- Dec 21, 2018
-
-
Nick Kralevich authored
This reverts commit b3624743. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots
-
Nick Kralevich authored
This reverts commit 89041472. Unittest failures of JvmtiHostTest1906#testJvmti. To do a clean revert of b3624743, we need to also revert this change. Test: compiles Bug: 121333210 Bug: 111338677
-
Florian Mayer authored
Arbitrary apps need to connect to heapprofd in order to send samples.

Relevant denial trying to profile com.google.android.inputmethod.latin on userdebug:

12-20 14:50:20.420 25219 25219 I heapprofd: type=1400 audit(0.0:1006): avc: denied { read } for path="/proc/24819/mem" dev="proc" ino=244219 scontext=u:r:heapprofd:s0 tcontext=u:r:untrusted_app_27:s0:c133,c256,c512,c768 tclass=file permissive=1

Bug: 121370989
Test: m
Test: flash walleye
Test: profile com.google.android.inputmethod.latin
Change-Id: Iee82c8c49951e5a5726cd5ab0b9e8fa71226c802
-
Remi NGUYEN VAN authored
The policies allow the system server to register a network_stack_service used to communicate with the network stack process. Test: atest FrameworksNetTests Bug: b/112869080 Change-Id: Ib9b7d9150fe4afcce03c8b3dbb36b81c67e39366
-
- Dec 20, 2018
-
-
Remi NGUYEN VAN authored
The networking stack app hosts services that used to be in the system server (IpClient, NetworkMonitor for now), but in a different process to be packaged as a mainline module. Test: booted, verified networking stack working when in app Change-Id: I300a556f51b35c17378af961cea1ec937444e597
-
Martijn Coenen authored
To configure read-ahead on loop devices, eg. /sys/devices/virtual/block/loop0/queue/read_ahead_kb Bug: 120776455 Test: configuring read-ahead on loop devices works from apexd Change-Id: Ib25372358e8ca62fa634daf286e4b64e635fac58
-
- Dec 19, 2018
-
-
Nick Kralevich authored
The bcc command line uses /data/user/0 paths, so renderscript needs to be able to follow those symlinks.

Addresses the following denial:

audit(1545249938.830:2274): avc: denied { read } for comm="bcc" name="0" dev="dm-6" ino=101 scontext=u:r:rs:s0:c184,c256,c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=1 app=android.rscpp.cts

Test: cts-tradefed run cts -m CtsRsCppTestCases
Bug: 121266184
Bug: 112357170
Change-Id: I16210f9b95f386bdee0863cf0044c956af99586d
-
Tri Vo authored
Bug: 119305624 Test: boot blueline Change-Id: I3ecdeab3bb33c3cb5e80dc10ba1079c9853048f8
-
- Dec 18, 2018
-
-
Winson Chung authored
Bug: 120865921 Test: Manual verification Change-Id: Ic0b3f85fad24ccedc0a8e9935c198bc8503bb415
-
- Dec 17, 2018
-
-
Todd Kennedy authored
We're creating a new PermissionManagerService that will handle all of the permission related APIs. These are currently being routed through PackageManagerService. Test: Device boots Change-Id: I7d08561dd33b692209c30d413cdca0ff567358f1
-
- Dec 15, 2018
-
-
Rafal Slawik authored
rss_hwm_reset is a binary that resets RSS high-water mark counters for all currently running processes. It runs in a separate process because it needs dac_override capability. Bug: 119603799 Test: no errors in logcat Change-Id: I6221a5eca3427bf532830575d8fba98eb3e65c29
-
- Dec 14, 2018
-
-
Felipe Leme authored
Bug: 111276913 Test: manual verification Merged-In: If76dc7bfdad87789a58fc94e0fd280deae1a41ab Change-Id: If76dc7bfdad87789a58fc94e0fd280deae1a41ab (cherry picked from commit 73e7fa88)
-
Alan Stokes authored
On debug builds, introduce audit logging of apps targeting SDK <= 28 that execute native code from a non-priv app home directory via execve() or dl_open(). Bug: 111338677 Test: Builds + boots. Test: Launch app that uses private .so files, see granted logs. Change-Id: I5880801d3a29cbf2c1cf4e0d72adc69a9d548952
-
Martijn Coenen authored
To work around a kernel bug where pages that are read before changing the loop device offset are not invalidated correctly. Bug: 120853401 Test: apexd mounts APEX files on gphone_sdk_x86_64 Change-Id: I89f23f8f9d472e599f053553b73cc0618dcb3747
-
- Dec 13, 2018
-
-
Florian Mayer authored
When daemonizing perfetto, SIGINT should be sent to ensure clean shutdown.

Denial:

12-06 11:12:16.566 3099 3099 I sh : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1

Test: m
Test: flash walleye
Test: SIGINT perfetto from shell
Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
-
Sudheer Shanka authored
Bug: 111789719 Test: manual Change-Id: I5a5c1da69fd5d55e3276bb7384a94b9831e3cccd
-
- Dec 12, 2018
-
-
Nick Kralevich authored
Remove the ability for applications to dlopen() executable code from their home directory for newer API versions. API versions <= 28 are unaffected by this change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4
-
Nick Kralevich authored
When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library.

Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
-
Florian Mayer authored
This is analogous to what Perfetto does with persist.traced.enable.

Test: m
Test: flash walleye
Test: setprop persist.heapprofd.enable 1
      setprop persist.heapprofd.enable 0
Change-Id: I997272ef8c6fe078aca2388ed0cf2ecc3de612a5
-
Sunny Goyal authored
- Update policy for new system service, used for SystemUI/Apps to present predicted apps in their UI. Bug: 111701043 Test: manual verification Change-Id: Ia3b5db987097d2d71bf774ca550041e03214471d
-
- Dec 11, 2018
-
-
Carmen Jackson authored
Bug: 116754732 Test: Started a trace in Traceur using Perfetto successfully. Change-Id: I217857bf1f43f1b7b24454687d1f26b9d5c6c56a
-
Benjamin Schwartz authored
Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP. Bug: 111185513 Bug: 120551881 Test: make Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
- Dec 10, 2018
-
-
Fan Xu authored
These selinux policy rules were added for bufferhub to run a binder service. But later we decided to use a hwbinder service instead, and the original binder service was removed in git/master. Now we can safely remove these rules. Test: Build passed. Device boots successfully without selinux denial. Bug: 118891412 Change-Id: I349b5f0f2fa8fb6a7cfe7869d936791355c20753
-
- Dec 07, 2018
-
-
Matt Pape authored
Add a DeviceConfig service in system_server to edit configuration flags. This is intended to be a command line tool for local overrides and/or tool for tests that adopt shell permissions. Test: None Bug: 109919982 Bug: 113101834 Change-Id: Ib7bed752849b1ed102747e3202dd7aed48d2c6d5
-
Alan Stokes authored
I572ea22253e0c1e42065fbd1d2fd7845de06fceb introduced a whitelist, so everything under tracing/ is assumed to be debugfs_tracing_debug unless explicitly marked as debugfs_tracing. Test: Device boots, labels under /sys/kernel/debug/tracing are unchanged. Change-Id: Id0f0cbcc9e5540551bd2906fbf75f8e939dc4d4c
-
Hector Dearman authored
Allow traced_probes to read /sys/kernel/debug/tracing directories in userdebug mode. We read the directory when enabling events with the wild card syntax: "oom/*" which attempts to read the directory /sys/kernel/debug/tracing/events/oom to work out what oom events exist.

Denial:

avc: denied { read } for name="oom" dev="tracefs" ino=11353 scontext=u:r:traced_probes:s0 tcontext=u:object_r:debugfs_tracing_debug:s0 tclass=dir permissive=0

Bug: 119662403
Test: perfetto -t 10s 'oom/*' -o /data/misc/perfetto-traces/trace
Change-Id: I2cb171c3c5292d2eb55e71376f965b924a563572
-
- Dec 06, 2018
-
-
Tri Vo authored
After b/28357356 /dev/alarm is no longer used by android platform. Also, Pixel devices don't have /dev/alarm. Bug: 110962171 Test: boot aosp_walleye Change-Id: Id9723996104a2548ddf366489890c098d1ea87be
-
- Dec 05, 2018
-
-
Joel Galenson authored
This prevents denials while taking a bugreport. Bug: 116711254 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials Change-Id: I5414141a1557d71e3ac0cf5bc89529685e9069c3
-
- Dec 04, 2018
-
-
Mike Ma authored
An incident.proto section has been added to the bugreport. Need appropriate sepolicy changes to allow binder calls and fd access. Bug: 119417232 Test: adb bugreport. Verify incident.proto is in the proto folder, and there are no sepolicy violations. Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
-
- Dec 03, 2018
-
-
felkachang authored
The isolated service does nothing except for both AIDL's basic skeleton and service binding. It still got the SELinux denial. This should fix the presubmit test.

01-01 00:00:29.196 6121 6121 I auditd : type=1400 audit(0.0:6): avc: denied { getattr } for comm="convert.service" path="/data/data/com.android.externalstorage" dev="sda35" ino=655437 scontext=u:r:isolated_app:s0:c0,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0

Test: ag/5681059 ag/5660144
Bug: 120394782
Change-Id: I7838def96da30b88d510dab860ed9779a0d4d5ed
-
Neil Fuller authored
Adds the necessary incantations for the new service. Bug: 118242715 Bug: 119026403 Test: build / boot / adb shell dumpsys Change-Id: Ibb1a356067863316d70586a61ede9f5973c1ae15
-
Primiano Tucci authored
Allows battery counters to be logged in the trace. This is to allow high fidelity attribution of battery power.

Matching feature CL: aosp/838951

SELinux denials that lead to this:

avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=0
duplicate messages suppressed
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { read } for comm="traced_probes" name="u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { open } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { getattr } for comm="traced_probes" path="/dev/__properties__/u:object_r:hwservicemanager_prop:s0" dev="tmpfs" ino=17794 scontext=u:r:traced_probes:s0 tcontext=u:object_r:hwservicemanager_prop:s0 tclass=file permissive=1
avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for comm="traced_probes" scontext=u:r:traced_probes:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1
avc: denied { search } for comm="hwservicemanage" name="26854" dev="proc" ino=4959346 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=dir permissive=1
avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { read } for comm="hwservicemanage" name="current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { open } for comm="hwservicemanage" path="/proc/26854/attr/current" dev="proc" ino=4959383 scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=file permissive=1
avc: denied { getattr } for comm="hwservicemanage" scontext=u:r:hwservicemanager:s0 tcontext=u:r:traced_probes:s0 tclass=process permissive=1

Bug: 113076327
Change-Id: I4aabd0d70025105320c4a8d34470098807d56899
-
Florian Mayer authored
Heapprofd needs to read binary files and libraries in order to support unwinding the stack. system_file does not include all these files, e.g. zygote_exec is only labeled as system_file_type.

Denials:

12-03 10:50:37.485 9263 9263 I heapprofd: type=1400 audit(0.0:177): avc: denied { read } for name="app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1
12-03 10:50:37.485 9263 9263 I heapprofd: type=1400 audit(0.0:178): avc: denied { open } for path="/system/bin/app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1
12-03 10:50:37.485 9263 9263 I heapprofd: type=1400 audit(0.0:179): avc: denied { getattr } for path="/system/bin/app_process64" dev="dm-0" ino=2286 scontext=u:r:heapprofd:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=1

Change-Id: Ie04b722a78ff6367729930ee0ef96f48ccf6aa55
Bug: 117762471
-
Jiyong Park authored
Currently, when an APEX is staged, apexd moves the file from /data/app/vmdl*.tmp directory to /data/apex. However, the original file is labeled with apk_tmp_file and is not readable from apexd.

We plan to resolve this issue by moving the file content via file descriptor in between the package manager and apexd.

However, until the plan is implemented, temporarily allow apexd to relabel the file to apex_data_file that is readable to it. This unblocks the end-to-end test for APEX.

Bug: 112669193
Test: adb install --apex system/apex/apexd/apexd_testdata/test.apex
      adb reboot; adb root; adb shell; cmd apexservice getActivePackages
      The test APEX is activated
Change-Id: Ib9d4f5c699261f1fa1e6d557731767ee4d7168f9
-
- Dec 01, 2018
-
-
Paul Crowley authored
Never use popen, just execvp directly Test: Two tests - Ensure Marlin device boots and vold_prepare_subdirs is called successfully - Try adb shell sm set-virtual-disk true, see that eg sgdisk output is logged. Bug: 26735063 Bug: 113796163 Change-Id: Icb34140429db85098a0118a2b833772e3620e7ac
-
- Nov 30, 2018
-
-
Kevin Chyn authored
This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause the same issue. Test: vold is able to create directories, ag/5534962 Bug: 116528212 Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
-
Dan Austin authored
This includes the SELinux policy changes to allow for kcov access in userdebug builds for coverage-guided kernel fuzzing. Bug: 117990869 Test: Ran syzkaller with Android untrusted_app sandbox with coverage. Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
-
Pawin Vongmasa authored
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice
Bug: 112362730
Bug: 119853704
Change-Id: Ie84dab48c4f068eb1f6289b5c022525cd06ef7fc
-