- Sep 19, 2018
-
-
Benjamin Gordon authored
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
-
- Sep 18, 2018
-
-
Tri Vo authored
In cases when a device upgrades to system-as-root from O to P, it needs a mount point for an already existing partition that is accessed by both system and vendor. Devices launching with P must not have /mnt/vendor accessible to system. Bug: 78598545 Test: m selinux_policy Change-Id: Ia7bcde44e2b8657a7ad9e0d9bae7a7259f40936f
-
- Sep 14, 2018
-
-
Nick Kralevich authored
Add additional compile time constraints on the ability to ptrace various sensitive domains. llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init. crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy. Test: policy compiles and device boots Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
-
- Sep 13, 2018
-
-
Nick Kralevich authored
Currently, crash_dump has the following line:

    read_logd(crash_dump)

which is a macro defined as:

    #####################################
    # read_logd(domain)
    # Ability to run logcat and read from android
    # log daemon via sockets
    define(`read_logd', `
    allow $1 logcat_exec:file rx_file_perms;
    unix_socket_connect($1, logdr, logd)
    ')

which grants both the ability to talk directly to a logd socket, as well as the ability to execute the /system/bin/logcat command line tool. This is unneeded (and problematic) for crash_dump. Crash_dump uses standard, vndk approved libraries to talk directly to logd. It never exec()s the (non-vndk approved) logcat command. As crash_dump is a vndk approved component and executed by vendor code, allowing this transitively makes /system/bin/logcat a vndk component too, which we want to avoid. Instead of using the read_logd() macro, just directly add the unix_socket_connect() call. This allows talking directly to logd, but blocks the use of the (unneeded) /system/bin/logcat executable. Test: crasher binary still works when executed from adb shell Change-Id: I1fe9d0f5f0234c96454a0d91338fa2656f083345
-
Hridya Valsaraju authored
Metadata needs to be erased as part of fastboot flashall -w. Test: fastboot erase metadata Bug: 113648914 Change-Id: I38a0debd9face16cad9d9a13a48549f3f58652fa
-
Yangster authored
Test: manual test BUG: b/112432890 Change-Id: If703cd25a2c0864ffd49bfdc83821fae291974b5
-
- Sep 12, 2018
-
-
Nick Kralevich authored
Test: comments only. Policy compiles. Change-Id: Ic51533d37fff6c553950a122f33a48e3c119c67c
-
Nick Kralevich authored
The number of block devices used in an Android device is too damn high (insert meme here). Let's at least add some links to documentation to help describe the partition layout expected on a typical Android device. This builds on top of the work in making the bootloader information accessible (b/28905584). Test: only adding comments. Policy compiles. Change-Id: I8976b855e46255f7e18fa2b807ba83e0db92a82d
-
Chong Zhang authored
bug: 113609172 Change-Id: Ifff91630c3622661139ff27f25932258802cb082
-
- Sep 11, 2018
-
-
Tao Bao authored
These values will be read by platform module (/sbin/charger), and need to be configurable by vendor init. Bug: 113567255 Test: Build along with other CLs in the topic (for Makefile and libminui changes). Boot into charger mode. Test: Boot into recovery. Run graphics test. Change-Id: I5b272f345e2a5a255c2f660c59c1da3245aa1e03
-
Torne (Richard Coles) authored
Allow the shared_relro creation process to make calls to PackageManager, so that it can create a classloader corresponding to the current WebView implementation. This avoids needing to pass an absolute path to the native library to the process, which required that the calling code duplicate existing logic in the framework to find the library and resulted in bugs and inconsistencies. Bug: 110790153 Test: WebView-related CTS and GTS tests Change-Id: I9902bb0400e2a800021dac06278151c8541d458f
-
Martijn Coenen authored
But in a very restricted form: 1) Nobody can initiate calls into init 2) Nobody can transfer binder objects into init, except servicemanager Bug: 112684055 Test: device boots Change-Id: Icfb218f2871e234284c74e096eccd7a2e786cf94
-
- Sep 10, 2018
-
-
Joel Galenson authored
Allow dumpstate to get information about sockets and dontaudit accessing vendor files when running df. Bug: 112440280 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials Change-Id: Ide3cb2f3ce3f079bf30b3bd46810f9b55e105b2b
-
- Sep 08, 2018
-
-
Tri Vo authored
Bug: 114017832 Test: m selinux_policy Change-Id: I1dcb09c76b3e49888d278a154d79add6c6a6c977
-
- Sep 07, 2018
-
-
Hridya Valsaraju authored
adbd is started by an init trigger now when sys.usb.config is set to adb. Test: adb sideload works in user/userdebug builds Bug: 113563995 Change-Id: I23db4074cd49cf0ba6c4eb27510e3a5caad5681b
-
Hridya Valsaraju authored
Bug: 78793464 Test: fastboot flashall Change-Id: I5b65b818dc43a01f90a38202e3a1b810fef70ca8
-
- Sep 06, 2018
-
-
Marcin Oczeretko authored
Test: Built and flashed an image. Bug: 113651685 Change-Id: Ide239432ea8a5701d91c00edd06ad3e52560a3f7
-
Jeff Vander Stoep authored
audit logs indicate that "append" is still used, but not write. From ToT master:

    avc: granted { append } for comm="tombstoned" scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 32064548 Test: build Change-Id: Id05853a8ae38b84deed4d8bcca5a72c64ce7fd7e
-
Nick Kralevich authored
Not needed for modern Android versions. These rules are really, really old. Test: "adb bugreport" continues to work Test: Generating a bugreport via key combo continues to work. Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
-
- Sep 05, 2018
-
-
Makoto Onuki authored
Bug: 109809543 Test: Build and boot with the new service in the internal branch. Change-Id: Iaee365771c3e8e5b8f5f3b6112bbf902c6bb02bd
-
Hridya Valsaraju authored
This is needed for flashall -w to wipe userdata. Bug: 113648914 Test: fastboot erase userdata Change-Id: I7e89cf885c9a67c78de67b79ed16af7e50104bf7
-
- Sep 04, 2018
-
-
Benjamin Gordon authored
SELinux has a separate file mmap permission in 4.14+ kernels. Add this to profman in cases where it could already access files. Bug: 112990132 Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
-
Jeff Vander Stoep authored
DropboxManager may pass FDs to any app with the READ_LOGS permission which is available to all apps as a development permission. Test: atest CtsIncidentHostTestCases Fixes: 111856304 Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
-
Mark Salyzyn authored
llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
-
- Aug 30, 2018
-
-
Kevin Chyn authored
Bug: 72825012 Test: manual Change-Id: I850c869cdc0ad8735800130bb4a8d67822197ff9
-
- Aug 28, 2018
-
-
Mark Salyzyn authored
Test: compile Bug: 64114943 Change-Id: I1d20cc027dbd1a94e2a79b6aebdd265cefe8a6a5
-
Nick Kralevich authored
Shell access to existing input devices is an abuse vector. The shell user can inject events that look like they originate from the touchscreen etc. Everyone should have already moved to UiAutomation#injectInputEvent if they are running instrumentation tests (i.e. CTS), Monkey for their stress tests, and the input command (adb shell input ...) for injecting swipes and things. Remove the write ability for shell users, and add a neverallow assertion (which is also a CTS test) to prevent regressions. Bug: 30861057 Test: auditallow statement added in f617a404 hasn't triggered. Test: ran getevent, saw correct output, played with device Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99
-
Jeff Vander Stoep authored
Remove permissions and add neverallow assertion. (cherry picked from commit f1554f15) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c
-
- Aug 24, 2018
-
-
Nick Kralevich authored
Test to see if anyone is writing to /dev/input from the shell. Bug: 30861057 Test: device boots and no avc granted messages. Change-Id: Ia3499ef9436f83cf13c633525348b63edd95990f
-
- Aug 23, 2018
-
-
Howard Ro authored
Also move statsd to /public/ Bug: 110538431 Test: manual testing Change-Id: I58319e169eaab7d997ed3628c3c9709cf7bd0d4a
-
- Aug 22, 2018
-
-
Christine Franks authored
Bug: 111215474 Test: boots Change-Id: I98955bcd02f643400c3eb97232467c09a2c5c1e5
-
- Aug 21, 2018
-
-
Tri Vo authored
Bug: 110887137 Test: Flash new system policy onto a device with vendor policy that uses untrusted_app_visible_* attributes, and check that old and new attributes are applied to exactly same types. Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e (cherry picked from commit 7abca51d)
-
Benjamin Gordon authored
commit 9b2e0cbe added a new self:global_capability_class_set macro that covers both self:capability and self:cap_userns. Apply the new macro to various self:capability references that have cropped up since then. Bug: 112307595 Test: policy diff shows new rules are all cap_userns Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
-
- Aug 20, 2018
-
-
Hridya Valsaraju authored
Bug: 78793464 Test: fastboot getvar partition-size:super 'super_block_device' corresponds to the super partition required for flashing dynamic partitions. Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea
-
- Aug 17, 2018
-
-
Zheng Zhang authored
mediaserver is receiving a file passed as a file descriptor. Just read and map is enough, and open should not be allowed for mediaserver. Bug: 78436043
-
- Aug 15, 2018
-
-
Jerry Zhang authored
Also allow adb and fastboot to talk to recovery through recovery_socket. This enables changing between modes with usb commands. Test: No selinux denials Bug: 78793464 Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
-
Florian Mayer authored
This reverts commit 0fd3ed3b. Reason for revert: Broke user builds. Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
-
- Aug 14, 2018
-
-
Steven Moreland authored
Forgotten cleanup item. Bug: 35870313 Test: making sepolicy (neverallows resolved at compile time) Change-Id: If9a583c4508db63356869502ec374727afa84b0b
-
Nick Kralevich authored
Quotes and backticks are sensitive characters and should never show up in a comment. Fix comment to avoid the use of a single quote. Also fixes a bug where certain rules were not getting included in the compiled policy. Fixes the following build warnings:

    [ 3% 3564/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
    m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
    [ 3% 3578/114975] build out/target/product/taimen/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf
    m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
    [ 3% 3579/114975] build out/target/product/taimen/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy.conf
    m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
    [ 3% 3607/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
    m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
    [ 3% 3677/114975] build out/target/product/taimen/obj/ETC/built_plat_sepolicy_intermediates/base_plat_policy.conf
    m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored

Test: policy compiles and no warnings. Change-Id: Ie32d8b536955b40888b79e3a93851d2ae297f8ee
-
Jerry Zhang authored
Also allow adb and fastboot to talk to recovery through recovery_socket. This enables changing between modes with usb commands. Test: No selinux denials Bug: 78793464 Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
-