Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
uneffected by this change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4

When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3

* changes:
  Revert "Move thermal service into system_server"
  Revert "Expose thermal service to all apps"

This reverts commit 461d91fe.

Reason for revert: breaks git_pi-dev-plus-aosp

Change-Id: I8a42dc040a112f0774f31486a8da2a26e1e68a30

This reverts commit 52611966.

Reason for revert: breaks git_pi-dev-plus-aosp

Change-Id: Iddddb77e2d567002aed3844360284c4aeac4088d

* changes:
  Expose thermal service to all apps
  Move thermal service into system_server

Bug: 116754732
Test: Started a trace in Traceur using Perfetto successfully.

Change-Id: I217857bf1f43f1b7b24454687d1f26b9d5c6c56a

Thermal API has been added to PowerManager and this CL is to grant
IThermal access to app.

Bug: 119613338
Test: PowerManager CTS test
Change-Id: I977530a9a5490bdc53af1548788b885e7c649f01

Bug: 118510237
Test: Boot and test callback on ThermalHAL 1.1 and ThermalHAL 2.0

(cherry picked from commit 75cc6bf2)

Change-Id: Iafb376e61dc579c3bfd173ac34a4d525b83d8e5c

Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP.

Bug: 111185513
Bug: 120551881
Test: make
Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0

These selinux policy rules were added for bufferhub to run a binder
service. But later we decided to use a hwbinder service instead, and the
original binder service was removed in git/master. Now we can safely
remove these rules.

Test: Build passed. Device boot successfully without selinux denial.
Bug: 118891412
Change-Id: I349b5f0f2fa8fb6a7cfe7869d936791355c20753

Currently all NN services include this, so making it a default will
reduce NN service configuration.

Change-Id: I18531e57a7069076a208aefac4a545ba6c4379b0
Fixes: 120283437
Test: mma
Test: NeuralNetworksTest_static
Test: VtsHalNeuralnetworksV1_*TargetTest

Add a DeviceConfig service in system_server to edit configuration flags.
This is intended to be a command line tool for local overrides and/or
tool for tests that adopt shell permissions.

Test: None
Bug:109919982
Bug:113101834
Change-Id: Ib7bed752849b1ed102747e3202dd7aed48d2c6d5

I572ea22253e0c1e42065fbd1d2fd7845de06fceb introduced a whitelist, so
everything under tracing/ is assumed to be debugfs_tracing_debug
unless explicitly marked as debugfs_tracing.

Test: Device boots, labels under /sys/kernel/debug/tracing are unchanged.
Change-Id: Id0f0cbcc9e5540551bd2906fbf75f8e939dc4d4c

Allow traced_probes to read /sys/kernel/debug/tracing
directories in userdebug mode. We read the directory when enabling
events with the wild card syntax: "oom/*" which attmpts to read the
directory /sys/kernel/debug/tracing/events/oom to work out what oom
events exist.

Denial:
  avc: denied { read } for name="oom" dev="tracefs" ino=11353
  scontext=u:r:traced_probes:s0
  tcontext=u:object_r:debugfs_tracing_debug:s0 tclass=dir
  permissive=0

Bug: 119662403
Test: perfetto -t 10s 'oom/*' -o /data/misc/perfetto-traces/trace
Change-Id: I2cb171c3c5292d2eb55e71376f965b924a563572

Code in bionic / libcore will now look in the runtime
APEX module for data files.

Bug: 119293618
Bug: 119390260
Test: build / treehugger only
Change-Id: I965c763e7f0452b8ef5ffbf730733e9a41254beb

All these modules are being unconditionally added to
LOCAL_REQUIRED_MODULES a few lines down.

Test: make
Change-Id: I474c5d41e1a6dd34fd2c2f2d10299048df4c2b70

After b/28357356 /dev/alarm is no longer used by android platform.
Also, Pixel devices don't have /dev/alarm.

Bug: 110962171
Test: boot aosp_walleye
Change-Id: Id9723996104a2548ddf366489890c098d1ea87be

Add sepolicy rule to support audio system property
audio.offload.min.duration.secs

Bug: 120123518
Change-Id: Ie027eb9ef102caca13adb1924db3be11d02b25c7

This prevents denials while taking a bugreport.

Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t
android.security.cts.SELinuxHostTest#testNoBugreportDenials

Change-Id: I5414141a1557d71e3ac0cf5bc89529685e9069c3

Merge pie-platform-release (PPRL.181105.017, history only) into master

Bug: 118454372
Change-Id: I44d2461c1d8845d453fe587a77c2c06f9e1da2eb

Allow wifi HAL to use SIOCETHTOOL. This permission is needed to get
factory MAC address of the device.

Bug: 111634904
Test: Manual check that the device can get factory MAC address
Change-Id: I50e91ef7390ad4fba6e014990ee23feb777c4391

An incident.proto section has been added to the bugreport. Need
appropriate sepolicy changes to allow binder calls and fd access.

Bug: 119417232
Test: adb bugreport. Verify incident.proto is in the proto folder,
      and there are no sepolicy violations.

Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e