- May 15, 2019
Ian Pedowitz authored
Bug: 129943426
Test: Build
Change-Id: I3e091652fa8d1757b1f71f7559186d5b32f000d5

- May 14, 2019
Jeff Sharkey authored
installd has been deleting files on the primary (emulated) storage device for a while now, but it was lacking the ability to delete files on secondary (physical) storage devices. Even though we're always going through an sdcardfs layer, the kernel checks our access against the label of the real underlying files.

Instead of tediously listing each possible storage label, using "sdcard_type" is more descriptive and future-proof as new filesystems are added.

avc: denied { read open } for path="/mnt/media_rw/1B82-12F6/Android/data/com.android.cts.writeexternalstorageapp" dev="loop9p1" ino=1224 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { write search } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { remove_name } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { unlink } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
avc: denied { rmdir } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1

Bug: 113277754
Test: atest android.appsecurity.cts.StorageHostTest
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/pm/
Change-Id: Id79d8f31627c0bfb490b4280c3b0120d0ef699bf

- May 10, 2019
Nicolas Geoffray authored
Nicolas Geoffray authored
ART generically locks profile files, and this avoids special casing the ART code for read-only partitions.

An example of how ART does it:
https://android-review.googlesource.com/c/platform/art/+/958222/3/runtime/jit/jit.cc#731

Bug: 119800099
Test: system server locking a system file, no denial

(cherry picked from commit db3fde05b507a9c425d4a8539292a005d82a81c1)

Change-Id: I5623f5d548dd1226e5788e369333922a27f14021
Merged-In: I4339f19af999d43e07995ddb77478a2384bbe209

Maciej Żenczykowski authored
bpf programs/maps are now loaded by the bpfloader, not netd

Test: built/installed on crosshatch which uses eBPF - no avc denials
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Merged-In: I1ebd82e6730d62d1966da3c4634ecd78ce703543
(cherry picked from commit 487fcb87c0af63e469b0835ba730715a34897f8f)

Maciej Żenczykowski authored
No longer needed, since this is now done by netd.

In a separate commit so it can potentially not be backported to Q if we so desire.

Test: build/installed on crosshatch with netd/clatd changes, and observed functioning ipv4 on ipv6 only network with no avc denials
Bug: 65674744
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Merged-In: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
(cherry picked from commit 3e41b297d213008a2e17b145b5c0a90ea747ffd6)

TreeHugger Robot authored
Marco Nelissen authored
Maciej Żenczykowski authored
Fix for:
type=1400 audit(): avc: denied { getopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
type=1400 audit(): avc: denied { setopt } for comm=73657276657220736F636B6574 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
type=1400 audit(): avc: denied { read } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket
type=1400 audit(): avc: denied { write } for comm="adbd" scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=vsock_socket

Test: now fewer audit warnings!
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I3bd1b2262dc6dcb099403d24611db66aac9aecb0
Merged-In: I3bd1b2262dc6dcb099403d24611db66aac9aecb0
(cherry picked from commit ae68bf23b661232776204bd86fba95bfb986635f)

Maciej Żenczykowski authored
Fix for:
type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="socket:[25224]" dev="sockfs" ino=25224 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket permissive=0

b/77868789

Test: built and observed no more avc denials on aosp blueline
Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5af4d01e17f2d37335f523a49c7b1f81886edfa2
Merged-In: I5af4d01e17f2d37335f523a49c7b1f81886edfa2
(cherry picked from commit 210cdc6fa46e4600897f0b71331ad20988b281c4)

Maciej Żenczykowski authored
This is presumably libc isatty detection on stdin/out/err. Either way - allowing it is harmless.

This fixes:
type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0

Test: built and observed no more avc denials on crosshatch
Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4
Merged-In: Ieab51aeb67ebb85b6c778410ba96963612277ae4
(cherry picked from commit afa10f7223d1f4a26ed6aa3e7895c717e6a90358)

- May 09, 2019
Marco Nelissen authored
Media component update service is removed, so selinux permissions for it are no longer needed.

Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95

Joel Galenson authored
These denials are intermittent and unnecessary. Hide them while we investigate how to properly fix the issue.

Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2

- May 08, 2019
TreeHugger Robot authored
Hridya Valsaraju authored
VTS tests are run after flashing a GSI image on the device. The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit are currently placed in the product partition and will be overwritten by the GSI image. We need to move these properties to the vendor partition so that they will be available even after the device is flashed with GSI.

Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Merged-In: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51

Maciej Zenczykowski authored
Maciej Żenczykowski authored
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families") modified the kernel to support fine grain differentiation of socket families, if userspace enables it (which Android does).

Modify the mtp SELinux policy to allow the use of pppox_socket (needed for kernels 4.14 or greater) and the generic "socket" family (for kernels below 4.14).

Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
Merged-In: I8ac4c2f98f823120060e51438b39254898f4a27e
(cherry picked from commit 8fa5ebdee71df257ddaf6313b396bf6c721229aa)

- May 07, 2019
Maciej Żenczykowski authored
This is needed to resolve some race conditions between clatd startup and interface naming/numbering.

This resolves:
type=1400 audit(): avc: denied { read write } for comm="Binder:820_4" name="tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
type=1400 audit(): avc: denied { open } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
type=1400 audit(): avc: denied { ioctl } for comm="Binder:820_4" path="/dev/tun" dev="tmpfs" ino=20564 ioctlcmd=0x54ca scontext=u:r:netd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file
type=1400 audit(): avc: denied { create } for comm="Binder:820_4" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tun_socket

Test: built/installed on crosshatch with netd->clatd tunfd passing and observed no selinux denials
Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
Merged-In: Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306
(cherry picked from commit 6450e0038bb5d0b900035a729e84a9ff1a5b0bb3)

- May 06, 2019
Nick Kralevich authored
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families") modified the kernel to support fine grain differentiation of socket families, if userspace enables it (which Android does).

Modify the ppp SELinux policy to allow the use of pppox_socket (needed for kernels 4.14 or greater) and the generic "socket" family (for kernels below 4.14).

Addresses the following denials:
04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1
04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1

Bug: 130852066
Test: compiles
Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc
Merged-In: I00cc07108acaac5f2519ad0093d9db9572e325dc

- May 02, 2019
TreeHugger Robot authored
Anton Hansson authored
Luke Huang authored
Bug: 65862741
Test: built, flashed, booted
Change-Id: Ie6a5e7d8bb501fb6144c9fe00756301b90ab5210

- May 01, 2019
Wei Wang authored
psi monitor sched_setscheduler(kworker->task, SCHED_FIFO, &param) was added into pa/1282597

Bug: 131252752
Bug: 129476847
Test: build
Change-Id: I69fdd90e4a39da8d33b417efc7ea7a0da9d9290b

TreeHugger Robot authored
- Apr 30, 2019
TreeHugger Robot authored
Hung-ying Tyan authored
and allow shell and system_app (Settings) to set it to enable Dynamic System Update. Also allow priv_app (user of the API) to read it.

Bug: 119647479
Bug: 129060539
Test: run the following command on crosshatch-user:
adb shell setprop persist.sys.fflag.override.settings_dynamic_system 1
Change-Id: I24a5382649c64d36fd05a59bc87faca87e6f0eb8
Merged-In: I24a5382649c64d36fd05a59bc87faca87e6f0eb8

- Apr 29, 2019
Anton Hansson authored
These properties were moved to /vendor as part of b/130025216. Allow them to be set by vendor_init, too.

Bug: 130025216
Bug: 131066061
Test: no SELinux warnings for said props at boot
Change-Id: I5293831bedb89e9c8d3ddf13cf7babde26872f28
Merged-In: I5293831bedb89e9c8d3ddf13cf7babde26872f28

- Apr 26, 2019
TreeHugger Robot authored
Carmen Jackson authored
Bug: 130784724
Test: manual
Change-Id: Ic1903e273f5a136b3e0b14a901a60d8d0a81b211

Luke Huang authored
Bug: 65862741
Test: built, flashed, booted
Merged-In: I346520c47b74fde5137ad7c777f0a9eca50a06d7
(cherry picked from commit 554b334d7be6f90fc55c62936625bb544853168a)
Change-Id: I0a03b88369bd2eca6593d252c4dff3ce7745b6cc

- Apr 25, 2019
Paul Crowley authored
Bug: 131084614
Test: Modify vold_prepare_subdirs to match and test on Crosshatch.
Change-Id: Id5402e6b5da3f1e5549f49f8273dd9f052c348d7

TreeHugger Robot authored
Winson Chiu authored
Winson Chiu authored
When upgrading a package, PackageParser acts on the temporary APK file copied from the install location. This is passed to idmap, which doesn't have read access because it's missing an SELinux rule.

This is needed to fix a bug with manifest overlaying on updating an app, a feature kept alive for Q.

Relevant logs when updating a target:
[ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1
[ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1

Bug: 130559507
Test: manual
adb push /system/product/app/TestApp.apk with /system/product/overlay/TestOverlay.apk enabling disabled launcher Activity in TestApp; adb install -r TestApp.apk keeps enabled state with changes
Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff
(cherry picked from commit 7e7291a763dac0f800144c6bd1dcc7eca8bb026b)

Miao Wang authored
Bug: 131169221
Test: mm
Change-Id: I1004821bd30e2a0586b14178e352e885cabfc002

- Apr 24, 2019
TreeHugger Robot authored
TreeHugger Robot authored
TreeHugger Robot authored
TreeHugger Robot authored
Jack Yu authored
Bug: 130509605
Test: No avc denial log and NFC works with hal v1.2
Change-Id: If54884f76a32705d11f2085f66fe83b9e0354f79
Merged-In: If54884f76a32705d11f2085f66fe83b9e0354f79
(cherry picked from commit a5dde796b5bc7e372d5cafd2928b9a0aa35dee13)