am: 1740ddb5

Change-Id: Ic0315c8b659fc226c75f67a3910c2b3efabc1a92

am: ba6cd7b1

Change-Id: I8bbf4dcff1f60df976da404500c9ccf377ea7d65

Merge "Improve neverallow error messages and allow disabling them on userdebug builds." am: 0432e19f
am: 1128a4e5

Change-Id: Id368d7cb6cdbd9a6169b8e10472e82f887bf6788

am: 8fe0a12f

Change-Id: Ic601afe6feddf4c083a004e739d122f78633d0b0

am: 0432e19f

Change-Id: I3714ae2b44086bfaddb89819039b6c8cc575e536

am: 00ab5d86

Change-Id: Ia2db656580086c542a2dd96cbd725686063bcb26

Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6

We use this attribute to annotate coredomains that execute vendor code
in a Treble-violating way.

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c

am: 0003e3d5

Change-Id: I9b40bf692885a09c7303ae22ba765a0098660e18

am: ee268643

Change-Id: I69408d68b23c241e396e303f7b68f34c4f6fb832

This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31

This patch adds a flag that can be used to ignore neverallow rules.
By adding
SELINUX_IGNORE_NEVERALLOWS := true
into the BoardConfig.mk file, neverallow violations will be ignored
silently.  This flag can only be enabled on userdebug and eng builds.

Users of this flag should be very careful.  Since it does not work on
user builds, it must be disabled to pass CTS, and enabling it for
too long could hide issues that need to be addressed.

As a happy side effect, this patch should also improve the error
messages when violating a neverallow rules.  Specifically, the file
and line number should be correct.

Bug: 70950899
Bug: 33960443
Test: Built walleye-{user,eng} with and without this new option and
a neverallow violation.  Built policy for all targets.

Change-Id: Id0d65123cdd230d6b90faa6bb460d544054bb906

am: 9cb71cc9

Change-Id: Ia2337645bebf20575a391d6abd2b5b70659f1787

am: 1d2c3f44

Change-Id: Ic874243cb997d588df01d5099d3c25f14ffd2119

am: 145d2d11

Change-Id: I52cd2febe6aaac3a9c65e94f1ee4d0d56513b4d1

am: 193b1ab3

Change-Id: Iee7632fde0be5301347d6f7e41d3b81c5de37c85

Bug: 71861796
Test: no more denials on walleye for shell init scripts
Change-Id: I51eab267c95a915f927b0aaa7db9d678a83093c7

am: 02dbf4e0

Change-Id: I4977f4c114c304d8a84c081f963644c3b3e4019d

am: 43303c8b

Change-Id: I5e085251c1ccfd8206e421c9b0276a2add385171

Bug: 38206971
Test: test on phone
Change-Id: Id34ab2673c7a16744fba77eb5c176e2e8b474299
Merged-In: Id34ab2673c7a16744fba77eb5c176e2e8b474299

/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and
    video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
    android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
    com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
    android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
    android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
    android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea

am: 42f8d7b2

Change-Id: I76914b2339e3e1e53601ab2156a2fad6e70a6b46

am: 70d2bb43

Change-Id: I431de9cf6745203ef5c34b5c9e807df6bbac59f5

am: 5f6aa039

Change-Id: I04ed395355e2f5244750585d26e5b4762a0c0a31

am: f9e7b002

Change-Id: I5749ef12d05909741209e012febdbb3a903932c9

Update statsd sepolicies to avoid selinux violations during cts tests and pulling metrics am: e27af27f
am: 955e543a

Change-Id: I8a9c4563ac6fc09e280e41c0bcef1d480f61e481

am: 73b9d8d8

Change-Id: Iaa17a95b76afdca7b7851728228b74b0d98a36fe

am: be7b1b4f

Change-Id: I58c660f564a39e2d60389d922a03966a9160e102

am: e27af27f

Change-Id: I40b4e204ec7d58c7d6971cf7e5e502e10011737a

* changes:
  vold_prepare_subdirs: grant chown
  statsd: annotate boot denials

Test: none
Change-Id: I42f2c2a09235d907b020c4924b91a3428f6c9d8e

Addresses:
avc: denied { chown } for comm="vold_prepare_su" capability=0
scontext=u:r:vold_prepare_subdirs:s0
tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability

Bug: 71796118
Test: build
Change-Id: I64b2f1ad8d6e0748c5820b8a37a4fc4f4101d1fb

Point logspam to its owner.

Bug: 71537285
Test: build
Change-Id: I9db561ee6f2857214b7945b312e6d303630724ea

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e