Dexoptanalyzer is getting a new mode to instruct installd on which dex
files it needs to open for itself and dex2oat from class loader context.
The file list is communicated by a pipe from a forked dexoptanalyzer
process to the installd parent. Give dexoptanalyzer permission to write
to installd's pipes.

Bug; 126674985
Test: atest installd_dexopt_test
Change-Id: Ic415e2dc543099d26681103c9d368c941d21b49a

This change allows those daemons of the audio and Bluetooth which
include HALs to access the bluetooth_audio_hal_prop. This property is
used to force disable the new BluetoothAudio HAL.
  - persist.bluetooth.bluetooth_audio_hal.disabled

Bug: 128825244
Test: audio HAL can access the property
Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74

This CL fixes leaks of the policy that we're building up. The analyzer
only caught the leaks on the error path, but I assume that
`check_assertions` does nothing to free the object that it's handed.

Analyzer warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'avrule'
[clang-analyzer-unix.Malloc]

system/sepolicy/tools/sepolicy-analyze/neverallow.c:439:9: warning:
Potential leak of memory pointed to by 'neverallows'
[clang-analyzer-unix.Malloc]

Bug: None
Test: Treehugger; reran the analyzer
Change-Id: I79a0c34e8b53d33a1f01497337590eab660ad3ec

Allow the zygote to pick up integrity-checked boot classpath
artifacts from the dalvik cache.

Bug: 125474642
Test: m
Test: manual
Merged-In: I45d760c981c55a52bd0b22c79a9cba4868a09528
Change-Id: I45d760c981c55a52bd0b22c79a9cba4868a09528

Allow the startup domain to pick up integrity-checked artifacts
from the dalvik-cache. The corresponding framework code will
only load the system server classpath.

Bug: 128688902
Test: m
Test: manual
Merged-In: Ib37f8d7c39431e2792eeb4dac1cd732307519827
Change-Id: Ib37f8d7c39431e2792eeb4dac1cd732307519827

- Allow (again) `otapreopt` (running as `postinstall_dexopt`) to
  execute `dex2oat` from `/postinstall` -- this is for the case where
  it is located in a flattened Runtime APEX in
  `/postinstall/system/apex`.
- Allow `dex2oat` to read directories under `/postinstall`.
- Allow `otapreopt_chroot` to unmount flattened APEX packages under
  `/postinstall/system/apex` (which are bind-mounted in
  `/postinstall/apex`).

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 127543974
Bug: 123684826
Bug: 113373927
Change-Id: Ie023ee5c64989ea071e1683f31073a70c93cac18

The following denial caused a presubmit failure:
06-15 15:16:24.176   956   956 I auditd  : type=1400 audit(0.0:4): avc:
denied { read write } for comm="crash_dump64" path="/dev/pts/3"
dev="devpts" ino=6 scontext=u:r:crash_dump:s0
tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Suppress these denials. They are not needed by crash_dump and are only
caused by the default behavior of sharing FDs across exec.

Test: build
Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507

After moving IpMemoryStore service to network stack module(aosp/906907),
the following untracked SELinux denials are observed on boot.

W id.networkstack: type=1400 audit(0.0:63): avc: denied { write } for
name="com.android.networkstack" dev="sda13" ino=704810
scontext=u:r:network_stack:s0:c49,c260,c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Add radio_data_file type for network stack user configuration and
relevant permission to allow access to its data, as the network stack
is a privileged app.

Test: m -j passed
Change-Id: I6eab528714df6a17aae0cb546dcc3ad4bb21deea

Test: m
Bug: 119800099
Change-Id: Idb4d4c6005e4ff271c1b5940bd39b655b674a0bb

Bug: 126472144
Test: adb shell dumpsys attention
Change-Id: Ie421b719c8fc0414ee664055aa5d007c081edf17

* changes:
  Sepolicy: Allow otapreopt_chroot to find linker
  Sepolicy: Move otapreopt_chroot to private

The linker is behind a symlink. Allow to read and follow.

Bug: 128840749
Test: m
Test: manual a/b ota
Test: DexoptOtaTests
Change-Id: I15bd76e517ab3cebf13ebd42ff6e5dae42364c83

Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da

Suppress noise associated with test mounting scratch partition.

Add internal fs_mgr_is_ext4 and fs_mgr_is_f2fs to get heads up on
mount failures and thus bypass trying.  Resolve all the avc
complaints associated with overlay handling including these new
operations.

Test: adb-remount-test.sh
Bug: 109821005
Change-Id: Ieb1f8c19ced930b6fe2d1791ef710ce528da7e37

The file descriptors for /dev/zero are no longer open. However,
a descriptor to the shell is still inherited. Update the comment.

Bug: 126787589
Test: m
Test: manual
Change-Id: I0d4518d2ba771622ea969bbf02827db45788bc09

This is a partial revert of https://android-review.googlesource.com/c/platform/system/sepolicy/+/891474

The mount points at /bionic are gone. Therefore, init and
otapreopt_chroot do not need to bionic-mount bionic libraries.
Corresponding policies are removed.

Bug: 125549215
Bug: 113373927
Bug: 120266448
Test: m; device boots
Change-Id: I9d9d7ec204315fb5b66beec4e6a3c529bd827590

Set the apex_key context for files in
/product/etc/security/apex/ and
/system/product/etc/security/apex/.

The apexd code is already looking for public keys in these locations,
but the apex_key context needs to be set to make them accessible from
apexd.

Bug: 127690808
Test: manual - verified that key files had proper SE-Linux label
Change-Id: Ib15728fa97eb438ea97a9743a06fa46e4d54f1cd

Bug: 128037879

Test: Camera HAL is able to read ro.serialno

Change-Id: I904c852a7100bc65456ee63ffb31d70681293d7d
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>

Bug: 126724929

Change-Id: I15f0ae10d5e45fc65850635230e377b6f77ad4d7

Allow everyone to look for keys in the fsverity keyring. This is
required to access fsverity-protected files, at all.

This set of permissions is analogous to allowances for the fscrypt
keyring and keys.

Bug: 125474642
Test: m
Test: manual
Change-Id: I6e8c13272cdd76d9940d950e9dabecdb210691b1

This CL add new label for files created by fsverity.

Bug: 112038861
Test: ls -Z /proc/sys/fs/verity/require_signatures.
Change-Id: I8e49ad9a43282bc608449eb0db4ea78617c4ee9a

Init needs to be aware of the policy version defined in sepolicy
for on-device compilation.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.

Change-Id: Iba861aeb4566405aedcbe3c2bad48e1e50126370

With the CLs in the same topic, it's being built as a dynamically linked
executable. And this applies to normal boot (including charger mode) and
recovery mode both.

/system/bin/charger under normal boot will be labeled as charger_exec,
which has the attribute of system_file_type.

The file in recovery image will still be labeled as rootfs. So we keep
the domain_trans rule for rootfs file, but allowing for recovery mode
only.

Bug: 73660730
Test: Boot into charger mode on taimen. Check that charger UI works.
Test: Boot into recovery mode. Check that charger process works.
Change-Id: I062d81c346578cdfce1cc2dce18c829387a1fdbc

Test: n/a
Bug: 126330086

Change-Id: I34d5085d8e6546d77cc854e27ca849462d482396
Merged-In: I34d5085d8e6546d77cc854e27ca849462d482396

To query filesystem checkpointing state.

Bug: 126740531
Test: no denials
Change-Id: I28a68b9899d7cb42d7e557fb904a2bf8fa4ecf66

avc: denied { read } for comm="crash_dump64" name="v4l-touch22"
dev="tmpfs" ino=18821 scontext=u:r:crash_dump:s0
tcontext=u:object_r:input_device:s0 tclass=chr_file

Test: build
Change-Id: Iac66b77ad255c950b21fd267c88fdbc382be2877