aae8b3dd99c211ac
-
Nick Kralevich authored
There are multiple trusted system components which may be responsible for creating executable code within an application's home directory. Renderscript is just one of those trusted components. Generalize rs_data_file to app_exec_data_file. This label is intended to be used for any executable code created by trusted components placed into an application's home directory. Introduce a typealias statement to ensure files with the previous label continue to be understood by policy. This change is effectively a no-op, as it just renames a type, but neither adds nor removes any rules. Bug: 121375718 Bug: 112357170 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
-
Tao Bao authored
update_engine no longer needs a standalone bspatch executable since [1] (which first landed into O). And we don't ship /system/bin/bspatch on device by default. [1] https://android-review.googlesource.com/c/platform/system/update_engine/+/327365 Test: Verify that /system/bin/bspatch doesn't exist on device. Test: Trigger an A/B OTA install for aosp_walleye-userdebug: `m dist`; `system/update_engine/scripts/update_device.py out/dist/aosp_walleye-ota.zip`. No update_engine related denial. Change-Id: Iff578bdb0b1909092dd19feff069755a44d29398
-
Steven Moreland authored
This was a regression in Q, and the file is an implementation of liblog. Bug: 113083310 Test: use tags from vendor and see no denials Change-Id: I726cc1fcfad39afc197b21e431a687a3e4c8ee4a
-
Sooraj Sasindran authored
Rename AlternativeNetworkService to OpportunisticNetworkService Bug: 118347827 Test: compile Merged-In: I23b0caadd1801c104806fa438fc9054d8a31962e Change-Id: I23b0caadd1801c104806fa438fc9054d8a31962e
-
Martijn Coenen authored
For persistent properties related to apexd. Bug: 121302351 Test: apexd can get the prop Change-Id: Id9fd25923385188f46a9804155168c52f6b1187e
-
Siarhei Vishniakou authored
Add the required permissions for the InputClassifier HAL. Bug: 62940136 Test: no selinux denials in logcat when HAL is used inside input flinger. Change-Id: Ibc9b115a83719421d56ecb4bca2fd196ec71fd76
-
- Jan 10, 2019
-
-
Remi NGUYEN VAN authored
Bug: b/122620633 Test: m Change-Id: I36fe66fc22a1664f9ef25c66f933a2613a6f346b
-
Primiano Tucci authored
When recording hour-long traces, logcat messages help to interpret the trace, giving human readable context on what is happening on the system. Furthermore this is particularly helpful for startup debugging thanks to activity manager instrumentation events (am_on_create_called, am_on_start, ...). This is only allowed on userdebug/eng builds. Bug: 122243384 Change-Id: I4dfaebf21107e9853b0bf42403fbab6c3b4d5141
-
Chalard Jean authored
Bug: 116512211 Test: Builds, boots, including upcoming changes needing this Change-Id: I6f119368c5a4f7ac6c0325915dff60124c5a6399
-
Tri Vo authored
The way we build and run CTS expects full_treble_only and compatible_property_only macros to be applied to whole rules and not be nested inside other rules. Fixes: 122601363 Test: corresponding neverallow rule in auto-generated SELinuxNeverallowRulesTest.java is parsed correctly. Change-Id: Ibf5187cedca72510fe74c6dc55a75a54a86c02ff
-
- Jan 09, 2019
-
-
Yabin Cui authored
runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile debuggable apps. But it misses permissions to ptrace app processes and read /proc/<app_pid> directory. Bug: none Test: build and boot marlin. Test: run lldb and simpleperf on apps with target sdk version 24-29. Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0
-
- Jan 08, 2019
-
-
Jeff Vander Stoep authored
Bug: 33308258 Test: atest CtsSelinuxTargetSdk25TestCases Change-Id: Ifeceecec7b2f38ebd38b6693712b8f65ee24dc5d
-
Chenbo Feng authored
Recent change in netd and bpfloader switched the creator of bpf maps from netd to bpfloader. Change the rules related to it to make sure it doesn't fail. Test: dumpsys netd trafficcontroller Bug: 112334572 Change-Id: I016ff68b58ef7b12bdfdebc2fd178be1d0206a62
-
Tri Vo authored
Bug: 119305624 Test: normal/recovery boot aosp_taimen Change-Id: I46da995886ce421bb87e741d577f659426ff79c4
-
Tri Vo authored
Bug: 119305624 Test: normal/recovery boot aosp_taimen Change-Id: I15aa275fa658b58f5a5d3e651d164f9fcd87c0af
-
Tri Vo authored
Bug: 119305624 Test: normal/recovery boot aosp_taimen Change-Id: Ia8d69be16011db8dd63fa41672449a4ade7302c2
-
Tri Vo authored
Bug: 119305624 Test: normal/recovery boot aosp_taimen Change-Id: Ib7a29a9f8f23dd917cc25c23c7612f9e4ae36ea0
-
Tri Vo authored
Bug: 119305624 Test: normal/recovery boot aosp_taimen Change-Id: I1009745686acd51563378dac56e857be0d60e794
-
Narayan Kamath authored
For consistency with APKs, signature verification is performed in the system_server. This includes checking that the signature of an updated install matches the signature of the active package that it updates. For this, it requires search access to /data/apex and read access to the files under that directory. Test: m Change-Id: Ia073adb8892886e4767fa5529e95c110b9cbff1b
-
Remi NGUYEN VAN authored
Test: flashed, booted, verified app running properly Bug: b/112869080 Change-Id: I10737736ca5da67ef08fca1055e0f702371aba58
-
- Jan 07, 2019
-
-
Dario Freni authored
Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
-
Alex Buynytskyy authored
Used for e.g. abb. Test: Build, flash and boot, use `adb abb` to verify Change-Id: I4ad75498819edbcc0303f66420a58d06788ab5fb
-
Alan Stokes authored
This was originally implemented in commit 89041472 and reverted in commit fa3eb773. This effectively reverts the revert, with minimal changes to cope with the subsequent reversion of commit b3624743. Auditing is only enabled for apps targeting API <= 28. Test: Compiles, audit messages are seen. Bug: 121333210 Bug: 111338677 Change-Id: Ie38498a2b61f4b567902117f9ef293faa0e689dd
-
- Dec 30, 2018
-
-
Justin Yun authored
Make /(product|system/product)/vendor_overlay/<ver> have the vendor file context. If vendor_overlay requires to mount on the vendor directories other than 'vendor_file', the contexts must be defined in the device specific sepolicy files. Bug: 119076200 Test: build and check if the files are overridden and have the required sepolicy contexts. Change-Id: I69ed38d4ea8e7d89f56865b1ca1e26f290e9892d
-
- Dec 28, 2018
-
-
Zachary Iqbal authored
Notes: - Added face hal domain, context and file types for the default SELinux policy. - Please see aosp/q/topic:"Face+Authentication" Bug: 80155388 Test: Built successfully. Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
-
Dario Freni authored
This reverts commit 9eb3b8ff. Reason for revert: We are deciding for now not to make StagingManager a fully-fledged binder service, as it will only be accessed by PackageInstaller. We might re-evaluate this decision later if needed. Bug: 122072686 Change-Id: Ic2a53fc92ddd7d7eeccc6a4a0117f28724346ec7
-
- Dec 27, 2018
-
-
Dario Freni authored
Adding a new high-level service which will handle staged installs, i.e. installs that require a reboot. Bug: 118865310 Test: An initial implementation of StagingManager can be reached successfully by PackageManagerService and PackageInstallerService. Change-Id: I8859b463575f8ee85caae43570958347b82f967e
-
Michael Groover authored
Test: manually verified SensorPrivacyService is accessible Bug: 110842805 Merged-In: Idd215f338f2da0dab4898ea06fa08d9b4a1bcb5f Change-Id: Idd215f338f2da0dab4898ea06fa08d9b4a1bcb5f (cherry picked from commit 0ac3dea7)
-
- Dec 21, 2018
-
-
Nick Kralevich authored
This reverts commit b3624743. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots
-
Nick Kralevich authored
This reverts commit 89041472. Unittest failures of JvmtiHostTest1906#testJvmti. To do a clean revert of b3624743, we need to also revert this change. Test: compiles Bug: 121333210 Bug: 111338677
-
Emilian Peev authored
Add "rs" and "rs_exec" types to public policy. Access to these types might be needed for device specific customization. Bug: 121306110 Test: Manual using application Change-Id: Ief35d3353625adfbf468447de74aa80651dd9451
-
Florian Mayer authored
Arbitrary apps need to connect to heapprofd in order to send samples. Relevant denial trying to profile com.google.android.inputmethod.latin on userdebug: 12-20 14:50:20.420 25219 25219 I heapprofd: type=1400 audit(0.0:1006): avc: denied { read } for path="/proc/24819/mem" dev="proc" ino=244219 scontext=u:r:heapprofd:s0 tcontext=u:r:untrusted_app_27:s0:c133,c256,c512,c768 tclass=file permissive=1 Bug: 121370989 Test: m Test: flash walleye Test: profile com.google.android.inputmethod.latin Change-Id: Iee82c8c49951e5a5726cd5ab0b9e8fa71226c802
-
Remi NGUYEN VAN authored
The policies allow the system server to register a network_stack_service used to communicate with the network stack process. Test: atest FrameworksNetTests Bug: b/112869080 Change-Id: Ib9b7d9150fe4afcce03c8b3dbb36b81c67e39366
-
- Dec 20, 2018
-
-
Remi NGUYEN VAN authored
The networking stack app hosts services that used to be in the system server (IpClient, NetworkMonitor for now), but in a different process to be packaged as a mainline module. Test: booted, verified networking stack working when in app Change-Id: I300a556f51b35c17378af961cea1ec937444e597
-