Remove the exemptions for untrusted apps and broaden the neverallow so
they can't be reinstated. Modifying executable pages is unsafe. Text
relocations are not supported.

Bug: 111544476
Test: Builds.
Change-Id: Ibff4f34d916e000203e38574bb063513e4428bb7

avc:  denied  { sys_module } for comm="ueventd" capability=16 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=capability
avc:  denied  { module_load } for  pid=581 comm="ueventd" path="/vendor/lib/modules/module.ko" dev="dm-2" ino=1381 scontext=u:r:ueventd:s0 tcontext=u:object_r:vendor_file:s0 tclass=system
avc:  denied  { search } for  pid=556 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:kernel:s0 tclass=key

Bug: 111916071
Test: ueventd can insert modules
Change-Id: I2906495796c3655b5add19af8cf64458f753b891

Bug: 111883560
Test: fsck runs successfully during early mount
Change-Id: I697d0ab8ba51824d5c5062b48370a73438311566

vendor_init needs to touch a bunch of files. Forgotten within this set
of permissions is the ability to mmap files.

Addresses the following denial:

  avc:  denied  { map } for  pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

While I'm here, add mmap() support to other areas where it's likely
needed.

Bug: 111742629
Test: make -j80, ran emulator
Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75

The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.

Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d

Test: none
Change-Id: I5023f3f3f9362d456f30c81ec67580509101e81e

vold will trim rw mount points about daily, but it is denied by SELinux:

root   603   603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied {
search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0
tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0

Allowing vold to search /mnt/vendor/* to fix the denials.

Note that device-specific sepolicy needs to be extended to allow vold
to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs:

    allow vold persist_file:dir { ioctl open read };

Bug: 111409607
Test: boot a device, checks the above denial is gone
Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad

Fixes -Wzero-as-null-pointer-constant warning.

Test: m
Bug: 68236239
Change-Id: Ib3f0a25a5129c34d94ebebff818feb5e6fd349dd

Bug: 80414790
Test: boots
Change-Id: I15233721fa138e0fdf1a30f66d52b64cbab18b81

Bug: 72458734
Test: Compile current system sepolicy with P vendor sepolicy
Test: Plug in a P device then do:
m selinux_policy
cp $OUT/system/etc/selinux/plat_sepolicy.cil  plat_sepolicy.cil
cp $ANDROID_BUILD_TOP/system/sepolicy/private/compat/28.0/28.0.cil 28.0.cil
adb pull /vendor/etc/selinux/plat_pub_versioned.cil
adb pull /vendor/etc/selinux/vendor_sepolicy.cil
secilc plat_sepolicy.cil -m -M true -G -N -c 30 28.0.cil \
plat_pub_versioned.cil vendor_sepolicy.cil
Change-Id: I399b3a204eb94bee0ba1b5024b1c3463219c678e

This is so we can get data on which apps are actually doing this.

Bug: 111544476
Test: Device boots. No audits seen on test device.
Change-Id: I5f72200ed8606775904d353c4d3d790373fe7dea

Steps taken to produce the mapping files:

1. Add prebuilts/api/28.0/[plat_pub_versioned.cil|vendor_sepolicy.cil]
from the /vendor/etc/selinux/[plat_pub_versioned.cil|vendor_sepolicy.cil]
files built on pi-dev with lunch target aosp_arm64-eng

2. Add new file private/compat/28.0/28.0.cil by doing the following:
- copy /system/etc/selinux/mapping/28.0.cil from pi-dev aosp_arm64-eng
device to private/compat/28.0/28.0.cil
- remove all attribute declaration statement (typeattribute ...) and
sort lines alphabetically
- some selinux types were added/renamed/deleted w.r.t 28 sepolicy.
Find all such types using treble_sepolicy_tests_28.0 test.
- for all these types figure out where to map them by looking at
27.0.[ignore.]cil files and add approprite entries to 28.0.[ignore.]cil.

This change also enables treble_sepolicy_tests_28.0 and install 28.0.cil
mapping onto the device.

Bug: 72458734
Test: m selinux_policy
Change-Id: I90e17c0b43af436da4b62c16179c198b5c74002c

Cut down on logspam during kernel_net_tests

Test: /data/nativetest64/kernel_net_tests/kernel_net_tests
Change-Id: Id19f50caebc09711f80b7d5f9d87be103898dd9a

Bug: n/a
Test: n/a
Change-Id: I11e6baaa45bcb01603fc06e8a16002727f4e5a00

Test: debuggerd -j `pidof system_server`
Change-Id: I6cca98b20ab5a135305b91cbb7c0fe7b57872bd3

Add selinux policy for the new Binder-based vr flinger vsync service.

Bug: 72890037

Test: - Manually confirmed that I can't bind to the new vsync service
from a normal Android application, and system processes (other than
vr_hwc) are prevented from connecting by selinux.

- Confirmed the CTS test
  android.security.cts.SELinuxHostTest#testAospServiceContexts, when
  built from the local source tree with this CL applied, passes.

- Confirmed the CTS test
  android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521,
  when built from the local source tree with this CL applied, passes.

Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06

* changes:
  vold: not allowed to read sysfs_batteryinfo
  full_treble: coredomain must not have access to sysfs_batteryinfo

It doesn't need to read batteryinfo to function properly.
Bug: 110891415
Test: builds and boots

Change-Id: I7f388180a25101bfd0c088291ef03a9bf8ba2b2c

... but should do it via health HAL and healthd.

Bug: 110891415
Test: builds
Change-Id: Ib124f82d31f1dfbe99a56475dba04a37f81bdca3

Add new sepolicy rules to support audio system properties

Bug: 110564278
Change-Id: If774a40b50e56f9e83bcb4ab8a84581dc03058ad

Create one _system and one _nonsystem target, which together contains
the same artifacts as before, just split by whether they go on the
system partition or not.

The product build hierarchy is being refactored to be split by
partition, so these targets facilitate inclusion of just the
system parts where necessary. Also keep the selinux_policy target
around for products that don't need the split.

Bug: 80410283
Test: for t in eng userdebug user; do lunch mainline_arm64-${t}; m nothing; done
Test: verified walleye /system and /vendor identical before and after, via:
Test: /google/data/rw/users/cc/ccross/bin/compare-target-files.sh P6259983 walleye-userdebug "SYSTEM/*" "VENDOR/*"
Test: only diffs are in build.prop files (timestamps and the like)

Change-Id: I0f5d8a1558a164ce5cfb7d521f34b431855ac260

Bug: 110900684
Change-Id: I9fd141e0d56d0135c563467b7ca2f08b6af6700b`

Export /proc/sys/kernel/perf_cpu_time_max_percent and
/proc/sys/kernel/perf_event_mlock_kb in proc_perf. So
they can be read in shell and written by init.

This is needed by simpleperf to control cpu percent and
memory used for profiling.

Bug: 110706031
Test: build and boot hikey960 successfully.

Change-Id: I2a01f583508003ab73427bab30a7982a27dfa677

This should be supplement for the change here:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/708638



When test the cts libcore.libcore.io.OsTest#test_socketPing test case, it will fail
with avc denial message like following:

[ 1906.617027] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617189] type=1400 audit(1530527518.195:10496): avc: denied { read write } for comm="netd" path="socket:[32066]" dev="sockfs" ino=32066 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617206] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617313] type=1400 audit(1530527518.195:10497): avc: denied { getopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1906.617330] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1
[ 1907.832425] type=1400 audit(1530527518.195:10498): avc: denied { setopt } for comm="netd" lport=2 scontext=u:r:netd:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=icmp_socket permissive=1

Test: run cts -m CtsLibcoreTestCases -t libcore.libcore.io.OsTest#test_socketPing

Change-Id: If41cb804292834b8994333f170d1f7f837bcd7df
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>

Test: adb logcat | grep "Wrong interface type."

Bug: 77924251
Change-Id: Idf9d7ae6db0d41bb0c2f94b2183bfe23f0c21155

This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861