In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.

In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.

Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046

apns downloaded will enter a new directory that
TelephonyProvider can access.

Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55

Bug: n/a
Test: audioserver is sucessfully able to acquire a wake lock
Change-Id: Ic3d3692eba2c1641ba3c9d8dc5f000f89105d752

Change-Id: Id7823a3130443107beb4d97426807a6395cf6930
related-to-bug:74607984
Test: adb bugreport and check for drm trace dumps
(cherry picked from commit 4f2739bd)

Bug: 72841545
Change-Id: I30c1758e631a57f453598e60e6516da1874afcbf
(cherry picked from commit ec0160a8)

"storaged" service will be used by external clients, e.g. vold, dumpsys
"storaged_pri" service will only be used by storaged cmdline.

Bug: 63740245
Change-Id: I7a60eb4ce321aced9589bbb8474d2d9e75ab7042
(cherry picked from commit 37ab7c09)

This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to acccess, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.

Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574

Bug: 70637118
Test: m && emulator ; also verified
Change-Id: I39dd17d20acc8d380f36e207679b8b1eba63a72e
Merged-In: I39dd17d20acc8d380f36e207679b8b1eba63a72e
(cherry picked from commit 368ae61f)

Bug: 77489941
Test: simulate delay in dumpstate HAL and get BR, see below from dumpstate_log.txt
    dumpstateBoard timed out after 10s, killing dumpstate vendor HAL
    dumpstateBoard failed: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
Change-Id: I90ed5cb8fe8da8ad21ae77676433936cb12d9d04
(cherry picked from commit 60d17674)

Changes 2d626fd84ea0246c963ce2c87ae62461a60f8826 and
869562e9 are the same
commit, but with a different comment. Fix them up to be
the same.

Test: build
Change-Id: I6311413357f457d6ba95886b729ffa53ab80e016

shipping API version:

For devices shipped on O-MR1 nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...

Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.

Support for /data/vendor_de and /data/vendor_ce has been added to vold.

Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
(cherry picked from commit 6116daa7)

For automotive (and I assume for other verticals) it make sense to keep
vertical-specific policies outside of /system/sepolicy as those not used
by the phones. However, there's no way to do it rather than using
BOARD_PLAT_{PUBLIC|PRIVATE}_SEPOLICY_DIR build variables.

Bug: 70637118
Test: lunch device && m
Test: verify it builds, boots and logs seems to be reasonable
Test: enable full treble for aosp_car_x86 - verify it builds, boots and
no denials in the logs

Change-Id: Ia5fd847f7a6152ff6cf99bbbc12e1e322f7946ab
(cherry picked from commit 34f23364)

Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
 --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
 -t android.security.cts.SELinuxHostTest

Merged-In: I27976443dad4fc5b7425c089512cac65bb54d6d9

(cherry picked from commit 4cafae77)

Change-Id: I58e25a0f86579073aa568379b10b6599212134c6

to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3

for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html



Sandeep suggest to re-order the events in that thread,
that should be the right solution,
this change is only a tempory workaround before that change.

Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit

Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>

This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file.  The rules above it still prevent it
from doing anything other than relabelto and getattr.

Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
(cherry picked from commit 597be44e)

hwservicemanager lost the permission to tell init to
start the dumpstate HAL when dumpstate was given this
permission exclusively.

Bug: 77489941 # problem introduced
Bug: 78509314 # converting dumpstate to lazy hals

Test: convert an instance of dumpstate into a lazy HAL,
    run bugreport, see denial, then add permission, and
    see bugreport start to work again.

Change-Id: I033701d8306200bebc0f250afe3d08f9e6ab98a1
(cherry picked from commit 0b1797b8)
Merged-In: I033701d8306200bebc0f250afe3d08f9e6ab98a1

Mtp needs access to this path in order to
change files on an sdcard.

Fixes denial:

05-14 17:40:58.803  3004  3004 W MtpServer: type=1400 audit(0.0:46):
avc: denied { search } for name="media_rw" dev="tmpfs" ino=10113
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
b/77925342 app=com.android.providers.media

Bug: 77849654
Test: no denials using mtp with emulated sdcard
Change-Id: I27b5294fa211bb1eff6d011638b5fdc90334bc80

Let statsd find the service. The system server wants to read file
attributes for the perfprofd dropbox file.

Bug: 73175642
Test: m
Test: manual
Change-Id: I0c0b1dac057af90fff440286226093ec15b5e247

Introduce a standalone live-lock daemon (llkd), to catch kernel
or native user space deadlocks and take mitigating actions.

Test: llkd_unit_test
Bug: 33808187
Bug: 72838192
Change-Id: If869ecd06e5ce7b04bba1dafd0a77971b71aa517

The goal is to allow creating profile snapshots from the shell command in
order to be able to write CTS tests.

The system server will dump profiles for debuggable in /data/misc/profman
from where they will be pulled and verified by CTS tests.

Test: adb shell cmd package snapshot-profile com.android.vending
Bug: 74081010

(cherry picked from commit 687d5e46)

Merged-In: I54690305284b92c0e759538303cb98c93ce92dd5
Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5

Part of an effort to remove Treble-specifics from the way be build
sepolicy.

Bug: 70851112
Test: build and boot bullhead.
Change-Id: I236f031e1b017875fb1afcc4f1b201699139516a

Bug: 79228237
Test: audit2allow finds no relevant denials on boot
Merged-In: Ia80b77ba9a1ec2354127cd0ef68d50ebcf593fb0
Change-Id: Ia80b77ba9a1ec2354127cd0ef68d50ebcf593fb0