- Nov 06, 2018
Tri Vo authored
-
Tri Vo authored
These /dev nodes are device-specific and should be labeled from device policy. Moreover, Pixels don't have these /dev nodes.

Bug: 110962171
Test: boot Pixel 3
Change-Id: I37ca9a956130eb4763c75f5e8a0decbd4f7b97a7
-
Felipe Leme authored
-
Tri Vo authored
-
Luke Huang authored
Test: built, flashed, booted. Clatd works well
Bug: 119006129
Change-Id: Ie3b2a7b44040755787787ff2b8e6199cac7aec8e
-
- Nov 05, 2018
Tri Vo authored
Bug: 111243627
Test: m selinux_policy
Change-Id: I37d03906b93c8810f1d33af736f19fd6ab241c35
-
Felipe Leme authored
Bug: 111276913
Test: manual verification
Change-Id: Icb309bb07e4e4b39cdc912b1d3dc1ece9cb55f5f
-
Kenny Root authored
Mark the ADB service as a system_api_service so that SystemUI can tell it that the device is accepted.

Refactoring split the AdbService out of the UsbService. UsbService is marked as an app_api_service which SystemUI is allowed to connect to; AdbService must be marked similarly as either system_api_service or app_api_service. However, only system apps should talk to AdbService currently.

SELinux : avc: denied { find } for service=adb pid=1737 uid=10041 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:adb_service:s0 tclass=service_manager permissive=0

Introduced in Change-Id Ibf23964665a115a5bc835820dcff98aaf7ba610f

Test: Flash userdebug, accept ADB key, and replug USB
Bug: 118999282
Change-Id: I47b5090908ed84d0ba7a9fca100b299011bf8796
-
- Nov 02, 2018
Nick Kralevich authored
Allow sgdisk to force the kernel to re-read the partition table.

Addresses the following denial:

avc: denied { ioctl } for path=/dev/block/vold/disk:7,0 dev=tmpfs ino=710640 ioctlcmd=125f scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Bug: 118890056
Test: policy compiles
Test:
1) adb shell sm set-force-adoptable on
2) adb shell sm set-virtual-disk true
3) On device, pick the drop-down notification and choose "use as phone/internal storage" to adopt the virtual SD card.
Change-Id: I6825cf526cc48aa2a17afab14eadb6134bfc56f9
-
Treehugger Robot authored
-
Nick Kralevich authored
-
Jiyong Park authored
A sysprop apexd.status is set by apexd, so that other components (i.e. init) can determine whether APEXs are all successfully mounted or not (i.e., being mounted). The sysprop is only writable by apexd.

Bug: 117403679
Test: adb shell getprop apexd.status returns 'ready'.
Change-Id: I81bcb96e6c5cb9d899f29ffa84f91eab3820be25
-
Nick Kralevich authored
Update access_vectors to support newer kernel functionality. This change does not grant any new access.

Inspired by the following refpolicy commits:
* https://github.com/SELinuxProject/refpolicy/commit/25a5b2427447eb14edb07ce302217d37528813bc
* https://github.com/SELinuxProject/refpolicy/commit/109ab3296bce27281c453617d3629a238f5e4dbf
* https://github.com/SELinuxProject/refpolicy/commit/437e48ac53307e1e2e13e49d349c0a09b12eb187

Bug: 118843234
Test: policy compiles
Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
-
- Nov 01, 2018
Treehugger Robot authored
-
Treehugger Robot authored
-
Nick Kralevich authored
Require all SELinux domains which have permission to perform ioctls on /dev/tun explicitly specify what ioctls they perform. Only allow the safe defaults FIOCLEX and FIONCLEX, which are alternate, uncommon ways to set and unset the O_CLOEXEC flag.

Remove app's ability to issue *any* ioctls on /dev/tun, period. Add neverallow assertions (compile time assertion + CTS test) to prevent regressions.

Limit system_server's ability to perform ioctls on /dev/tun to FIOCLEX, FIONCLEX, TUNGETIFF, and TUNSETIFF. Testing and source code examination shows that only TUNGETIFF and TUNSETIFF are used by system_server.

The goal of this change is to put SELinux ioctl controls in place for /dev/tun, so we don't have to maintain the custom kernel patch at https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21

Delete the neverallow assertion in isolated_app.te. This is already covered by the assertion present in app_neverallows.te.

Test: cts-tradefed run cts -m CtsHostsideNetworkTests -t com.android.cts.net.HostsideVpnTests
Test: cts-tradefed run cts -m CtsHostsideNetworkTests
Test: cts-tradefed run cts -m CtsNetTestCases
Bug: 111560739
Bug: 111560570
Change-Id: Ibe1c3a9e880db0bee438535554abdbc6d84eec45
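As an added illustration of the ioctl whitelisting pattern the message above describes (not the commit's own diff), here is how the allowxperm/neverallowxperm rules fit together; it assumes the AOSP attributes domain and all_untrusted_apps, the tun_device type, the rw_file_perms macro, and the ioctl_defines names FIOCLEX, FIONCLEX, TUNGETIFF and TUNSETIFF:

```selinux
# Added example, not the commit's diff. Assumes AOSP's tun_device type and
# the ioctl_defines names (FIOCLEX 0x5451, FIONCLEX 0x5450, TUNGETIFF 0x54d2,
# TUNSETIFF 0x54ca); SELinux matches ioctls on the low 16 bits of the command.

# Opening /dev/tun needs ordinary chr_file permissions. Once any allowxperm
# rule exists for a class/permission pair, a plain 'ioctl' grant no longer
# means "every command": only the commands listed in allowxperm are allowed.
allow system_server tun_device:chr_file rw_file_perms;

# Safe defaults for every domain that holds chr_file ioctl on /dev/tun: the
# two commands that only set or clear O_CLOEXEC on the descriptor.
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };

# system_server additionally needs only the two interface-configuration
# commands it was observed to use, so nothing else is listed for it.
allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };

# Compile-time assertions (mirrored by the CTS tests): apps get no ioctl on
# /dev/tun at all, and any domain other than system_server is held to the
# O_CLOEXEC defaults. A domain that legitimately needs more must declare its
# own allowxperm set and be added to the exclusion list here.
neverallow all_untrusted_apps tun_device:chr_file ioctl;
neverallowxperm { domain -system_server } tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX };
```

A denial for an unlisted command shows up in the audit log with ioctlcmd=0x... in the avc record, which is how the tun, sgdisk and vold commits on this page found the commands they then whitelisted.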
-
Treehugger Robot authored
-
Tri Vo authored
Emulator device can not be considered a full treble device even though it has PRODUCT_SHIPPING_API_LEVEL = 28. This prevents us from merging neverallow rules that implement Treble requirements (aosp/798433). As a temporary workaround, disable the checks on that variable.

Bug: 112933807
Bug: 113124961
Bug: 111243627
Test: m selinux_policy
Change-Id: I9a29c01dfcbc70e4ba1e4eef233355bc18ec2108
-
Nick Kralevich authored
Add support for the HDIO_GETGEO and BLKGETSIZE ioctls when operating on /dev/block/vold/ block devices.

HDIO_GETGEO is needed by the sgdisk code to get the number of heads on the disk drive, likely a side effect of the age of this code.
https://android.googlesource.com/platform/external/gptfdisk/+/646af625ced09e5d81e07fe8c02c32017e3cbc07/diskio-unix.cc#193

Addresses the following denial:

audit(0.0:1775): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x301 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

BLKGETSIZE is used to determine the size of the block device. Ideally code should not be using this ioctl, as it fails for devices >= 2T in size. Technically we don't need to grant this, as the sgdisk code will fall back to using BLKGETSIZE64 if BLKGETSIZE fails.
https://android.googlesource.com/platform/external/gptfdisk/+/646af625ced09e5d81e07fe8c02c32017e3cbc07/diskio-unix.cc#430

Addresses the following denial:

audit(0.0:1778): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x1260 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: Iaa5274721e8a7d1741591570e9e5305723aad640
-
Mark Salyzyn authored
Already has permissions to remove the scratch partition, but to allow more refined cleansing (e.g. just remove vendor override), need the ability to mount and scrub overlay directories.

Test: manual
Bug: 117605276
Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f
-
Minchan Kim authored
-
Hongyi Zhang authored
Test: manual on device
Change-Id: Ibafe1b345489c88a49a7ed3e2e61e5cc5e1880a1
-
Treehugger Robot authored
-
Minchan Kim authored
Vendors need to hook the bugreport property as well as dumpstatez. This CL exports it.

Test: Confirmed vendor can get property trigger hook manually
Bug: 118718191
Change-Id: I64a0e38716fb863ccd8923c6c41a776ea341f2d1
Signed-off-by: Minchan Kim <minchan@google.com>
-
- Oct 31, 2018
Treehugger Robot authored
-
David Anderson authored
-
Nick Kralevich authored
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). system/sepolicy commit 4397f082 introduced the permission to Android and updated common macros. Since then, we've been adding more mmap support where it was accidentally omitted.

Add the ability for isolated_apps to mmap() app data files. There's no reason why this should be blocked. Also fixup sdcard access which has similar problems.

Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
-
Nick Kralevich authored
Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed.

Bug: 62356545
Test: device boots, no permission errors
Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
-
Treehugger Robot authored
-
Nick Kralevich authored
This reverts commit 0dd738d8.

Reason for revert: CtsSimpleperfTestCases CTS test case failures. See b/118704604 for details.

Bug: 112357170
Bug: 118704604
Change-Id: Ibe921f3bbc3404694542ef695883c1a30777d68b
-
- Oct 30, 2018
David Anderson authored
These ioctls are similar to BLKGETSIZE64; they return benign information about the partition's alignment, and are used by liblp to optimally align dynamic partition extents. The system_block_device is included here because on retrofit devices, the "super" partition is mapped to the system partition.

Bug: 116802789
Test: fastboot flashall
Change-Id: I38282904828105cf5f16ce9d4b5884d2b0e89d38
-
Tri Vo authored
This is a temporary measure to disable treble sepolicy tests for non-compliant targets.

Bug: 113124961
Bug: 111243627
Change-Id: I83d6efad0ff5c7d87a4b990560c390b66aeb3653
Test: m selinux_policy
-
Wei Wang authored
-
Tri Vo authored
-
Nick Kralevich authored
This reverts commit 67ed4328.

Reason for revert: Broken CTS test. See b/118642091

Bug: 118642091
Bug: 110379912
Change-Id: I5afd16bf23149c74f2740720cdd248a255ff1497
-
- Oct 29, 2018
Treehugger Robot authored
-
Treehugger Robot authored
-
Nick Kralevich authored
untrusted_app: Remove the ability to run execve() on files within an application's home directory. Executing code from a writable /home directory is a W^X violation (https://en.wikipedia.org/wiki/W%5EX). Additionally, loading code from application home directories violates a security requirement that all executable code mapped into memory must come from signed sources, or be derived from signed sources.

Note: this change does *not* remove the ability to load executable code through other mechanisms, such as mmap(PROT_EXEC) of a file descriptor from the app's home directory. In particular, functionality like dlopen() on files in an app's home directory continues to work even after this change.

untrusted_app_25 and untrusted_app_27: For backwards compatibility, continue to allow these domains to execve() files from the application's home directory.

seapp_contexts: Bump the minimum API level required to enter the untrusted_app domain. This will run API level 27-28 processes in the API level 27 sandbox. API level 28 will continue to run with levelFrom=all, and API level 27 will continue to run with levelFrom=user.

Bug: 112357170
Test: Device boots and no obvious problems.
Test: See CTS test at https://android-review.googlesource.com/c/platform/cts/+/804228
Change-Id: Ief9ae3a227d16ab5792f43bacbb577c1e70185a0
-
- Oct 27, 2018
Jeff Sharkey authored
Update the "allowxperm" to reflect the various ioctl() performed in the vold source code.

Bug: 118437832
Test: atest android.os.storage.cts.StorageManagerTest
Change-Id: Ide3a09104d8b4ce7fa2b7e23e9b215139186f595
-