- Oct 23, 2018

Vinay Kalia authored
BUG: 117424656
BUG: 111185513
Test: run vts -m VtsHalPowerStatsV1_0Target
Change-Id: Icb0790219df4189c0dabbe41221e69e56d000755
- Oct 15, 2018

Chong Zhang authored
Add a service in mediaswcodec to load updated codecs, and restrict it to userdebug/eng. Reuse existing mediaextractor_update_service since the codec update service is identical; this avoids adding a new one for now, as we may not need the service anymore after switching to APEX.
Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4

Florian Mayer authored
This does not actually grant any permissions but just adds the necessary boilerplate for a new service.
Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
- Oct 13, 2018

Tri Vo authored
same_process_hal_file is exempted from many Treble neverallows. We want to know which processes access this type to eventually constrain access to it.
Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
- Oct 12, 2018

Tri Vo authored
We add this type with the intent to expose /system/bin/tcpdump to vendor on userdebug devices only.
Bug: 111243627
Test: device boots, /system/bin/tcpdump correctly labeled as tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0

Siarhei Vishniakou authored
Input device configuration files .idc, .kl that are placed in /vendor are currently not accessible. Allow the read access here.
Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
- Oct 11, 2018

Chong Zhang authored
Set up a new service for sw media codec services.
Bug: 111407413
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e

Nick Kralevich authored
The auditallow added in 7a4af30b has not triggered. This is safe to remove.
Test: device boots and no obvious problems.
Test: No audit messages seen since May 2018 on go/sedenials
Bug: 9496886
Bug: 68016944
Change-Id: I3861b462467e1fc31e67a263ad06716a4111dcb8

Tri Vo authored
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively.
Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25e.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
- Oct 10, 2018

Sooraj Sasindran authored
Add ians service contexts
Bug: 113106744
Test: verified from service list that ianas is registered
Change-Id: Iea653416ffa45cba07a544826e0a2395d31cedca
Merged-In: Iea653416ffa45cba07a544826e0a2395d31cedca

Tri Vo authored
This patch gives global access to asan libraries. This is not ideal since the labeling is not symmetric with standard locations, but this approach is easy to maintain.
Fixes: 117555408
Test: processes on asan builds load /data/asan/* libs correctly
Change-Id: If54558c1808d8b16e06073c150c9f3eb358dda67

Nick Kralevich authored
Remove kernel attack surface associated with ioctls on plain files. In particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of entities. However, it's straightforward enough to turn on ioctl whitelisting for everything, so we choose to do so.
Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2

Nick Kralevich authored
This reverts commit 9899568f.
Reason for revert: Reports of high numbers of SELinux denials showing up on the SELinux dashboard.
Bug: 110043362
Change-Id: Id8fc260c47ffd269ac2f15ff7dab668c959e3ab0
- Oct 09, 2018

Tri Vo authored
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively.
Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
Change-Id: I9e441b26792f1edb1663c660bcff422ec7a6332b
- Oct 08, 2018

Sudheer Shanka authored
Bug: 117440207
Bug: 111890351
Test: manual
Change-Id: Ie218dec3e4f0f5dbade6d1c4d28b259909664056

Igor Murashkin authored
This daemon is very locked down. Only system_server can access it.
Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f

Howard Ro authored
We plan on migrating MetricsLogger to write to statsd socket. So we need to allow zygote, which writes to logd using MetricsLogger, to also be able to write to statsd. We also re-locate some sepolicies to write to statsd socket in their respective policy definitions.
Bug: 110537511
Test: no failure/violations observed
Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc

Tri Vo authored
Bug: 117178352
Test: no denials to /system/asan.options on asan walleye
Change-Id: I6042693afb926a22a3e2be79bd2a7ba062806143

Mark Salyzyn authored
A default set of options is available, but can be overridden in an fstab overlay entry with upperdir=, lowerdir= to the same mount point, and workdir=. The default is a valid /mnt/scratch/overlay/ or /cache/overlay/ directory, with .../<mount_point>/upper and .../<mount_point>/work, associated with each system partition <mount_point>.
Test: manual
Bug: 109821005
Change-Id: I5662c01fad17d105665be065f6dcd7c3fdc40d95
- Oct 04, 2018

Christine Franks authored
Bug: 111215474
Test: boots
Change-Id: Ib8cabeb64a8b4ec9f592d870bd0af611a2720cc7

Martijn Coenen authored
apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered, apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
- Oct 03, 2018

Nick Kralevich authored
Isolated apps provide a very strict security guarantee, including the inability to create networking sockets like TCP / UDP sockets. Add an SELinux neverallow assertion to test for this and prevent regressions.
Test: policy compiles.
Change-Id: I2618abb17375707eb1048e89faa46f57d33e1df4
- Oct 02, 2018

Tri Vo authored
New maintenance scheme for mapping files: say V is the current SELinux platform version; then at any point in time we only maintain the (V->V-1) mapping. The (V->V-n) map is constructed from the top (V->V-n+1) and bottom (V-n+1->V-n) maps without changes to previously maintained mapping files.
Caveats:
- 26.0.cil doesn't technically represent the 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases.
Bug: 67510052
Test: adding new public type only requires changing the latest compat map
Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8

Sooraj Sasindran authored
Rename ANAS to ANS
Bug: 117156243
Test: Verified using developer options
Change-Id: Ied208d94183a1ad493213841570ae5cd5b9c3fa8
- Oct 01, 2018

Tri Vo authored
Test: m selinux_policy
Change-Id: I6a8ff2200c82b6ecdc1404bc7cf186f439950a30

Tri Vo authored
Map proc_qtaguid_ctrl to qtaguid_proc, not qtaguid_device. Map proc_slabinfo to proc in the correct place.
Test: m selinux_policy
Change-Id: I37c9dfe40bd20924215856b5d4ff7d9b3cbd0417

Jeff Vander Stoep authored
Remove these files from proc_net_type. Domains that need access must have permission explicitly granted. Neverallow app access except the shell domain.
Bug: 114475727
Test: atest CtsLibcoreOjTestCases
Test: netstat, lsof
Test: adb bugreport
Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
- Sep 28, 2018

Howard Ro authored
Bug: 116732452
Test: No sepolicy violations observed with this change
(cherry picked from commit I1958182dd8ecc496625da2a2a834f71f5d43e7bb)
Change-Id: Ib386767d8acfacf9fedafd9a79dd555ce233f41c

Sudheer Shanka authored
Bug: 111890351
Test: manual
Change-Id: I37d632c9877c6d6f929937d8e25098763807630c

Jeff Vander Stoep authored
This change is for testing potential app-compat issues when removing access to files in /proc/net. See: b/114475727#comment11.
Bug: 114475727
Test: build/boot taimen.
Test: atest CtsLibcoreOjTestCases
Test: FileSystemPermissionTest
Test: ListeningPortsTest b/114772424
Change-Id: I1db1c2b41308e47c9ec9db57ea8597a650c8906d
(cherry picked from commit 6784f80b)

Chenbo Feng authored
In the next Android release, there will be devices that have no xt_qtaguid module at all, and framework and netd will decide which code path it takes for trafficStats depending on the device setup. So all apps and services should not depend on this device-specific implementation anymore and use public API for the data they need.
Bug: 114475331
Bug: 79938294
Test: QtaguidPermissionTest
Change-Id: I0d37b2df23782eefa2e8977c6cdbf9210db3e0d2
- Sep 27, 2018

Howard Ro authored
Bug: 116732452
Test: no sepolicy violations observed with this change
Change-Id: I1958182dd8ecc496625da2a2a834f71f5d43e7bb

Nick Kralevich authored
system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions.
Additionally, add commented-out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

Nick Kralevich authored
/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file, a label shared with /data/misc/zoneinfo. However, each of these directory locations has different security characteristics. In particular, the files in /system/usr/share/zoneinfo must never be writable, whereas /data/misc/zoneinfo may be written to by system_server. Reusing the same label hides these different security characteristics. Create a separate label for /system/usr/share/zoneinfo.
Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879

- Sep 26, 2018

Hector Dearman authored
Historically most uses of atrace happen via the shell domain. There are two exceptions:
- boot tracing
- traced_probes
We need to get feature parity, so atrace has the same behavior when it is invoked either via shell or from its own domain (e.g. via traced_probes, which has an auto_trans rule into atrace on exec). Atrace works by setting system properties to enable tracing from userspace, then poking all the binder services to read the system properties (see [1]), so enabling the system_server category requires the ability to call binder methods on the system_server. For more use cases see b/113127224
[1]: https://android.googlesource.com/platform/frameworks/native/+/9ead54bed65d486fe435793cbe98ed8b4786f7be/cmds/atrace/atrace.cpp#545
Bug: 113127224
Test: Add an atrace category to the Perfetto config and confirm the data shows up.
Cherry-picked from aosp/747608
Change-Id: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a
Merged-In: Id077eff960ffb1cdd7b0ce84b21ac9ef70444a4a

Wei Wang authored
Bug: 111098596
Test: atrace/systrace
Change-Id: I06ca76750d640c98849c475c8a237d62c8e582b9
- Sep 24, 2018

Tri Vo authored
Fixes:
avc: denied { read } for comm="init" name="linker_asan64" dev="sda22" ino=1833 scontext=u:r:init:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=lnk_file permissive=0
Bug: 116486312
Test: adb unroot && adb shell ls -l /system/bin/linker_asan
Change-Id: I754daaf3576e83d516cc9189b8be04dcc41bbc5c
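A small triage helper for denials like the one quoted in the commit above, added here as an example and not code from the AOSP sepolicy project: it parses avc denial lines as they appear in logcat, groups them by source domain, target type and object class, and renders the candidate allow rule a policy author would then check against the existing neverallows before committing anything. The sample lines are constructed; hal_foo_default is a hypothetical domain.

```python
import re

# Constructed sample log: the first line is the denial quoted in the commit
# message above; the other two are made up in the same format for illustration.
SAMPLE_LOG = """\
avc: denied { read } for comm="init" name="linker_asan64" dev="sda22" ino=1833 scontext=u:r:init:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=lnk_file permissive=0
avc: denied { open } for comm="init" name="linker_asan64" dev="sda22" ino=1833 scontext=u:r:init:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=lnk_file permissive=0
avc: denied { write } for comm="hal_foo" name="tasks" dev="tmpfs" ino=42 scontext=u:r:hal_foo_default:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict for one avc denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # The type is the third field of a context: u:r:init:s0 -> init,
    # u:object_r:cgroup:s0 -> cgroup.
    return {
        "perms": set(m.group("perms").split()),
        "source": kv["scontext"].split(":")[2],
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "enforced": kv.get("permissive") == "0",
        "comm": kv.get("comm", "?"),
    }


def summarize(log):
    """Group denials by (source, target, class) and merge their permissions."""
    groups = {}
    for line in log.splitlines():
        d = parse_denial(line)
        if d:
            key = (d["source"], d["target"], d["tclass"])
            groups.setdefault(key, set()).update(d["perms"])
    return groups


def candidate_rules(log):
    """Render each group as the allow rule to review (audit2allow style)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(log).items())]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

Merging the per-line permissions matters because a single failed open typically produces several denials (read, open, getattr) that belong in one rule.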
Fan Xu authored
Create a new service type buffer_hub_binder_service for BufferHubBinderService and allow bufferhubd to publish the service. Add the service to 26.0, 27.0 and 28.0 compat ignore files since the service is not available in past versions.
Fixes: 116022258
Test: build passed
Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3

Tej Singh authored
This adds /proc/uid_io/stats to the files that system server is able to read.
Test: Manual test on master produces no selinux violations.
Change-Id: I2c7afec149f893b000094739d91531dec559de6f