Addresses the following denial:

avc: denied { ioctl } for comm="top" path="/dev/pts/0" dev="devpts"
ino=3 ioctlcmd=5402 scontext=u:r:shell:s0 tcontext=u:object_r:devpts:s0
tclass=chr_file permissive=0

Bug: 33073072
Bug: 7530569
Test: policy compiles.
Change-Id: If9178d29f2295be46bb118df00ebf73a6ebc9f81

In particular, get rid of TIOCSTI, which is only ever used for exploits.

http://www.openwall.com/lists/oss-security/2016/09/26/14

Bug: 33073072
Bug: 7530569
Test: "adb shell" works
Test: "adb install package" works
Test: jackpal terminal emulator from
      https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
      works
Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Needed for legacy VPN access.

Note that ioctl whitelisting only uses the type and command fields
of the ioctl so only the last two bytes are necessary, thus 0x40047438
and 0x7438 are treated the same.

Bug: 30154346
Change-Id: I45bdc77ab666e05707729a114d933900655ba48b

Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.

Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe

Needed for legacy VPN access.

Note that ioctl whitelisting only uses the type and command fields
of the ioctl so only the last two bytes are necessary, thus 0x40047438
and 0x7438 are treated the same.

Bug: 30154346
Change-Id: I45bdc77ab666e05707729a114d933900655ba48b

Per "man socket":

  SIOCGSTAMP
  Return a struct timeval with the receive timestamp of the last packet
  passed to the user. This is useful for accurate round trip time
  measurements. See setitimer(2) for a description of struct timeval.
  This ioctl should only be used if the socket option SO_TIMESTAMP is
  not set on the socket. Otherwise, it returns the timestamp of the last
  packet that was received while SO_TIMESTAMP was not set, or it fails
  if no such packet has been received, (i.e., ioctl(2) returns -1 with
  errno set to ENOENT).

Addresses the following denial:

avc: denied { ioctl } for comm=6E6574776F726B5F74687265616420
path="socket:[42934]" dev="sockfs" ino=42934 ioctlcmd=8906
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket permissive=0

Bug: 29333189
Change-Id: I916a695fa362cf1cf6759629c7f6101e9f657e7d

TIOCGWINSZ = 0x00005413

avc: denied { ioctl } for comm="ls" path="socket:[362628]" dev="sockfs" ino=362628 ioctlcmd=5413 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0

Bug: 28171804
Change-Id: I460e2469730d0cd90d714f30803ef849317d4be7

(cherry picked from commit 6ba383c5)

Restrict unix_dgram_socket and unix_stream_socket to a whitelist.
Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.

Neverallow third party app use of all ioctls other than
unix_dgram_socket, unix_stream_socket, netlink_selinux_socket,
netlink_route_socket, tcp_socket, udp_socket and rawip_socket.

Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab

Move from privileged macro to unprivileged.

Bug: 28164785
Change-Id: Ide39dc0009871c209249a41e574e84009ac47380

Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls

Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7

Addresses
avc: denied { ioctl } for path="socket:[69748]" dev="sockfs" ino=69748
ioctlcmd=8933 scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket

Change-Id: Iee3821ade9dc044fa03705902923ed18c91425dd

Remove untrusted/isolated app access to device private commands.

Only allow shell user to access unprivileged socket ioctl commands.

Bug: 26324307
Bug: 26267358
Change-Id: Iddf1171bc05c7600e0292f925d18d748f13a98f2

Enforce via neverallow rule by adding WAN_IOC_ADD_FLT_RULE
and WAN_IOC_ADD_FLT_RULE_INDEX to neverallow macro.

Bug: 26324307
Change-Id: I5350d9339e45ddeefd5423c3fe9a0ea14fe877b2

Reduce the socket ioctl commands available to untrusted/isolated apps.
Neverallow accessing sensitive information or setting of network parameters.
Neverallow access to device private ioctls i.e. device specific
customizations as these are a common source of driver bugs.

Define common ioctl commands in ioctl_defines.

Bug: 26267358
Change-Id: Ic5c0af066e26d4cb2867568f53a3e65c5e3b5a5d

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3

This reverts commit 2ea23a6e.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca

This reverts commit 2ea23a6e.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca

Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3

Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls

Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c