- Apr 20, 2017
-
-
Alex Klyubin authored
This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3
-
Andreas Gampe authored
rc-style powerctl has been removed. Accordingly, asan_extract now needs access to sys.powerctl directly. Bug: 36458146 Test: m && m SANITIZE_TARGET=address SANITIZE_TARGET_SYSTEM=true Change-Id: Ic65a858962b4b3dd613fdbfa09f93d21425bf892
-
- Apr 19, 2017
-
-
Andreas Gampe authored
Add asanwrapper support for system server under sanitization. Bug: 36138508 Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true Test: adb root && adb shell setprop wrap.system_server asanwrapper Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0
-
Phil Burk authored
Bug: 37504387 Test: aaudio example write_sine, needs MMAP support Change-Id: I7fbd87ad4803e8edbde4ba79220cb5c0bd6e85a0 Signed-off-by: Phil Burk <philburk@google.com>
-
Sandeep Patil authored
Bug: 37485771 Test: sideloaded OTA through recovery on sailfish Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701 Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Dan Cashman authored
vndservicemanager is a copy of servicemanager, and so has the exact same properties. This should be reflected in the sharing of an object manager in SELinux policy, rather than creating a second one, which is effectively an attempt at namespacing based on object rather than type labels. hwservicemanager, however, provides different and additional functionality that may be reflected in changed permissions, though they currently map to the existing servicemanager permissions. Keep the new hwservice_manager object manager but remove the vndservice_manager one. (preemptive cherry-pick of commit: 2f1c7ba7 to avoid merge conflict) Bug: 34454312 Bug: 36052864 Test: policy builds and device boots. Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
-
Jack He authored
Bug: 37476041 Test: make, pair and connect to HID device Change-Id: Ic7e81382994769e3f3a91255dcf3624edeaf6bfd
-
- Apr 18, 2017
-
-
Carmen Jackson authored
These rules allow the additional tracepoints we need for running traceur in userdebug builds to be writeable. Bug: 37110010 Test: I'm testing by running atrace -l and confirming that the tracepoints that I'm attempting to enable are available. Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd
-
Dan Cashman authored
vndservicemanager is a copy of servicemanager, and so has the exact same properties. This should be reflected in the sharing of an object manager in SELinux policy, rather than creating a second one, which is effectively an attempt at namespacing based on object rather than type labels. hwservicemanager, however, provides different and additional functionality that may be reflected in changed permissions, though they currently map to the existing servicemanager permissions. Keep the new hwservice_manager object manager but remove the vndservice_manager one. Bug: 34454312 Bug: 36052864 Test: policy builds and device boots. Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e
-
Alex Klyubin authored
This commit marks surfaceflinger and app domain (except isolated_app) as clients of Configstore HAL. This cleans up the policy and will make it easier to restrict access to HwBinder services later. Test: Play YouTube clip in YouTube app and YouTube web page in Chrome Test: Take an HDR+ photo, a normal photo, a video, and slow motion video in Google Camera app. Check that photos show up fine and that videos play back with sound. Test: Play movie using Google Play Movies Test: Google Maps app displays the Android's correct location Bug: 34454312 Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371
-
- Apr 17, 2017
-
-
Jerry Zhang authored
MediaProvider requires permissions that diverge from those of a typical priv_app. This creates a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
-
Jerry Zhang authored
MediaProvider requires permissions that diverge from those of a typical priv_app. This creates a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
-
Alex Klyubin authored
This commit marks system_server and app domains (except isolated_app) as clients of Graphics Allocator HAL. This makes the policy cleaner and prepares ground for restricting access to HwBinder services. Test: Play video in YouTube app and in Google Chrome YouTube web page Test: Using Google Camera app, take an HDR+ photo, a conventional photo, record a video with sound and a slow motion video with sound, then check that photos look good and videos play back fine, including sound. Bug: 34454312 Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a
-
- Apr 16, 2017
-
-
Martijn Coenen authored
The new binder_call() lines had to be added because this change removes mediacodec from binderservicedomain (on full-treble), hence domains that could previously reach mediacodec with binder_call(domain, binderservicedomain) now need explicit calls instead. Test: Youtube, Netflix, Maps, Chrome, Music Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829
-
- Apr 15, 2017
-
-
Sandeep Patil authored
Bug: 36463595 Test: Boot sailfish, make wifi call, internet over data and wifi Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e Signed-off-by: Sandeep Patil <sspatil@google.com>
-
- Apr 14, 2017
-
-
Martijn Coenen authored
Since hal_graphics_composer_default is now no longer a member of binderservicedomain, these domains would no longer be able to use filedescriptors from it. Bug: 36569525 Bug: 35706331 Test: marlin boots, YouTube, Maps, Camera, video Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f
-
Jeff Vander Stoep authored
Relabeling /vendor and /system/vendor to vendor_file removed previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate" path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0 tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
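
An added example, not part of the commit or of the sepolicy tree: a small parser that breaks the AVC denial quoted above into the source type, target type, class and permission a policy rule would have to cover. The function names and the rendered rule text are assumptions made for illustration; the rule string is a review aid and is not claimed to be the rule this commit added.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial quoted in the commit message above.
SAMPLE = (
    'avc: denied { execute_no_trans } for pid=2944 comm="dumpstate" '
    'path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929 '
    'scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if it is absent or truncated."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    try:
        # A context is user:role:type:level; policy rules are written on the type.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # not enough information to reason about the access
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'source': source,
        'target': target,
        'tclass': tclass,
        'path': fields.get('path'),
    }


def summarize(lines):
    """Merge denials per (source, target, class) and render one rule for each."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec['source'], rec['target'], rec['tclass'])
            grouped[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_s = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_s};')
    return rules
```

Grouping by source and target type shows how broad a label such as vendor_file is: one rule on it covers every file carrying that label, not only the path in the denial.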
-
Sandeep Patil authored
Bug: 36463595 Test: Boot sailfish and make sure all vendor services that are shell scripts work. (Checked exited status) Change-Id: I3d1d564114a914dec8179fb93a9e94493c2808da Signed-off-by: Sandeep Patil <sspatil@google.com>
-
- Apr 13, 2017
-
-
Sandeep Patil authored
The vendor toybox MUST always be executed without transition and non-vendor processes are not allowed to execute the binary. Bug: 36463595 Test: Boot and test if system shell can run /vendor/bin/echo Result: requires 'su' Change-Id: Ifb9aa61f247f91fb870b99d60ac7f849ee9c6adc Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit c112cd18e8999c0242a2560219033231a0e19898)
-
Sandeep Patil authored
Bug: 36463595 Test: sailfish boots without new denials Change-Id: I4271a293b91ab262dddd4d40220cd7daaff53bf2 Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit b2586825e1ce92d637754b4c40e4d5edfd50a1a6)
-
Jeff Vander Stoep authored
Remove domain_deprecated from bluetooth. This removes some unnecessarily permissive rules. Bug: 25433265 Test: All of the permissions being removed were being audited. Verify that no audited (granted) avc messages for bluetooth exist in the logs. Change-Id: Ifa12a0f1533edcb623bbb9631f88f1ff1d6d7085
-
Alex Klyubin authored
This adds restrictions on which domains can register this HwBinder service with hwservicemanager and which domains can obtain tokens for this service from hwservicemanager. Test: Use Google Camera app to take HDR+ photo, conventional photo, record video with sound, record slow motion video with sound. Check that the photos display correctly and that videos play back fine and with sound. Check that there are no SELinux denials to do with camera. Bug: 34454312 Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
-
Martijn Coenen authored
hwservicemanager can check hwservice_contexts files both from the framework and vendor partitions. Initially, have a wildcard '*' in hwservice_contexts that maps to a label that can be added/found from domain. This needs to be removed when the proper policy is in place. Also, grant su/shell access to hwservicemanager list operations, so tools like 'lshal' continue to work. Bug: 34454312 Test: Marlin boots Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
-
Jin Qian authored
Test: trigger dumpsys storaged from GMScore Bug: 37284569 Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176
-
- Apr 12, 2017
-
-
Alex Klyubin authored
All HALs which are represented by hal_* attributes in SELinux policy are required to run in binderized mode on Treble devices. This commit thus makes the SELinux policy for Treble devices no longer associate domains in hal_x_client with hal_x attribute, which is what was granting domains hosting clients of hal_x the rules needed to run this HAL in-process. The result is that core components have now less access. This commit has no effect on non-Treble devices.

Test: Device boots -- no new denials
Test: Play movie using Google Play Movies and Netflix
Test: Play YouTube clip in YouTube app and in Chrome
Test: Unlock lock screen using fingerprint
Test: Using Google Camera, take a photo, an HDR+ photo, record a video with sound, a slow motion video with sound. Photos and videos display/play back fine (incl. sound).
Test: adb screencap
Test: $ monitor take screenshot
Test: In all tests, no denials to do with hal_*, except pre-existing denials to do with hal_gnss.
Bug: 37160141
Bug: 34274385
Bug: 34170079
Change-Id: I1ca91d43592b466114af13898f5909f41e59b521
-
Phil Burk authored
Test: test_aaudio.cpp Bug: 33398120 Change-Id: I0712f60c898136154d729ceb1103ee021cc6ab82 Signed-off-by: Phil Burk <philburk@google.com> (cherry picked from commit 8b9d93f2)
-
Dan Cashman authored
As the platform progresses in the split SELinux world, the platform will need to maintain mapping files back to previous platform versions to maintain backwards compatibility with vendor images which have SELinux policy written based on the older versions. This requires shipping multiple mapping files with the system image so that the right one can be selected. Change the name and location of the mapping file to reflect this. Also add a file to the vendor partition indicating which version is being targeted that the platform can use to determine which mapping file to choose. Bug: 36783775 Test: Force compilation of sepolicy on-device with mapping file changed to new location and name, using the value reported on /vendor. Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4
-
Jorge Lucangeli Obes authored
With build/core eaa9d88cf, system_server should not be loading code from /data. Add an auditallow rule to report violations. Bug: 37214733 Test: Boot marlin, no SELinux audit lines for system_server. Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521 (cherry picked from commit 665128fa)
-
Shawn Willden authored
Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
-
- Apr 11, 2017
-
-
Tom Cherry authored
This was marked deprecated in 2014 and removed in 2015, let's remove the sepolicy now too. Test: see that logging still works on bullhead Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
-
Jorge Lucangeli Obes authored
With build/core eaa9d88cf, system_server should not be loading code from /data. Add an auditallow rule to report violations. Bug: 37214733 Test: Boot marlin, no SELinux audit lines for system_server. Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521
-
Steven Moreland authored
This reverts commit 97848f05. Reason for revert: b/37218817 Change-Id: I3280be8873d60d66852b4f01f4af4eeaee6b5502
-
- Apr 10, 2017
-
-
Alex Klyubin authored
audioserver uses an always-passthrough Allocator HAL (ashmem / mapper) whose .so is loaded from /system/lib64/hw. Test: Modify hal_client_domain macro to not associate client of X HAL with hal_x attribute. Play Google Play Movies movie -- no denials and AV playback works. Bug: 37160141 Change-Id: I7b88b222aba5361a6c7f0f6bb89705503255a4b1
-
Andrew Scull authored
Bug: 35628284 Test: Boot and call HAL from system_server Change-Id: I4cdacb601e0eea1f5f0e721c568c7ee04298704f
-
Andrew Scull authored
Bug: 34766843 Test: Boot and call HAL from system_server Change-Id: Ice78aedfdbe82477a84252499a76dad37887fe6b
-
Sandeep Patil authored
Renderscript drivers are loaded from /vendor/lib64 by following the /system/vendor symlink. This change fixes a couple of things.
  - Allows all domains access to follow the symlink
  - Restores app domain permissions for /vendor for non-treble devices
  - Allow app domains to peek into /vendor/lib64, but NOT grant 'execute' permissions for everything. Since RS drivers can be loaded into any process, their vendor implementation and dependencies have been marked as 'same process HALs' already.

Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
      ./cts-tradefed run cts -m CtsRenderscriptTestCases \
          --skip-device-info --skip-preconditions --skip-connectivity-check \
          --abi arm64-v8a
      Result: Tests Passed: 743 Tests Failed: 0
Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Howard Chen authored
This change extends the recovery mode modprobe sepolicy to support loadable kernel module in normal mode by using statement below in init.rc:

    exec u:r:modprobe:s0 -- /system/bin/modprobe \
        -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d949)
-
Jiyong Park authored
The concept of VNDK-stable set is gone because they no longer need to be stable across several Android releases. Instead, they are just small set of system libraries (other than Low-Level NDK) that can be used by same-process HALs. They need to be stable only during an Android release as other VNDK libraries. However, since they are eligible for double loading, we still need to distinguish those libs from other VNDK libraries. So we give them a name vndk-sp, which means VNDK designed for same-process HALs. Bug: 37139956 Test: booting successful with vndk-sp libs in /vendor/lib(64)?/vndk-sp Change-Id: I892c4514deb3c6c8006e3659bed1ad3363420732
-
- Apr 08, 2017
-
-
Jaekyun Seok authored
http://ag/2070347 doesn't allow zygote to read vendor_overlay_file:file anymore. But zygote isn't transitioned into idmap when executing idmap_exec. So we need to allow zygote to access dir/file under /vendor/overlay to enable idmap_exec run by zygote to read static RRO. Test: building succeeded and tested a static RRO on sailfish device. Bug: 37173452 Change-Id: Iec8a6b31d24c225f7819eeb885305f78da73b8e0
-