avc: denied { sys_resource } for comm="adbd" capability=24
scontext=u:r:adbd:s0 tcontext=u:r:adbd:s0 tclass=capability

Test: build aosp_sailfish-userdebug
Bug: 78935353
Change-Id: I094e54cbd61245d368f3164e30222dfdff902ffa

Bug: 78517829
Test: build aosp_sailfish-userdebug
Change-Id: I5e1a97b9fb6fa9ff9fd49e1e664769ae70aeda37

When opening the dex files we sometime need to check for the real location
of the file (even if it was open via an fd).

Denial example:

avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0

Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323

(cherry picked from commit 9e80bfc8)

Change-Id: I934170a67640bb8534c123848468c0861b245eeb

Grant fsetid as it was done for installd. Suppress write to
profile files.

Bug: 77958490
Test: m
Test: manual
Change-Id: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62

The following properties will be whitelisted.
- ro.hdmi.device_type, ro.hdmi.wake_on_hotplug and
persist.sys.hdmi.keep_awake for hdmi
- ro.sf.disable_triple_buffer for SurfaceFlinger
- media.stagefright.cache-params and persist.sys.media.avsync for
nuplayer

Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07

Bug: 78591623
Test: Create a new user with a fingerprint. Reboot. Delete that user.
    Check for denials, files left over in /data/*_{c,d}e/10
Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf

In order to support passthrough + binderized implementations
with a simple switch, there is a hierarchy of attributes for
different hal servers.

           /------- hal_X --------\
           |               **     |
           v                      v
      hal_X_client           hal_X_server
           |                      |
           |                      |
           v                      v
    halclientdomain        halserverdomain

** - hal_X -> hal_X_server is only on non-Treble devices. This
  is because on these devices, certain HALs are allowed to be
  loaded directly into the client process in "passthrough" mode
  as was the case in Android before Android O. This is a legacy
  compatibility mode. On Treble devices, any client can also be
  hal_X just by virtue of a server being able to also be a hal
  client.

There is also one exception to this rule. su is not given every
hal_* permission. If it is given all of these permissions on
non-Treble devices, it must be added as an exemption to many
other neverallow rules. As a sideeffect (which existed before
this patch), su is not allowed to talk directly to all hardware
on non-Treble devices as with Treble devices.

Fixes: 34180936
Test: compile only (neverallow rules are resolved at compile time)

Change-Id: I47122daf95acd49cadaf8b7664e56268dac78945

The /dev/ion driver's file operations structure does not specify a
write operation. Granting write is meaningless. This audit statement
has been around since Android Oreo and logs collected from dogfooders
shows that no apps are attempting to open the file with write
permissions.

Bug: 28760354
Test: build
Test: verify no "granted" messages from dogfood devices.
Change-Id: Id4f3540bba8c9f30f9d912f7a7473933be779cbb

This is needed for interface configuration - see e.g. nl80211_configure_data_frame_filters.

Bug: 77903086
Test: WiFi still working

Change-Id: I4b5e2b59eeeb6d0ac19dbcbcf0e7e80942247893

avc: denied { getattr } for path="/data" scontext=u:r:vendor_init:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

Bug: 78345561
Test: build/boot device. Denial is gone.
Change-Id: Ie858f1fe65aeb1845b00a5143c345e81aa2ec632
(cherry picked from commit 6f8d2628)

Test: manual
Bug: 78318738
Change-Id: I45c3511860fbe6a1de45c6930052a8865b38986a

Currently, when vendor APK try to use MediaPlayer to play its audio
resource, it would fail due to this neverallow rules.

avc: denied { read } for path="/vendor/app/TicFitness/TicFitness.apk" dev="dm-1" ino=183 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0

Bug: 78436043
Change-Id: Id910184c16955f9e4e4c8d3bb6eca2253ab59063

Bug: 77965486
Test: run cts -m CtsSecurityHostTestCases -t
    android.cts.security.FileSystemPermissionTest#testDevHwRandomPermissions

Change-Id: Ib5965649e9b2b4bb0259383374dfac76cc0a8bd5
(cherry picked from commit cc541a80)

Bug: 75287236
Test: Built policy.
Change-Id: I90301c33fd8c20e96cfbb424eaf80978e79c34f0

Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91

This should help fix presubmit tests.

Bug: 78456764
Test: Built policy.
Change-Id: I7ec5afa83417770731d309d5a57b8a94afa24453

This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.

Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e

avc: denied { search } for name="/" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:fs_bpf:s0 tclass=dir permissive=0

Bug: 72749888
Test: Boot without seeing the denial.
Change-Id: Iaf3559928473c68066e6a42ba71655a683861901

Bug: 63932139
Bug: 76201991
Test: Manual A2DP testing (A2DP offload enabled and disabled)
Change-Id: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a

And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae

Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
(cherry picked from commit 18a28440)

Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af

Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849

Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b)