Test: bit FrameworksCoreTests:android.view.textclassifier.TextClassificationManagerTest
Bug: 34780396
Change-Id: I8b98fef913df571e55474ea2529f71750874941c

Bluetooth needs the capability to set audio-related threads to be RT
scheduled.  Grant it sys_nice.

system_server needs to set priority for the Bluetooth HAL.  Allow it.

Bug 37518404
Test:  Play Bluetooth audio, confirm RT scheduling with systrace
Merged-In: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f

(cherry picked from commit 6eee6eb2)

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329

iptables recently changed its behavior to strictly require xtables.lock.
dumpstate selinux policy must be updated to allow access.

Bug: 37648320
Test: dumpstate succeeds with no avc: denied ... xtables.lock messages
Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd

This adds a neverallow rules which checks that SELinux app domains
which host arbitrary code are not allowed to access hwservicemanager
operations other than "find" operation for which there already are
strict neverallow rules in the policy.

Test: mmm system/sepolicy -- neverallow-only change
Bug: 34454312
Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layes of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already as, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d

Bug: 37152880
Bug: 37554633
Test: adb shell am hang --allow-restart
Test: adb shell dumpstate
Change-Id: Ie68607f3e3245a40056bdde7dd810ddf212b4295

Bug: 37541374
Test: Build and boot sailfish

Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc
Signed-off-by: Sandeep Patil <sspatil@google.com>

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31

Fixes: 37536706
Test: Ensure no boot-time error and companion functionality works
Change-Id: I80ced92cb62aa10e1847980eb9a169af3bcd21f0

Bug: 37504387
Test: aaudio example write_sine, needs MMAP support
Change-Id: I7fbd87ad4803e8edbde4ba79220cb5c0bd6e85a0
Signed-off-by: Phil Burk <philburk@google.com>

Bug: 37485771
Test: sideloaded OTA through recovery on sailfish

Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: 37476041
Test: make, pair and connect to HID device
Change-Id: Ic7e81382994769e3f3a91255dcf3624edeaf6bfd
(cherry picked from commit a61f7f60)

These rules allow the additional tracepoints we need for running traceur
in userdebug builds to be writeable.

Bug: 37110010
Test: I'm testing by running atrace -l and confirming that the
tracepoints that I'm attempting to enable are available.

Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd

vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e

This commit marks surfaceflinger and app domain (except isolated_app)
as clients of Configstore HAL. This cleans up the policy and will make
it easier to restrict access to HwBinder services later.

Test: Play YouTube clip in YouTube app and YouTube web page in Chrome
Test: Take an HDR+ photo, a normal photo, a video, and slow motion
      video in Google Camera app. Check that photos show up fine and
      that videos play back with sound.
Test: Play movie using Google Play Movies
Test: Google Maps app displays the Android's correct location
Bug: 34454312
Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371

This commit marks system_server and app domains (except isolated_app)
as clients of Graphics Allocator HAL. This makes the policy cleaner
and prepares ground for restricting access to HwBinder services.

Test: Play video in YouTube app and in Google Chrome YouTube web page
Test: Using Google Camera app, take an HDR+ photo, a conventional
      photo, record a video with sound and a slow motion video with
      sound, then check that photos look good and videos play back
      fine, including sound.
Bug: 34454312
Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a

The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.

Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829

Bug: 36463595
Test: Boot sailfish, make wifi call, internet over data and wifi

Change-Id: I81259b6412d7197725afe2fe4976aa0a03b8df6e
Signed-off-by: Sandeep Patil <sspatil@google.com>

Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f

Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8

Bug: 36463595
Test: Boot sailfish and make sure all vendor services that are shell scripts
      work. (Checke exited status)

Change-Id: I3d1d564114a914dec8179fb93a9e94493c2808da
Signed-off-by: Sandeep Patil <sspatil@google.com>

The vendor toybox MUST always be executed without transition and
non-vendor processes are not allowed to execute the binary.

Bug: 36463595
Test: Boot and test if system shell can run /vendor/bin/echo
      Result: requires 'su'

Change-Id: Ifb9aa61f247f91fb870b99d60ac7f849ee9c6adc
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c112cd18e8999c0242a2560219033231a0e19898)

Bug: 36463595
Test: sailfish boots without new denials

Change-Id: I4271a293b91ab262dddd4d40220cd7daaff53bf2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit b2586825e1ce92d637754b4c40e4d5edfd50a1a6)

This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.

Test: Use Google Camera app to take HDR+ photo, conventional photo,
      record video with sound, record slow motion video with sound.
      Check that the photos display correctly and that videos play
      back fine and with sound. Check that there are no SELinux
      denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64

hwservicemanager can check hwservice_contexts files
both from the framework and vendor partitions.

Initially, have a wildcard '*' in hwservice_contexts
that maps to a label that can be added/found from
domain. This needs to be removed when the proper policy
is in place.

Also, grant su/shell access to hwservicemanager list
operations, so tools like 'lshal' continue to work.

Bug: 34454312
Test: Marlin boots
Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc

Test: trigger dumpsys storaged from GMScore
Bug: 37284569
Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176

All HALs which are represented by hal_* attributes in SELinux policy
are required to run in binderized mode on Treble devices. This commit
thus makes the SELinux policy for Treble devices no longer associate
domains in hal_x_client with hal_x attribute, which is what was
granting domains hosting clients of hal_x the rules needed to run this
HAL in-process. The result is that core components have now less
access.

This commit has no effect on non-Treble devices.

Test: Device boots -- no new denials
Test: Play movie using Google Play Movies and Netflix
Test: Play YouTube clip in YouTube app and in Chrome
Test: Unlock lock screen using fingerprint
Test: Using Google Camera, take a photo, an HDR+ photo, record a
      video with sound, a slow motion video with sound. Photos and
      videos display/play back fine (incl. sound).
Test: adb screencap
Test: $ monitor
      take screenshot
Test: In all tests, no deials to do with hal_*, except pre-existing
      denials to do with hal_gnss.
Bug: 37160141
Bug: 34274385
Bug: 34170079
Change-Id: I1ca91d43592b466114af13898f5909f41e59b521

Test: test_aaudio.cpp
Bug: 33398120
Change-Id: I0712f60c898136154d729ceb1103ee021cc6ab82
Signed-off-by: Phil Burk <philburk@google.com>
(cherry picked from commit 8b9d93f2)

As the platform progresses in the split SELinux world, the platform
will need to maintain mapping files back to previous platform versions
to maintain backwards compatibility with vendor images which have SELinux
policy written based on the older versions.  This requires shipping multiple
mapping files with the system image so that the right one can be selected.
Change the name and location of the mapping file to reflect this.  Also add
a file to the vendor partition indicating which version is being targeted that
the platform can use to determine which mapping file to choose.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I93ab3e52c2c80c493719dc3825bc731867ea76d4

With build/core eaa9d88cf, system_server should not be loading code
from /data. Add an auditallow rule to report violations.

Bug: 37214733
Test: Boot marlin, no SELinux audit lines for system_server.
Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521
(cherry picked from commit 665128fa)

Only privileged apps are supposed to be able to get unique IDs from
attestation.

Test: CTS test verifies the negative condition, manual the positive
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578

This reverts commit 97848f05.

Reason for revert: b/37218817

Change-Id: I3280be8873d60d66852b4f01f4af4eeaee6b5502

audioserver uses an always-passthrough Allocator HAL (ashmem / mapper)
whose .so is loaded from /system/lib64/hw.

Test: Modify hal_client_domain macro to not associate client of X HAL
      with hal_x attribute. Play Google Play Movies move -- no denials
      and AV playback works.
Bug: 37160141

Change-Id: I7b88b222aba5361a6c7f0f6bb89705503255a4b1

Renderscript drivers are loaded from /vendor/lib64 by following the
/system/vendor symlink. This change fixes a couple of things.
- Allows all domains access to follow the symlink
- Restores app domain permissions for /vendor for non-treble devices
- Allow app domains to peek into /vendor/lib64, but NOT grant 'execute'
  permissions for everything. Since RS drivers can be loaded into any
  process, their vendor implementation and dependencies have been
  marked as 'same process HALs' already.

Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
      ./cts-tradefed run cts -m CtsRenderscriptTestCases \
      --skip-device-info --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a
      Result: Tests Passed: 743 Tests Failed: 0

Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: Sandeep Patil <sspatil@google.com>

This change extends the recovery mode modprobe sepolicy
to support loadable kernel module in normal mode by using
statement below in init.rc:

exec u:r:modprobe:s0 -- /system/bin/modprobe \
    -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish  with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d949)

The concept of VNDK-stable set is gone because they no longer need to be
stable across several Android releases. Instead, they are just small set
of system libraries (other than Low-Level NDK) that can be used by
same-process HALs. They need to be stable only during an Android release
as other VNDK libraries. However, since they are eligible for double
loading, we still need to distinguish those libs from other VNDK
libraries. So we give them a name vndk-sp, which means VNDK designed for
same-process HALs.

Bug: 37139956
Test: booting successful with vndk-sp libs in /vendor/lib(64)?/vndk-sp
Change-Id: I892c4514deb3c6c8006e3659bed1ad3363420732

http://ag/2070347 doesn't allow zygote to read vendor_overlay_file:file
anymore.
But zygote isn't transitioned into idmap when executing idmap_exec. So
we need to allow zygote to access dir/file under /vendor/overlay to
enable idmap_exec run by zygote to read static RRO.

Test: building succeeded and tested a static RRO on sailfish device.
Bug: 37173452
Change-Id: Iec8a6b31d24c225f7819eeb885305f78da73b8e0

We should give appdomain the access to the /vendor/framework directory
since the jar in the directory is not dexopt-ed.AFAIK, jars which are
not in the bootclasspath are not dexopt-ed by default.

Bug: b/37129319
Test: built and confirmed that embms.apk not crashed

Change-Id: Ic2b1eef472f2fba53e26403dde8ad9ede8105a03