am: a64b6850

Change-Id: I7724ba18bd6d8d6ae7d4f87986de9200cb5bc761

When clearing cache, installd should be able to search for and delete
files in /data/preloads/file_cache

Test: Manually trigger installd freeCache
Bug: 31008665
Change-Id: I4c345cc8b0f7a6a8702a55f4720d21283c9d502a

am: 38dc1e22

Change-Id: If47397bdc5dc7e488b6e6e1dcac059a6e6389f29

am: 2e934f7f

Change-Id: I15baf398a01b12873be7da5623c2a9cbf9908fb0

This switches Keymaster HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Keymaster HAL.

Domains which are clients of Keymaster HAL, such as keystore and vold
domains, are granted rules targeting hal_keymaster only when the
Keymaster HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_keymaster are not granted to client domains.

Domains which offer a binderized implementation of Keymaster HAL, such
as hal_keymaster_default domain, are always granted rules targeting
hal_keymaster.

Test: Password-protected sailfish boots up and lock screen unlocks --
      this exercises vold -> Keymaster HAL interaction
Test: All Android Keystore CTS tests pass -- this exercises keystore ->
      Keymaster HAL interaction:
      make cts cts-tradefed
      cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
      --module CtsKeystoreTestCases
Bug: 34170079

Change-Id: I2254d0fdee72145721654d6c9e6e8d3331920ec7

am: 0aca0241

Change-Id: Ieceee81236f8fa5d7d2bb328274b7e91c11fbae1

am: 5a2de627

Change-Id: I960ee43281da8c8c6b0ec68bbea2ac53f43ab457

This switches Wi-Fi HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Wi-Fi HAL.

Domains which are clients of Wi-Fi HAL, such as system_server domain,
are granted rules targeting hal_wifi only when the Wi-Fi HAL runs in
passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_wifi are
not granted to client domains.

Domains which offer a binderized implementation of Wi-Fi HAL, such as
hal_wifi_default domain, are always granted rules targeting hal_wifi.

Test: Setup Wizard (incl. adding a Google Account) completes fine with
      Wi-Fi connectivity only
Test: Toggle Wi-Fi off, on, off, on
Test: Use System UI to see list of WLANs and connect to one which does
      not require a password, and to one which requries a PSK
Test: ip6.me loads fine in Chrome over Wi-Fi
Bug: 34170079

Change-Id: I7a216a06727c88b7f2c23d529f67307e83bed17f

am: 20b8d6b9

Change-Id: I8d3fe3a79791560669be031c790cd3862fb8782b

Bug: 35657600
Test: user build of Marlin starts with BT
Change-Id: Ic2380da66467b9b1c385da7d7fa10fddf4c7fae1

am: 706bb202

Change-Id: I0f2169981c80769e85c686f637135097e2d74f56

The 'overlay' service is the Overlay Manager Service, which tracks
packages and their Runtime Resource Overlay overlay packages.

Change-Id: I897dea6a32c653d31be88a7b3fc56ee4538cf178
Co-authored-by: Martin Wallgren <martin.wallgren@sonymobile.com>
Signed-off-by: Zoran Jovanovic <zoran.jovanovic@sonymobile.com>
Bug: 31052947
Test: boot the Android framework

am: 2f348392

Change-Id: Ia375e92fac568547c44adc42090843ad9ba7eb9f

This switches Dumpstate HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Dumpstate HAL.

Domains which are clients of Dumpstate HAL, such as dumpstate domain,
are granted rules targeting hal_dumpstate only when the Dumpstate HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_dumpstate are not granted to client domains.

Domains which offer a binderized implementation of Dumpstate HAL, such
as hal_dumpstate_default domain, are always granted rules targeting
hal_dumpstate.

Test: adb bugreport
Test: Take bugreport through system UI
Bug: 34170079
Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27

Bug: 35632346
Test: build and boot aosp_marlin
Change-Id: Ia2d019b0160e9b512f3e3a70ded70504fe4fea0c

am: d68aae65

Change-Id: Ib57282ba98e07b330df27ae203f51ce17568088b

am: 313dfe7d

Change-Id: Id3134f3157f29b3e878cde82ed33cac35f162c87

In the master external/ipsec-tools/{main.c, racoon.rc},
racoon doesn't call setuid, and doesn't have the setuid capability.

Bug: 35642293
Signed-off-by: Lucas Duffey <lucas.duffey@invapid.org>

am: 1c4014ab

Change-Id: I2a36fd9265032e343e92adf022705121bba287f4

am: 0b1e965f

Change-Id: I666c3e5d216d9b3b1110d72467ed855fd78b2afb

This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.

Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
      with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079

Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1

The preview surface will run in app process and hal_camera will
need to wait on FD generated by preview surface.

Test: the denial is gone, able to take photo in
      messenger/hangout/drive application.
Bug: 35589980
Bug: 35485227
Change-Id: I1977174369b104617156065ff25203a17265b707

am: 205ec044

Change-Id: Ia8ffaa7a7d2f92cdd9d298de92154660462e5dcf

untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2

This removes the compile-time deprecation warning about
hal_impl_domain macro. The warning was introduced in
86e87806f5777a7fc09ea962e694442297e4f8d6. We don't want to spam all
Android platform developers about something internal to the ongoing
SELinux policy restructuring.

Test: Policy compiles without any warnings
Test: Google Play Movies plays back movies (i.e., DRM HAL works)
Bug: 34170079
Change-Id: Icbd4d1283196f7ccc84c2a041c5601113d3c9f21

am: 6b28742a

Change-Id: I87902101dac4b3468b929c6020f318afe21702d5

am: c1f8e9a0

Change-Id: I8b763f78a29561bddf6d80e3a59e39943a6340d3

For early mount we end up creating the device nodes for partitions
under /dev/block before selinux is initialized. Which means, that
restorecon_recursive on /dev/block will have to relabel these nodes
and their symlinks.

This change adds the rule to allow init do the same.

b/27805372

Test: boot marlin / sailfish with early mount device node creation
but mount partitions using the default 'mountall' without any selinux
denials.

Change-Id: Ib9335f3f961d485d2120a175dbdbf85d6f70b160
Signed-off-by: Sandeep Patil <sspatil@google.com>