- Oct 17, 2018
-
-
Nick Kralevich authored
Addresses the following denial:

type=1400 audit(0.0:51894): avc: denied { ioctl } for comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=30291 ioctlcmd=0x6782 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0 app=com.android.providers.media

Test: policy compiles.
Change-Id: I5290abb2848e5824669dae4cea829d4cbea98ab4
-
Dario Freni authored
Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
-
Treehugger Robot authored
-
- Oct 16, 2018
-
-
Tri Vo authored
Input files are public API: https://source.android.com/devices/input/input-device-configuration-files

Now that they have labels from core policy (aosp/782082), we can tighten up our neverallows.

Bug: 37168747
Test: m selinux_policy
Change-Id: Ifaf9547993eb8c701fb63b7ee41971ea4e3f7cf9
-
Bowgo Tsai authored
Input config should be under /odm when it's "device-specific", instead of /vendor (for "SoC-specific"). However, not all devices have an /odm partition, so having the fallback symlink /odm -> /vendor/odm is important.

Bug: 112880217
Test: build
Change-Id: I294e2b172d06d58a42c51c128e448c7644f854dc
-
Nick Kralevich authored
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying).

system/sepolicy commit 4397f082 added the map permission to common file macros, to ensure that file access would continue working even in the presence of a newer kernel. However, that change did not affect socket access. Certain socket classes, such as AF_NETLINK and AF_PACKET, also support mmap operations.

This change adds the map permission to rw_socket_perms, to ensure continued support for newer kernels. This technically allows mmap even in cases where the socket family doesn't support it (such as TCP and UDP sockets), but granting it is harmless in those cases.

In particular, this fixes a bug in clatd, where the following error would occur:

10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064
10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied

Test: policy compiles
Bug: 117791876
Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
-
- Oct 15, 2018
-
-
Chong Zhang authored
Add a service in mediaswcodec to load updated codecs, and restrict it to userdebug/eng.

Reuse existing mediaextractor_update_service since the codec update service is identical; this avoids adding a new one for now, as we may not need the service anymore after switching to APEX.

Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
-
Tri Vo authored
Bug: 111243627
Test: m selinux_policy
Change-Id: I0bab79d1a3b7a8b5bf5d12ba2dc5ce46abea5332
-
David Anderson authored
-
Treehugger Robot authored
-
David Anderson authored
This reverts commit 7a560eb4.

Reason for revert: build bustage

Change-Id: Iba0ba7a899dca865129a9c715c5f60f8a6edcc2f
-
Tri Vo authored
Policy w.r.t. apps:
- cgroup access from untrusted apps and priv app is neverallow'ed.
- other apps (e.g. vendor apps) need to explicitly declare appropriate access rules to cgroups.

Policy w.r.t. native domains:
- libcutils exports API to /dev/{cpuset, stune}/*. This API is used abundantly in native vendor code. So we are not going to limit non-app access to cgroup.

Bug: 110043362
Bug: 117666318
Test: m selinux_policy, boot device
Change-Id: I83aee21ca3e8941725c70706769ea9dbdc76b9c5
-
Treehugger Robot authored
-
Florian Mayer authored
This does not actually grant any permissions but just adds the necessary boilerplate for a new service.

Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
-
Nick Kralevich authored
This is needed to find the file on the raw block device, so it can be securely deleted.

Addresses the following denials:

type=1400 audit(0.0:492): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/10/current/encrypted_key" dev="dm-3" ino=9984 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:517): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/11/current/secdiscardable" dev="dm-3" ino=9581 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:694): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/0/current/keymaster_key_blob" dev="dm-3" ino=9903 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Test: policy compiles and device boots
Change-Id: I1adf21b7fa92b1f92ce76532f4d9337a4d58a2e5
-
- Oct 13, 2018
-
-
Tri Vo authored
Input files are public API: https://source.android.com/devices/input/input-device-configuration-files

Now that they have labels from core policy (aosp/782082), we can tighten up our neverallows.

Bug: 37168747
Test: m selinux_policy
Change-Id: I7545b190f35b6b2c86c5dc42c0814f7bccbf1281
-
Tri Vo authored
same_process_hal_file is exempted from many Treble neverallows. We want to know which processes access this type to eventually constrain access to it.

Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
-
Tri Vo authored
-
Treehugger Robot authored
-
- Oct 12, 2018
-
-
Treehugger Robot authored
-
Nick Kralevich authored
The shell script interpreter checks if file descriptors are ttys, which causes a bunch of denials. Allow the benign ioctl TCGETS.

Addresses the following denials:

type=1400 audit(0.0:321): avc: denied { ioctl } for comm="sh" path="/data/misc/perfprofd/perferr.txt" dev="sda13" ino=6817306 ioctlcmd=5401 scontext=u:r:perfprofd:s0 tcontext=u:object_r:perfprofd_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:3189): avc: denied { ioctl } for comm="ps" path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp" dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:3004): avc: denied { ioctl } for comm="top" path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-XXXXXXXXX-MASTER-2018-10-11-16-52-40.tmp" dev="dm-2" ino=25546 ioctlcmd=0x5401 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Include the virtual sdcard when allowing F2FS specific sqlite ioctls, since apps write sqlite files to the virtual sdcard.

Addresses the following denials:

type=1400 audit(0.0:324): avc: denied { ioctl } for comm="amapLocManagerT" path="/storage/emulated/0/amap/openamaplocationsdk/alsn20170807.db" dev="sdcardfs" ino=3546650 ioctlcmd=f50c scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=0 app=com.xiaomi.hm.health

Test: policy compiles.
Change-Id: I7fc570f2bbf69485b1ee6e6b2d9a421639d29123
-
Tri Vo authored
We add this type with the intent to expose /system/bin/tcpdump to vendor on userdebug devices only.

Bug: 111243627
Test: device boots, /system/bin/tcpdump correctly labeled as tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
-
Hridya Valsaraju authored
Test: fastboot flashall
Bug: 78793464
Change-Id: I8e1e982e3a9e356738944df5bfa1e802794a6a25
-
Nick Kralevich authored
By convention, auditallow statements are typically put into userdebug_or_eng blocks, to ensure we don't accidentally ship unnecessary audit rules. Let's do the same here.

Test: policy compiles.
Change-Id: Ib3eac94284eea3c1ae2f3dacddcb2eaeca95230e
-
Treehugger Robot authored
-
Nick Kralevich authored
installd calls fsverity ioctls FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT on APKs in /data/app. Allow it.

Addresses the following denials:

type=1400 audit(0.0:13): avc: denied { ioctl } for comm="Binder:912_1" path="/data/app/com.android.vending-QZXfga9NZzHdv31lJzPTdQ==/base.apk" dev="dm-3" ino=43887 ioctlcmd=0x6686 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:40): avc: denied { ioctl } for comm="Binder:876_1" path="/data/app/com.android.settings-0xUwDcuYseP40L3WMUTGIw==/base.apk" dev="dm-0" ino=6855 ioctlcmd=0x6685 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

Test: policy compiles and device boots
Bug: 30972906
Change-Id: Ifc88ae6909971c2f2bb24479f5e748fc7900447d
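Several of the messages in this log (the mediaprovider, vold, perfprofd and installd ioctl denials, and the clatd `map` denial on a packet socket) are resolved by reading an avc line and turning it into a narrowly scoped rule. The following Python triage helper is an added example, not code from the sepolicy project or from any of these commits: it parses avc denial lines into fields, decodes the 16-bit `ioctlcmd` that the audit record prints (the `_IO*` magic byte and request number; the size and direction bits are not logged), groups denials by source domain, target type, class and permission, and renders the policy statement shape that would cover each group. The sample lines are copied from the messages above; the function names are my own.

```python
"""Triage helper for SELinux avc denials (added example; constructed sample input)."""
import re
from collections import defaultdict

# Constructed sample: avc lines copied from the commit messages in this log, one per line.
SAMPLE_LOG = """\
type=1400 audit(0.0:51894): avc: denied { ioctl } for comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=30291 ioctlcmd=0x6782 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0 app=com.android.providers.media
type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
type=1400 audit(0.0:492): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/10/current/encrypted_key" dev="dm-3" ino=9984 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:321): avc: denied { ioctl } for comm="sh" path="/data/misc/perfprofd/perferr.txt" dev="sda13" ino=6817306 ioctlcmd=5401 scontext=u:r:perfprofd:s0 tcontext=u:object_r:perfprofd_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:13): avc: denied { ioctl } for comm="Binder:912_1" path="/data/app/com.android.vending-QZXfga9NZzHdv31lJzPTdQ==/base.apk" dev="dm-3" ino=43887 ioctlcmd=0x6686 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc: denied \{(?P<perms>[^}]*)\} for (?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces or '=' (e.g. APK paths with "==").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Parse one avc denial line into a dict; returns None for lines that are not avc denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    # The audit record prints only the low 16 bits of the ioctl request
    # (magic byte and number), in hex, with or without a 0x prefix.
    if 'ioctlcmd' in rec:
        rec['ioctlcmd'] = int(rec['ioctlcmd'], 16)
    # u:r:vold:s0 -> domain "vold"; u:object_r:vold_data_file:s0 -> type "vold_data_file"
    rec['sdomain'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def decode_ioctl(cmd16):
    """Split a 16-bit ioctl value into its _IO* magic character and request number."""
    magic, nr = (cmd16 >> 8) & 0xFF, cmd16 & 0xFF
    # Non-printable magics (e.g. the F2FS 0xf5 family) are shown as hex instead of a char.
    return (chr(magic) if 0x20 <= magic < 0x7F else '0x%02x' % magic), nr


def summarize(log_text):
    """Group denials by (source domain, target type, class, permission); collect ioctl numbers."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            key = (rec['sdomain'], rec['ttype'], rec['tclass'], perm)
            groups[key].update([rec['ioctlcmd']] if perm == 'ioctl' else [])
    return dict(groups)


def suggest_rule(key, cmds):
    """Render the statement shape covering one group: a review starting point, not a rule to apply blindly."""
    sdomain, ttype, tclass, perm = key
    if perm == 'ioctl' and cmds:
        # allowxperm only narrows an existing 'allow ... ioctl'; both are needed in policy.
        xperms = ' '.join('0x%04x' % c for c in sorted(cmds))
        return 'allowxperm %s %s:%s ioctl { %s };' % (sdomain, ttype, tclass, xperms)
    return 'allow %s %s:%s %s;' % (sdomain, ttype, tclass, perm)


if __name__ == '__main__':
    for key, cmds in sorted(summarize(SAMPLE_LOG).items()):
        print(suggest_rule(key, cmds))
        for c in sorted(cmds):
            magic, nr = decode_ioctl(c)
            print('  ioctl 0x%04x -> magic %r nr %d' % (c, magic, nr))
```

The decoded magic and number are what make the review decision: 'T'/1 is TCGETS (the benign tty probe the perfprofd change allows), while the 'f' family covers FIEMAP and the fs-verity requests that the vold and installd changes grant deliberately. A denial whose decoded request does not match the caller's stated purpose is a reason to look at the caller, not to widen the rule.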
-
Siarhei Vishniakou authored
Input device configuration files .idc, .kl that are placed in /vendor are currently not accessible. Allow the read access here.

Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
-
Treehugger Robot authored
-
- Oct 11, 2018
-
-
Sooraj Sasindran authored
-
Chong Zhang authored
Set up a new service for sw media codec services.

Bug: 111407413
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
-
Nick Kralevich authored
The auditallow added in 7a4af30b has not triggered. This is safe to remove.

Test: device boots and no obvious problems.
Test: No audit messages seen since May 2018 on go/sedenials
Bug: 9496886
Bug: 68016944
Change-Id: I3861b462467e1fc31e67a263ad06716a4111dcb8
-
Tri Vo authored
-
Joel Galenson authored
apex_service is already in the list of services dumpstate cannot find; this ensures that the dontaudit list is the same. We hide the denial caused by df reading one of its directories. dumpstate can already call all binder services, so we enable it to call bufferhubd.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5acc84326fa504199221df825549479f3cf50e1
-
Tri Vo authored
What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials

This reverts commit cacea25e.

Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
-
- Oct 10, 2018
-
-
Sooraj Sasindran authored
Add ians service contexts

Bug: 113106744
Test: verified from service list that ianas is registered
Change-Id: Iea653416ffa45cba07a544826e0a2395d31cedca
Merged-In: Iea653416ffa45cba07a544826e0a2395d31cedca
-
Tri Vo authored
-
Treehugger Robot authored
-
Tri Vo authored
This patch gives global access to asan libraries. This is not ideal since the labeling is not symmetric with standard locations, but this approach is easy to maintain.

Fixes: 117555408
Test: processes on asan builds load /data/asan/* libs correctly
Change-Id: If54558c1808d8b16e06073c150c9f3eb358dda67
-
Nick Kralevich authored
ebc3a1a3 enabled ioctl filtering on normal files and directories. However, no per-ioctl permissions were enforced for symbolic links, named pipes ("mkfifo"), or named sockets. Start enforcing fine-grained ioctl restrictions for symbolic links, named pipes, and named sockets.

Motivation: Prevent FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY from being usable on nonsensical filesystem objects and provide a layer of defense for kernel bugs.

Test: Device boots and no obvious problem.
Change-Id: Id81b496ab64f37a0918f3dfd8fa9aaa3227009cc
-
Nick Kralevich authored
They are unneeded.

Test: device boots and no obvious problems.
Change-Id: Ib788a89645c893c8c36acbe7fb34ce93bf6a57d7
-