Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837

Remove the exemptions for untrusted apps and broaden the neverallow so
they can't be reinstated. Modifying executable pages is unsafe. Text
relocations are not supported.

Bug: 111544476
Test: Builds.
Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7

Bug: 80414790
Test: boots
Change-Id: I15233721fa138e0fdf1a30f66d52b64cbab18b81

Bug: 72458734
Test: Compile current system sepolicy with P vendor sepolicy
Test: Plug in a P device then do:
m selinux_policy
cp $OUT/system/etc/selinux/plat_sepolicy.cil  plat_sepolicy.cil
cp $ANDROID_BUILD_TOP/system/sepolicy/private/compat/28.0/28.0.cil 28.0.cil
adb pull /vendor/etc/selinux/plat_pub_versioned.cil
adb pull /vendor/etc/selinux/vendor_sepolicy.cil
secilc plat_sepolicy.cil -m -M true -G -N -c 30 28.0.cil \
plat_pub_versioned.cil vendor_sepolicy.cil
Change-Id: I399b3a204eb94bee0ba1b5024b1c3463219c678e

This is so we can get data on which apps are actually doing this.

Bug: 111544476
Test: Device boots. No audits seen on test device.
Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea

Steps taken to produce the mapping files:

1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng

2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.

Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c

Test: debuggerd -j `pidof system_server`
Change-Id: I6cca98b20ab5a135305b91cbb7c0fe7b57872bd3

Add selinux policy for the new Binder-based vr flinger vsync service.

Bug: 72890037

Test: - Manually confirmed that I can't bind to the new vsync service
from a normal Android application, and system processes (other than
vr_hwc) are prevented from connecting by selinux.

- Confirmed the CTS test
  android.security.cts.SELinuxHostTest#testAospServiceContexts, when
  built from the local source tree with this CL applied, passes.

- Confirmed the CTS test
  android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521,
  when built from the local source tree with this CL applied, passes.

Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06

Bug: 110900684
Change-Id: I9fd141e0d56d0135c563467b7ca2f08b6af6700b`

Export /proc/sys/kernel/perf_cpu_time_max_percent and
/proc/sys/kernel/perf_event_mlock_kb in proc_perf. So
they can be read in shell and written by init.

This is needed by simpleperf to control cpu percent and
memory used for profiling.

Bug: 110706031
Test: build and boot hikey960 successfully.

Change-Id: I2a01f583508003ab73427bab30a7982a27dfa677

Test: adb logcat | grep "Wrong interface type."

Bug: 77924251
Change-Id: Idf9d7ae6db0d41bb0c2f94b2183bfe23f0c21155

This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861

Suppress selinux logspam for non-API files in /sys.

Bug: 110914297
Test: build
Change-Id: I9b3bcf2dbf80f282ae5c74b61df360c85d02483c

Bug: 110808288
Test: device boots with /mnt/product present and selinux label
      mnt_product_file applied correctly.

Change-Id: I596e4b79285fe1a79d31ad1b07f4bcffe6a6cd98

Bug: 110757800
Test: none
Change-Id: I2627c43fc45a78c936fa4a7ca968c606c89b9728

Test: ls -laZ /vendor/bin/hw/android.hardware.bluetooth*
Change-Id: I394594ad041f87583ca6b5b44d836cfab5da8103
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Merged-In: I394594ad041f87583ca6b5b44d836cfab5da8103

Bug: 110230810
Test: N/A
Change-Id: Ide135dd5a8da05f0ea639bf03ce9612862108225

This reverts commit b5dc6137.

Reason for revert: Reverted incorrect change

Change-Id: Ieafa3338e28ffeed40bcceb73486cffbfbd08b9d

This reverts commit faebeaca.

Reason for revert: broke the build

Change-Id: I3d61ce011ad42c6ff0e9f122de3daa37e846407a

This change makes it such that only init can start adbd directly. It
also introduces new rules for ctl.{start,stop,restart} properties such
that only usbd and recovery (and su, since it's permissive) can directly
ask init to start adbd.

Bug: 64720460
Test: adbd still runs
Test: /data/nativetest64/adbd_test/adbd_test
Test: python system/core/adb/test_adb.py
Test: "USB debugging" in System Settings still start/stop adbd
Test: Recovery menu still make the device show as "recovery" in adb
      devices
Test: "Apply update from ADB" in recovery menu still works
Change-Id: Iafcda8aa44e85129afcc958036b472d856fa1192

This property is read by the audio service in system server to toggle
camera shutter sound enforcement on a device-specific basis.

Test: Camera shutter sound enforcement works when audio.camerasound.force is set
Bug: 110126976
Change-Id: I2720d3c699c4712d1a328f59dde0b16bbf1016f3

This adds a label for system properties that will affect system-wide
time / time detection logic.

The first example will be something like:
persist.time.detection_impl_version

Bug: 78217059
Test: build
Change-Id: I46044f1e28170760001da9acf2496a1e3037e48a

When we have wide color gamut content, SurfaceFlinger might want to send a
PowerHint through Power Hal to boost GPU to higher frequency, to make sure GPU
composition can finish in time.

BUG: 110112323
Test: adb shell cat /sys/class/kgsl/kgsl-3d0/devfreq/cur_freq
Change-Id: If60c13aedc4ff84eaefd3430794dc15a478c5a73

Grant access to icmp_socket to netdomain. This was previously
labeled as rawip_socket which apps are allowed to use. Neverallow
all other new socket types for apps.

Kernels versions > 4.9 redefine ICMP sockets from rawip_socket
to icmp_socket. To pass neverallow tests, we need to define
which IOCTLs are allowed (and disallowed).

Note that this does not change behavior on devices with
kernel versions <=4.9. However, it is necessary (although not
sufficient) to pass CTS on kernel version 4.14.

Bug: 110520616
Test: Grant icmp_socket in net.te and build.
Change-Id: I5c7cb6867d1a4cd1554a8da0d55daa8e06daf803

Like /system and /product, /product-services will contain apps that
should have the same privileges as the one in other system partitions.

Bug: 80741439
Test: successfully tested e2e on two devices, one with
/product-services partition and another with /product-services
symlinking to -> /system/product-services
Change-Id: Ieee7a9a7641a178f44bb406dbdef39ed46713899

Add sepolicy entries for the new time zone detector service.

The timezonedetector_service will be called from the
telephony process.

Bug: 78217059
Test: make / booted device
Change-Id: Ib719a4bb444b2af7dd71910fb0bd12992df9d88c

There will likely be no need for platform apps
to call the timedetector_service; it was added
in error.

Bug: 78217059
Test: build / boot
Change-Id: Ie299c92a60f26fe6cb00562219e386a9f13e459f

init, dumpstate and shell

Test: check avc for init is now gone
Bug: 7232205
Bug: 109821005
Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5

To ensure a surprise reboot does not take the last boot reason on
face value especially if coming from more than one boot sessions ago.
We shift and clear the value from persist.sys.boot.reason to
sys.boot.reason.last and establish a correct last reboot reason in
the canonical sys.boot.reason property.  As a result, the power
manager should read the canonical sys.boot.reason for a definitive
result rather than relying on the possibly incorrect values in the
persistent storage.  sys.boot.reason should be a core property as
it represents the canonical boot reason API.

Test: compile
Bug: 86671991
Bug: 63736262
Change-Id: If3742c487d6c0ab69c464f056bf48c786b66a945

The shell is now available directly in the recovery ramdisk. We no
longer need to mount system.img to /system as the recovery ramdisk is
self-contained. However, there is a problem that every file in the
ramdisk is labeled as rootfs because the ramdisk does not support xattr.

This CL adds several recovery-only rules that are required to make the
recovery ramdisk self-contained. Most importantly, adbd is allowed to
domain_trans to shell. Also shell is allowe to execute files of type
rootfs. Finally, the recovery is allowed to mount on tmpfs since it now
mounts system.img to /mnt/system.

Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: `adb root && adb shell` and then
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.

Change-Id: If21b069aee63541344a5ca8939fb9a46ffef4d3e

This change removes references to the common time management
service.

Bug: 80462439
Test: build / boot
Merged-In: I2c8fca44fe05e3a35f5580d23e23a4c033075613
Change-Id: I2c8fca44fe05e3a35f5580d23e23a4c033075613

Bug: 80414790
Test: boots
Change-Id: I3d6bb4e7da9d697ec8ff7502880543be89aee349

This commit contains the changes needed to add the new
time detector system server service.

Bug: 78217059
Test: make / booted device
Change-Id: I7cfaac6cac876e4aa73e8af1aa5f837117bb9ad7

Clatd and zygote
are all overprivileged
as is storaged

Test: Verify no "granted" messages from dogfooders. Build flash
aosp_taimen-userdebug. Verify no denials.
Change-Id: I735adcffed553962ad12072716a7200883930dcf

The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.

Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59

Before, it was possible to access a hwservice without declaring
that you were a client.

This introduces the following macro:
hal_attribute_hwservice_client(hal_foo, hal_foo_hwservice)

which makes sure the above implication holds using a neverallow rule.

Bug: 80319537
Test: boot + sanity
Change-Id: Iededae68f14f0f3bd412c1205aa3b650a54d55c6

(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e

In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.

In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.

Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046

Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e)

The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.

Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.

Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708
Merged-In: I793c6f54cd9364f33853983f8c5dfb28b98c2708