Access to these files was removed in Oreo. Enforce that access is not
granted by partners via neverallow rule.

Also disallow most untrusted app access to net.dns.* properties.

Bug: 77225170
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
(cherry picked from commit 886aa54b)

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc

These denials occur fairly often, causing some logspam.

Bug: 77225170
Test: Boot device.
Change-Id: Icd73a992aee44007d0873743f706758f9a19a112

A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
Merged-In: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
(cherry picked from commit ac8c6e3d)

Give statsd rights to connect to perfprofd in userdebug.

(cherry picked from commit 488030ee)

Bug: 73175642
Test: mmma system/extras/perfprofd
Merged-In: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd
Change-Id: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd

Suppress WAI denials from crashdump.

Test: build/flash Taimen. Verify no new denials.
Bug: 68319037
Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16

This allows an optimization that consists in the "perfetto" cmdline
client passing directly the file descriptor for the output trace
to traced (as opposite to having traced streaming back the trace
data to "perfetto" and having that one doing the write() into file).
This reduces sensibly the memory traffic and CPU overhead of traces
with a minor change.

Bug: 73625179
Test: builds + perfetto_integrationtests w/ long_trace.cfg
Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
Merged-In: I81f5a230338ced20dc543fd91c5a0bd0e58725f2
(cherry picked from aosp/648831)

The permission to allow system_server to access sys/fs/bpf/ directory
is missing. Add it back so it can get the bpf maps from the bpf_fs.

Test: device boot and no more denial information of system_server try to
searcg in fs_bpf
      atest android.net.cts.TrafficStatsTest
Bug: 75285088

Change-Id: I1040cde6c038eccc4e91c69a10b20aa7a18b19f6
(cherry picked from aosp commit f83bbd17)

So that perfprofd can send larger packets to dropbox.

Follow-up of commit 3fa95acb.

(cherry picked from commit c9df8437)

Bug: 73175642
Test: m
Test: manual
Merged-In: I88d1f83962243589909ff1ce3d02195e7c494256
Change-Id: I88d1f83962243589909ff1ce3d02195e7c494256

Based on the following audit message:

type=1400 audit(1521738979.005:385): avc: denied { write } for pid=1269
comm="Binder:1269_B" name="timerslack_ns" dev="proc" ino=254190
scontext=u:r:system_server:s0 tcontext=u:r:hal_audio_default:s0
tclass=file permissive=1

Bug: 74110604
Test: adb shell dmesg | grep hal_audio_default
Change-Id: I4c2e787588eb9d223d5e50e1bc8f67876de97c2e

This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.

Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Merged-In: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Merged-In: Iba195d571aec9579195d79d4970f760e417608c6
Bug: b/73340039

To better record the network traffic stats for each network interface.
We use xt_bpf netfilter module to do the iface stats accounting instead
of the cgroup bpf filter we currently use for per uid stats accounting.
The xt_bpf module will take pinned eBPF program as iptables rule and run
the program when packet pass through the netfilter hook. To setup the
iptables rules. netd need to be able to access bpf filesystem and run the
bpf program at boot time. The program used will still be created and
pinned by the bpfloader process.

Test: With selinux enforced, run "iptables -L -t raw" should show the
xt_bpf related rule present in bw_raw_PREROUTING chain.
Bug: 72111305

Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
(cherry picked from aosp commit 5c95c168)

Test: manual
Bug: 75318418
Merged-In: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7
Change-Id: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7

With this attribute it will be easier to reference /proc files.

Bug: 74182216
Test: policy builds
Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
(cherry picked from commit 41bf08e5)

This should fix audio on non-Treble devices.

Bug: 75949883
Test: Built policy.
Merged-In: I90a4648aaf975d59be36afd5f62c88a015af10f7
Change-Id: I90a4648aaf975d59be36afd5f62c88a015af10f7
(cherry picked from commit 6e8bfa2d)

Bug: 64240127
Test: normal boot a device
Change-Id: I276ba6bc88eabb0d5562e4e96d3860eedb76aed5
Merged-In: I276ba6bc88eabb0d5562e4e96d3860eedb76aed5
(cherry picked from commit af7d85f8)

Bug: 64240127
Test: normal boot and recovery boot a device
Change-Id: I22d29e8476380d19aca1be359e0228ab6bbc3b0f
Merged-In: I22d29e8476380d19aca1be359e0228ab6bbc3b0f
(cherry picked from commit ad6231f5)

Bug: 64240127
Test: normal boot and recovery boot a device
Change-Id: Ibd71219f60644e57370c0293decf11d82f1cb35c
Merged-In: Ibd71219f60644e57370c0293decf11d82f1cb35c
(cherry picked from commit 1f717b10)

Bug: 64240127
Test: normal boot a device
Change-Id: I3626357237cc18a99511f1ebd9dd3ff5a7655963
Merged-In: I3626357237cc18a99511f1ebd9dd3ff5a7655963
(cherry picked from commit ecf656b0)

Bug: 64240127
Test: normal boot and recovery boot a device
Change-Id: I087292fb23d05fc17272778d668ac78a721b2593
Merged-In: I087292fb23d05fc17272778d668ac78a721b2593
(cherry picked from commit bae1517a)

This change adds the support of odm sepolicy customization, which can
be configured through the newly added build varaible:
    - BOARD_ODM_SEPOLICY_DIRS += device/${ODM_NAME}/${BOM_NAME}/sepolicy

Also moving precompiled sepolicy to /odm when BOARD_ODM_SEPOLICY_DIRS
is set. On a DUT, precompiled sepolicy on /odm will override the one in
/vendor. This is intentional because /odm is the hardware customization
for /vendor and both should be updated together if desired.

Bug: 64240127
Test: boot a device with /odm partition
Change-Id: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
Merged-In: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
(cherry picked from commit 45457e3a)

When extraction exif info, certain file formats may requires
parsing the container. Allow mediaprovider to use extractor
to do the parsing.

bug: 73978990
Test: manually test the scenario in b/73978990 and verify
      the Exif is extracted correctly.

Change-Id: I1cd46d793ebc9c38b816a3b63f361967e551d046
(cherry picked from commit 8e3fef3d)

Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
Merged-In: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
(cherry picked from commit 62acbce4)

Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 63932139
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90)

Provide read/write access to audioserver for Bluetooth
properties used with A2DP offload.

Bug: 63932139
Bug: 68824150
Test: Manual; TestTracker/148125
Change-Id: I40c932d085ac55bc45e6654f966b2c9d244263d0
(cherry picked from commit 041049bc)

This reverts commit 016f0a58.

Reason for revert: Was temporarily reverted, merging back in with fix.

Bug: 74486619
Bug: 36427227
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2

This reverts commit eeda6c61.

Reason for revert: broken presubmit tests

Bug: 74486619
Change-Id: I103c3faa1604fddc27b3b4602b587f2d733827b1

Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e

This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa)

Sub directories under /odm (or /vendor/odm when there isn't an odm
partition) are labeled so that artifacts under the sub directories are
treated the same as their counterpart in the vendor partition.

For example, /odm/app/* is labeled as vendor_app_file just like
/vendor/app/*.

Bug: 71366495
Test: m -j

Merged-In: I72a14fd55672cd2867edd88ced9828ea49726694
Change-Id: I72a14fd55672cd2867edd88ced9828ea49726694
(cherry picked from commit 2f101551)

Test: eSE initializes at boot
Bug: 64881253
Change-Id: Ib2388b7368c790c402c000adddf1488bee492cce
(cherry picked from commit ea3cf000)

Bug: 72177715
Bug: 72384374
Test: flash device and make sure incidentd is getting data without SELinux denials
Change-Id: I684fe014e19c936017a466ec2d6cd2e1f03022c0
(cherry picked from commit 06ac7dba)

Remove a fixed bug from bug_map.

Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef

This should fix presubmit tests.

Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

avc: denied { getattr } for path="/vendor/framework"
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0
tclass=dir

Bug: 68826235
Test: boot Taimen, verify denials no longer occur.
Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88

Now that Bluetooth supports delay reporting, audioserver needs
access to Bluetooth Properties in order to determine whether the
feature is enabled or disabled.

Bug: 32755225
Test: Enable the property and see that there was no error accessing it
Change-Id: I519d49deb2df4efb3cc2cce9c6d497db18b50c13

Remove a fixed bug from bug_map.

Bug: 73068008
Test: Built policy.
Change-Id: Id0072788953cb6b939a11caace0158da7799f540

Updates statsd sepolicy so it can use the thermal hal.

Test: verified these policies solved sepolicy issues with thermal hal.
Change-Id: I36839a72494b084d5742c4d83c3ce9814102b974