- Apr 07, 2017
-
-
Sandeep Patil authored
am: 86123070 Change-Id: I92cf85d8c6cd05bd76ab9745546ac8051535d2ca
-
TreeHugger Robot authored
-
Sandeep Patil authored
am: 72126e1b Change-Id: I58972c23929e81f27d28eff0dd66f21240311b7e
-
Sandeep Patil authored
-
Sandeep Patil authored
The sepolicy version takes SDK_INT.<minor> format. Make sure our 'current' policy version reflects the format and make it '100000.0'. This ensures any vendor.img compiled with this will never work with a production framework image either. Make version_policy replace the '.' in version by '_' so secilc is happy too. This unblocks libvintf from giving out a runtime API to check vendor's sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish. Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>
Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
-
Alex Klyubin authored
am: df720941 Change-Id: I4590b07ef09247aaf632a09f3247c2314d2a1a63
-
Alex Klyubin authored
-
Alex Klyubin authored
CTS includes general_sepolicy.conf built from this project. CTS then tests this file's neverallow rules against the policy of the device under test. Prior to this commit, neverallow rules which must be enforced only for Treble devices were not included into general_sepolicy.conf. As a result, these rules were not enforced for Treble devices.

This commit fixes the issue as follows. Because CTS includes only one policy, the policy now contains also the rules which are only for Treble devices. To enable CTS to distinguish rules needed for all devices from rules needed only on Treble devices, the latter rules are contained in sections delimited with BEGIN_TREBLE_ONLY and END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This target is not used anywhere and is causing trouble because it is verifying neverallows of the policy meant to be used by CTS. This policy can no longer be verified with checkpolicy without conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf
-
Jaesoo Lee authored
am: b9bd6708 Change-Id: Ie76de5da8e9a370e2f744d158ead93bbc1d0a508
-
TreeHugger Robot authored
-
Tianjie Xu authored
am: 82696dd1 Change-Id: Ib04932a421523eb50c2e40bf24000ae58ac7a535
-
Tianjie Xu authored
am: 8ee64187 Change-Id: I6c035c3e696531297ff8a3c09045acf6d2c98cd0
-
Tianjie Xu authored
am: 462cf398 Change-Id: I12d310b90e6863a56c1fc269ce237e93864d88f8
-
Tianjie Xu authored
-
Martijn Coenen authored
am: ee97662f Change-Id: I6e2eba3f0081494508b015f6bd785085638f1cee
-
Martijn Coenen authored
darwin's getopt() doesn't like putting arguments in the wrong order.

Test: Mac/Linux builds
Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5
-
Martijn Coenen authored
am: f497d0b7 Change-Id: I8b75d668cbc30b81731aed7421327a3f2f4b19a8
-
Jaesoo Lee authored
We should give appdomain the access to the /vendor/framework directory since the jar in the directory is not dexopt-ed. AFAIK, jars which are not in the bootclasspath are not dexopt-ed by default.

Bug: b/37129319
Test: built and confirmed that embms.apk did not crash
Change-Id: Ic2b1eef472f2fba53e26403dde8ad9ede8105a03
-
TreeHugger Robot authored
* changes:
  Allow 'su' domain access to vndbinder.
  Modify checkfc to check (vnd|hw)service_manager_type.
-
Dan Cashman authored
am: 77154b39 Change-Id: Ia6c653fcab261084d6dcbb3d3ec8e3311fdf4fca
-
Dan Cashman authored
am: 84b3879a Change-Id: I64c0a4e8ae9978fe8b809e21ae8b3e9b0b3feb98
-
Dan Cashman authored
am: 04ef57bf Change-Id: I906f85514efb4301ac0bafaf140deba7be76cdee
-
Jiyong Park authored
Vndk-stable libs are system libs that are used by same process HALs. Since same process HALs can be loaded to any process, so are vndk-stable libs.

Bug: 37138502
Test: none, because the directory is currently empty and thus this is no-op. sailfish builds and boots.
Change-Id: I67a2c8c2e4c3517aa30b4a97dc80dc2800e47b5a
-
Martijn Coenen authored
For example, for listing vndbinder services using 'adb shell service -v list'

Test: adb shell service -v list
Bug: 36987120
Change-Id: Ibf3050710720ae4c920bc4807c9a90ba43717f3b
-
Martijn Coenen authored
Added checkfc options 'l' and 'v' to verify hwservice_manager_type and vndservice_manager_type on service context files, respectively. The checkfc call to verify the new hwservice_contexts files will be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783
-
- Apr 06, 2017
-
-
Sandeep Patil authored
am: 42424f13 Change-Id: Id9375a6dc3688408e306bdc051fec4d8754d07eb
-
TreeHugger Robot authored
-
Sandeep Patil authored
am: ed3458c2 Change-Id: I47746d594572760d25b569fb877351c4f1ea1628
-
Sandeep Patil authored
am: f79d1904 Change-Id: I7bda1cd1af603adc5fbf142c66bdf5b6b146ad7f
-
Sandeep Patil authored
am: df679fdb Change-Id: I4f0d343f42d8bc5c97b2a7c129c63c8e7c50cd3d
-
Sandeep Patil authored
am: 9075699a Change-Id: If3e3e246b7ef5ed0142bc7b180d4d7cfb559ea03
-
Sandeep Patil authored
am: 1b5f81a2 Change-Id: Ic9e87837f68ac31cfedd735bd20a44cdf029c79e
-
TreeHugger Robot authored
* changes:
  sepolicy: fix comments around 'domain' access to search in /vendor
  sepolicy: remove redundant rule for symlinks in /vendor/app
  sepolicy: restrict access for /vendor/framework.
  sepolicy: restrict /vendor/overlay from most coredomains
  sepolicy: restrict /vendor/app from most coredomains
-
Dan Cashman authored
This is a necessary first step to finalizing the SELinux policy build process. The mapping_sepolicy.cil file is required to provide backward compatibility with the indicated vendor-targeted version. This still needs to be extended to provide N mapping files and corresponding SHA256 outputs, one for each of the N previous platform versions with which we're backward-compatible.

(cherry-pick of commit: 0e9c47c0)

Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that device boots and uses either precompiled or compiled policy as needed. Also verify that mapping_sepolicy.cil has moved.
Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
-
Dan Cashman authored
am: 38416182 Change-Id: I9e08b187ccad4f4263de54aae1248b1691aa7d08
-
TreeHugger Robot authored
-
Sandeep Patil authored
Some of the same process HAL labeling was missing from Marlin. These are identified by tracking library dependencies.

Bug: 37084733
Test: Build and boot sailfish. The change allows the labelled libraries to be opened by any domain. So, the boot test is sufficient.
Change-Id: Id55e834d6863ca644f912efdd690fccb71d3eaf3
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Martijn Coenen authored
am: 133a9c41 Change-Id: I2991bcea9893c2b9cd2b320e4ef1b071126f133e
-
Sandeep Patil authored
All accesses to /vendor/app within platform include permissions to read symlinks in the location. This rule is redundant now.

Bug: 36806861
Test: Boot sailfish and find no denials for 'vendor_app_file'
Change-Id: Ic17a67521cff6717d83b78bb4ad8e21e772f6d4f
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
/vendor/framework is now the designated location for vendor's platform libraries. The directory is thus only made available for 'dex2oat' coredomain.

Bug: 36680116
Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for 'vendor_framework_file'
Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa
Signed-off-by: Sandeep Patil <sspatil@google.com>
-