Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file.  Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.

Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened.  Restore this ability by giving apps read
access to system_server_tmpfs.  system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.

Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3

Access is deprecated for apps with targetSdkVersion=26+.

Test: build (neverallow rules are build time assertions)
Change-Id: I36480c38d45cf6bfb75f4988ffcefefc6b62d4b1

Bug: 78793464
Test: fastboot flashall

Change-Id: I5b65b818dc43a01f90a38202e3a1b810fef70ca8

Test: Built and flashed an image.
Bug: 113651685
Change-Id: Ide239432ea8a5701d91c00edd06ad3e52560a3f7

audit logs indicate that "append" is still used, but not write.

From ToT master:
avc: granted { append } for comm="tombstoned" scontext=u:r:tombstoned:s0
tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 32064548
Test: build
Change-Id: Id05853a8ae38b84deed4d8bcca5a72c64ce7fd7e

Not needed for modern Android versions. These rules are really, really
old.

Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f

When /system/bin/crash_dump is executed from the su domain, do not
perform a domain transition. This allows processes run from that domain
to crash normally without SELinux interfering.

Bug: 114136122
Test: cferris: "This change works for me. I ran the crasher executable on
  /data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp).
  All of them show that crash_dump can read the executables."
Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef

Bug: 109809543
Test: Build and boot with the new service in the internal branch.

Change-Id: Iaee365771c3e8e5b8f5f3b6112bbf902c6bb02bd

This is needed for flashall -w to wipe userdata.
Bug: 113648914
Test: fastboot erase userdata

Change-Id: I7e89cf885c9a67c78de67b79ed16af7e50104bf7

SELinux has a separate file mmap permission in 4.14+ kernels.  Add this
to profman in cases where it could already access files.

Bug: 112990132
Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc

DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.

Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e

llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126

This is not needed and could conceivably be abused.

Test: Builds.
Bug: 110107376
Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5

Test: make with WITH_TIDY=1 and clang-analyzer-* checks.
Change-Id: Ide1eaf8880132c566545710e6287f66a5a2b393c

Bug: 72825012

Test: manual
Change-Id: I850c869cdc0ad8735800130bb4a8d67822197ff9

Test: compile
Bug: 64114943
Change-Id: I1d20cc027dbd1a94e2a79b6aebdd265cefe8a6a5

Shell access to existing input devices is an abuse vector.
The shell user can inject events that look like they originate
from the touchscreen etc.

Everyone should have already moved to UiAutomation#injectInputEvent
if they are running instrumentation tests (i.e. CTS), Monkey for
their stress tests, and the input command (adb shell input ...) for
injecting swipes and things.

Remove the write ability for shell users, and add a neverallow assertion
(which is also a CTS test) to prevent regressions.

Bug: 30861057
Test: auditallow statement added in
  f617a404 hasn't triggered.
Test: ran getevent, saw correct output, played with device

Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99

Remove permissions and add neverallow assertion.

(cherry picked from commit f1554f15)

Bug: 110107376
Test: kill -6 <components excluded from ptrace>
Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c

Test to see if anyone is writing to /dev/input from the shell.

Bug: 30861057
Test: device boots and no avc granted messages.
Change-Id: Ia3499ef9436f83cf13c633525348b63edd95990f

Also move statsd to /public/

Bug: 110538431
Test: manual testing
Change-Id: I58319e169eaab7d997ed3628c3c9709cf7bd0d4a

Bug: 111215474
Test: boots
Change-Id: I98955bcd02f643400c3eb97232467c09a2c5c1e5

Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
(cherry picked from commit 7abca51d)

commit 9b2e0cbe added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns.  Apply the new macro to various self:capability
references that have cropped up since then.

Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609

Bug: 78793464
Test: fastboot getvar partition-size:super

'super_block_device' corresponds to the super partition
required for flashing dynamic partitions.

Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea