In order to support passthrough + binderized implementations
with a simple switch, there is a hierarchy of attributes for
different hal servers.

           /------- hal_X --------\
           |               **     |
           v                      v
      hal_X_client           hal_X_server
           |                      |
           |                      |
           v                      v
    halclientdomain        halserverdomain

** - hal_X -> hal_X_server is only on non-Treble devices. This
  is because on these devices, certain HALs are allowed to be
  loaded directly into the client process in "passthrough" mode
  as was the case in Android before Android O. This is a legacy
  compatibility mode. On Treble devices, any client can also be
  hal_X just by virtue of a server being able to also be a hal
  client.

There is also one exception to this rule. su is not given every
hal_* permission. If it is given all of these permissions on
non-Treble devices, it must be added as an exemption to many
other neverallow rules. As a sideeffect (which existed before
this patch), su is not allowed to talk directly to all hardware
on non-Treble devices as with Treble devices.

Fixes: 34180936
Test: compile only (neverallow rules are resolved at compile time)

Change-Id: I47122daf95acd49cadaf8b7664e56268dac78945

Bug: 75287236
Test: Built policy.
Change-Id: I90301c33fd8c20e96cfbb424eaf80978e79c34f0

Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91

This should help fix presubmit tests.

Bug: 78456764
Test: Built policy.
Change-Id: I7ec5afa83417770731d309d5a57b8a94afa24453

This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.

Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e

avc: denied { search } for name="/" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:fs_bpf:s0 tclass=dir permissive=0

Bug: 72749888
Test: Boot without seeing the denial.
Change-Id: Iaf3559928473c68066e6a42ba71655a683861901

Bug: 63932139
Bug: 76201991
Test: Manual A2DP testing (A2DP offload enabled and disabled)
Change-Id: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a

And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae

Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
(cherry picked from commit 18a28440)

Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af

Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849

Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b)

The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6

Denials:
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5684): avc: denied { search } for name="1376" dev="proc" ino=204553 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5685): avc: denied { search } for name="1402" dev="proc" ino=204554 scontext=u:r:traced_probes:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.801   903   903 W traced_probes: type=1400 audit(0.0:5686): avc: denied { search } for name="1496" dev="proc" ino=204557 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app:s0:c85,c256,c512,c768 tclass=dir permissive=0
04-12 12:42:47.805   903   903 W traced_probes: type=1400 audit(0.0:5687): avc: denied { search } for name="1758" dev="proc" ino=204563 scontext=u:r:traced_probes:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0

Bug: 77955286

Change-Id: If0985d3ddd7d14c2b139be1c842c9c8df99b90db
Merged-In: If0985d3ddd7d14c2b139be1c842c9c8df99b90db

This reverts commit 12e73685.

Reason for revert: Rolling original change forward again, more carefully.

Change-Id: I266b181915c829d743c6d8d0b8c0d70b6bf3d620

After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the followign denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc

Bug: 74114758
Test: Checked radio-service and sap-service is on the lshal after running the service
Change-Id: I1b18711286e000a7d17664e7d3a2045aeeb8c285
Merged-In: I1b18711286e000a7d17664e7d3a2045aeeb8c285
(cherry picked from commit 64839e87)

This adds numerous bug_map entries to try to annotate all denials
we've seen.

Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49

dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee

avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs"
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 77816522
Test: build
Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
(cherry picked from commit 2ccd99a5)

Allow lmkd read access to /proc/meminfo for retrieving information
on memory state.

Change-Id: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>

Tombstoned unlinks "trace_XX" files if there are too many of them.

avc: denied { unlink } for comm="tombstoned" name="trace_12"
scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0
tclass=file

Bug: 77970585
Test: Build/boot taimen. adb root; sigquit an app.
Change-Id: I2c7cf81a837d82c4960c4c666b38cd910885d78d

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

This allows for more native modes.

Bug: 73824924
Test: adb shell setprop persist.sys.sf.native_mode 2
Change-Id: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1