Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
(cherry picked from commit 7abca51d)

commit 9b2e0cbe added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns.  Apply the new macro to various self:capability
references that have cropped up since then.

Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609

Bug: 78793464
Test: fastboot getvar partition-size:super

'super_block_device' corresponds to the super partition
required for flashing dynamic partitions.

Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea

Attempting to reduce the number of different spellings we have for
"product services" partition in the codebase.

Bug: 112431447
Test: m
Change-Id: I1499c60e3d6c6c9fbe2e3f30f097f83b1e837c1c
Merged-In: I1499c60e3d6c6c9fbe2e3f30f097f83b1e837c1c

mediaserver is receiving a file passed as a file descriptor. Just read
and map is enough, and open should not be allowed for mediaserver.

Bug: 78436043

avc: denied { getattr } for comm="Binder:1231_1" path="/storage/emulated" dev="tmpfs" ino=72787 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_stub_file:s0 tclass=dir

Bug: 112609936
Test: Built policy.
Change-Id: Ib772aca11bad4ba267de259be4ad065f228ef1df

Error out if m4 generates a warning. This will help detect and prevent
malformed macros.

See 85508496 for motivation.

Test: policy compiles
Test: Policy doesn't compile if 85508496
      is reverted.

Change-Id: Iee6b6273bc2a24b1220861fd662573e76001defc

Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790

This reverts commit 0fd3ed3b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0

Forgotten cleanup item.

Bug: 35870313
Test: making sepolicy (neverallows resolved at compile time)
Change-Id: If9a583c4508db63356869502ec374727afa84b0b

Quotes and backticks are sensitive characters and should never show up
in a comment. Fix comment to avoid the use of a single quote. Also fixes
a bug where certain rules were not getting included in the compiled
policy.

Fixes the following build warnings:

[  3% 3564/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3578/114975] build out/target/product/taimen/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3579/114975] build out/target/product/taimen/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3607/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[  3% 3677/114975] build out/target/product/taimen/obj/ETC/built_plat_sepolicy_intermediates/base_plat_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored

Test: policy compiles and no warnings.
Change-Id: Ie32d8b536955b40888b79e3a93851d2ae297f8ee

Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4

Replace more complicated logic that determines that persistent
properties are now valid with a simple check of
ro.persistent_properties.ready.

Test: manual
Bug: 109821005
Change-Id: I8c63beb294377ea9ce6eb6336b83f529deedd830

Bug: 78888165
Test: device can boot with HAL running.
Change-Id: I3bf7c8203e038b892176c97ec006152a2904c7be

There is a problem with on-disk labeling of files created by secondary
dex background compilation which is causing unexpected denials to show
up. Restore the old labeling until we are able to fix the underlying
problem.

Steps to reproduce:
  1) boot android device.
  2) adb root
  3) Run cmd package compile -r bg-dexopt --secondary-dex com.google.android.gms
  4) Examine the files in /data/user_de/0/com.google.android.gms
Expected:
  All files have the label privapp_data_file
Actual:
  The files in /data/user_de/0/com.google.android.gms/app_chimera/m
  are labeled "app_data_file", not "privapp_data_file".

This reverts commit 4df57822.

Bug: 112357170
Test: policy compiles
Change-Id: I38ba75c92c9c46e6a1fdbc02e3dc80c63adccaa8

There is a problem with on-disk labeling of files created by secondary
dex background compilation which is causing unexpected denials to show
up. Drop the auditallow rule to avoid logspam.

Steps to reproduce:
  1) boot android device.
  2) adb root
  3) Run cmd package compile -r bg-dexopt --secondary-dex com.google.android.gms
  4) Examine the files in /data/user_de/0/com.google.android.gms
Expected:
  All files have the label privapp_data_file
Actual:
  The files in /data/user_de/0/com.google.android.gms/app_chimera/m
  are labeled "app_data_file", not "privapp_data_file".

Addresses the following audit logspam:
  type=1400 audit(0.0:117): avc: granted { execute } for comm=4173796E635461736B202331 path="/data/user_de/0/com.google.android.gms/app_chimera/m/00000002/oat/arm/DynamiteLoader.odex" dev="dm-0" ino=5775 scontext=u:r:untrusted_app:s0:c111,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.android.chrome

Additionally, this removes auditallow statements for older untrusted
apps. Lots of big apps are executing files from their home directory.
Additional restrictions in this area will need to be tied to API
versions.

Addresses the following audit logspam:
  type=1400 audit(0.0:619): avc: granted { execute } for comm="na:notification" path="/data/data/com.facebook.katana/lib-xzs/libbreakpad.so" dev="dm-3" ino=28333 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.katana
  type=1400 audit(0.0:129): avc: granted { execute } for comm="ticlock" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
  type=1400 audit(0.0:1239): avc: granted { execute } for comm="Analytics-Norma" path="/data/data/com.facebook.orca/lib-xzs/libchipsetmerged.so" dev="dm-3" ino=50243 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.facebook.orca
  type=1400 audit(0.0:58): avc: granted { execute_no_trans } for comm="sh" path="/data/data/is.shortcut/files/ticlock/ticlock" dev="dm-3" ino=58614 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=is.shortcut
  type=1400 audit(0.0:1948): avc: granted { execute_no_trans } for comm="sh" path="/data/data/com.mxdata.tube.Market/files/osmcore" dev="sda13" ino=2752651 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.mxdata.tube.Market
  type=1400 audit(0.0:2875): avc: granted { execute_no_trans } for comm="ThreadPoolManag" path="/data/data/com.amazon.kindle/files/hardwareTest" dev="sda13" ino=1935346 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file app=com.amazon.kindle

This reverts commit 4738b93d.

Bug: 112357170
Test: policy compiles

The su domain is always permissive. Operations which occur in this
domain should never be logged.

Addresses the following denials:

  type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1
  type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1
  type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1

Test: policy compiles
Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4

Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations. For backards
compat, add mmap in more places where we explicitly
list out individual file permissions.

Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e

This rule prevents adding further fwk->vendor access.
Left a TODO to clean up already existing access.

Bug: 37168747
Test: build sailfish, walleye policies
Change-Id: I5e61d0b94b81df228628dba5746e084f291a7904

Bug: 111655771
Test: builds
Change-Id: I67850d910770109005b2243c628282ad638c88fb

Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations.  Add this
permission to system_server for data file access,
which is used in scenario such as "adb install" of
APK's.

test: no longer see SELinux map denial on "adb install"
Change-Id: Id6016dd0b3f15dfdb0f02509ea812dee61ac78ed

Allow lmkd write access to sys.lmk. properties to be able to set
sys.lmk.minfree_levels.

Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

Test: builds
Test: vts
Bug: 111655771
Change-Id: Iabad3d124bf476cb624addf7d7898e0c2894d550

This is needed to dump ANR traces for the process.

Bug: 111604912
Test: adb shell am hang
Change-Id: Icadc2de95a12818fe623271d1afb955843ccddbf

Certain pm.* properties, which are especially needed for
Go-targets, are not listed in property_contexts.
Init will not be able to set these properties on bootup
without the correct selinux contexts assigned to the
properties.

BUG: 111738816

Test: In selinux-enforcing mode, on bootup, these
      properties are now correctly set by init.

Change-Id: I6ea0fb229c93725e2987b1e021d5804a132d093d

Test: n/a
Change-Id: I929772fa36da6b96494d14cfa48b47dcc76cccd4

/cache/overlay directory in support of overlayfs mounts on userdebug
and eng devices.  Overlayfs in turn can be capable of supporting
adb remount for read-only or restricted-storage filesystems like
squashfs or right-sized (zero free space) system partitions
respectively.

Test: compile
Bug: 109821005
Bug: 110985612
Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1