This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674   874   874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

cherry-picked from aosp/658243
Change-Id: I52f3865952004bfc6fe22c488d768276866f8ae1
Merged-In: I52f3865952004bfc6fe22c488d768276866f8ae1

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
(cherry picked from commit 985db6d8)

avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e

* changes:
  Test that /proc files have proc_type attribute.
  Assert types labeled in genfs_contexts have correct attributes

Bug: 74182216
Test: build sailfish, walleye, etc policy
Change-Id: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
Merged-In: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
(cherry picked from commit 4c80c2ca)

Types in sysfs should have the sysfs_type attribute, types in
debugfs and tracefs should have the debugfs_type attribute.

TODO: Test that files in procfs have the proc_type attribute.
TODO: Assert these tests in CTS.

Bug: 74182216
Test: build - these are build-time tests.
Change-Id: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf
Merged-In: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf
(cherry picked from commit 1b828444)

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Change-Id: Id7823a3130443107beb4d97426807a6395cf6930
related-to-bug:74607984
test:adb bugreport and check for drm trace dumps

A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.

Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.

Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d
Merged-In: I5d7a029f82505983d21dc722541fb55761a8714d
(cherry picked from commit 0dc35873)

Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

(cherry picked from commit c8fe29ff)

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Merged-In: Ie000a00ef56cc603f498d48d89001f566c03b661
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661

This reverts commit 942500b9.

Bug: 75287236
Test: boot a device
Merged-In: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
(cherry picked from commit a6d9d6b6)

Bug: 75968642
Test: manual testing to check for sepolicy violation
Cherry-picked from aosp/652222

Change-Id: Idc83669feaf9fd17bed26f89dfce33e3f2f5424f

The netutils_wrapper is a process used by vendor code to update the
iptable rules on devices. When it update the rules for a specific chain.
The iptable module will reload the whole chain with the new rule. So
even the netutils_wrapper do not need to add any rules related to xt_bpf
module, it will still reloading the existing iptables rules about xt_bpf
module and need pass through the selinux check again when the rules are
reloading. So we have to grant it the permission to reuse the pinned
program in fs_bpf when it modifies the corresponding iptables chain so
the vendor module will not crash anymore.

Test: device boot and no more denials from netutils_wrapper
Bug: 72111305
Change-Id: I62bdfd922c8194c61b13e2855839aee3f1e349be
(cherry picked from aosp commit 2623ebcf)

This will test that system/sepolicy/{public/, private/} are identical to
prebuilts if PLATFORM_SEPOLICY_VERSION is not 10000.0.

Bug: 74622750
Test: build policy
Test: correctly catches divergence from prebuilts for frozen policies

Change-Id: I2fa14b672544a021c2d42ad5968dfbac21b72f6a
(cherry picked from commit 81198bb8)

See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Cherry-picked from aosp/631805
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
Merged-In: I891a0209be981d760a828a69e4831e238248ebad

This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed

Access to these files was removed in Oreo. Enforce that access is not
granted by partners via neverallow rule.

Also disallow most untrusted app access to net.dns.* properties.

Bug: 77225170
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1
(cherry picked from commit 886aa54b)

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73

Bug: 73354384
Test: manual
Change-Id: I4fa630624cc247275e11965471461502f451edf4

These denials occur fairly often, causing some logspam.

Bug: 77225170
Test: Boot device.
Change-Id: Icd73a992aee44007d0873743f706758f9a19a112

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0