This hwservice isn't registered with hwservicemanager but rather passed
to the thermal hal, so it doesn't need sepolicy associated with it to
do so.

Test: manual: boot, inspect logs
Test: VtsHalThermalV1_1TargetTest
Bug: 109802374
Change-Id: Ifb727572bf8eebddc58deba6c0ce513008e01861
Merged-In: Ifb727572bf8eebddc58deba6c0ce513008e01861

This reverts commit b5dc6137.

Reason for revert: Reverted incorrect change

Change-Id: Ieafa3338e28ffeed40bcceb73486cffbfbd08b9d

This reverts commit faebeaca.

Reason for revert: broke the build

Change-Id: I3d61ce011ad42c6ff0e9f122de3daa37e846407a

This change makes it such that only init can start adbd directly. It
also introduces new rules for ctl.{start,stop,restart} properties such
that only usbd and recovery (and su, since it's permissive) can directly
ask init to start adbd.

Bug: 64720460
Test: adbd still runs
Test: /data/nativetest64/adbd_test/adbd_test
Test: python system/core/adb/test_adb.py
Test: "USB debugging" in System Settings still start/stop adbd
Test: Recovery menu still make the device show as "recovery" in adb
      devices
Test: "Apply update from ADB" in recovery menu still works
Change-Id: Iafcda8aa44e85129afcc958036b472d856fa1192

This property is read by the audio service in system server to toggle
camera shutter sound enforcement on a device-specific basis.

Test: Camera shutter sound enforcement works when audio.camerasound.force is set
Bug: 110126976
Change-Id: I2720d3c699c4712d1a328f59dde0b16bbf1016f3

This adds a label for system properties that will affect system-wide
time / time detection logic.

The first example will be something like:
persist.time.detection_impl_version

Bug: 78217059
Test: build
Change-Id: I46044f1e28170760001da9acf2496a1e3037e48a

Add sepolicy entries for the new time zone detector service.

The timezonedetector_service will be called from the
telephony process.

Bug: 78217059
Test: make / booted device
Change-Id: Ib719a4bb444b2af7dd71910fb0bd12992df9d88c

init, dumpstate and shell

Test: check avc for init is now gone
Bug: 7232205
Bug: 109821005
Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5

This change removes references to the common time management
service.

Bug: 80462439
Test: build / boot
Merged-In: I2c8fca44fe05e3a35f5580d23e23a4c033075613
Change-Id: I2c8fca44fe05e3a35f5580d23e23a4c033075613

Bug: 80414790
Test: boots
Change-Id: I3d6bb4e7da9d697ec8ff7502880543be89aee349

This commit contains the changes needed to add the new
time detector system server service.

Bug: 78217059
Test: make / booted device
Change-Id: I7cfaac6cac876e4aa73e8af1aa5f837117bb9ad7

(breaks vendor blobs, will have to be regenerated
after this CL)

This moves mediacodec to vendor so it is replaced with
hal_omx_server. The main benefit of this is that someone
can create their own implementation of mediacodec without
having to alter the one in the tree. mediacodec is still
seccomp enforced by CTS tests.

Fixes: 36375899
Test: (sanity) YouTube
Test: (sanity) camera pics + video
Test: check for denials
Change-Id: I31f91b7ad6cd0a891a1681ff3b9af82ab400ce5e

Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
(cherry picked from commit 2208f96e)

shipping API version:

For devices shipped on O-MR1 nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...

Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.

Support for /data/vendor_de and /data/vendor_ce has been added to vold.

Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
(cherry picked from commit 6116daa7)

Introduce a standalone live-lock daemon (llkd), to catch kernel
or native user space deadlocks and take mitigating actions.

Test: llkd_unit_test
Bug: 33808187
Bug: 72838192
Change-Id: If869ecd06e5ce7b04bba1dafd0a77971b71aa517

Bug: 79228237
Test: audit2allow finds no relevant denials on boot
Merged-In: Ia80b77ba9a1ec2354127cd0ef68d50ebcf593fb0
Change-Id: Ia80b77ba9a1ec2354127cd0ef68d50ebcf593fb0

Bug: 70637118
Test: build, flash and boot automotive builds

Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef
Merged-In: I6db23258de30174d6db09d241e91b08aa5afedef
(cherry picked from commit 394dbe34)

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be28894)

Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 08731895)

* Note on cherry-pick: Some of the dependent changes are not in AOSP.
In order to keep hostapd running correctly in AOSP, I've modified this
change to only include policy additions.

Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947
Merged-In: Ibacfcc938deab40096b54b8d0e608d53ca91b947
(cherry picked from commit 5bca3e86)

com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Had to use precise property definition as com.android.phone accesses
test properties as well.

Test: compile
Bug: 78245377
Change-Id: I2cc810846f8615f2a2fae8e0d4f41de585b7abd7

This reverts commit 0ab13a8d.

Reason for revert: broken presubmit tests
https://sponge.corp.google.com/target?show=FAILED&sortBy=STATUS&id=83e847b2-8e30-4417-9b15-8e66af4b2bc3&target=DeviceBootTest

Change-Id: Id173c8e7fa28ba04070f507098f301f076e4aae7

com.android.server.power.PowerManagerServiceTest#testGetLastShutdownReasonInternal due to "RuntimeException: failed to set system property"

W/roidJUnitRunner: type=1400 audit(0.0:6): avc: denied { write } for name="property_service" dev="tmpfs" ino=13178 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
W/libc    : Unable to set property "test.sys.boot.reason" to "shutdown,thermal": connection failed; errno=13 (Permission denied)

Test: compile
Bug: 78245377
Change-Id: Id21436d281bab27823969a9f7e92318d70b5a2d6

Vendor public libs are exposed to apps (not system), and their ABI
stability is guaranteed by vendor. Introducing new selinux type so that
we don't conflate concepts of same-process HAL and vendor public lib.
The former is exposed to all domains, while the latter should only be
acessible by apps.

Bug: 76413554
Test: build-only change, policy builds
Change-Id: I89dad351374f46c7fe2726991eb4c05064c37ed5

Test: manual
Bug: 78318738
Change-Id: I45c3511860fbe6a1de45c6930052a8865b38986a

Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91

This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.

Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e

Create a new label for /data/system/dropbox, and neverallow direct
access to anything other than init and system_server.

While all apps may write to the dropbox service, only apps with
android.permission.READ_LOGS, a signature|privileged|development
permission, may read them. Grant access to priv_app, system_app,
and platform_app, and neverallow access to all untrusted_apps.

Bug: 31681871
Test: atest CtsStatsdHostTestCases
Test: atest DropBoxTest
Test: atest ErrorsTests
Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df

Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b)

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5

Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I1b772a3f7c96875765c75bfc1031f249411c3338
Merged-In: I1b772a3f7c96875765c75bfc1031f249411c3338
(cherry picked from commit 9fbd6520)

This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.

Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files

Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49

Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250

This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9)

A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4

This reverts commit 6f2040f8.

Reason for revert: not needed anymore after ag/3773705
This was meant to allow system_server toggling the property on/off.
Later we realized that we needed a separate property for that 
(see discussion in b/76077784) and system server happens to
have already permissions to write to sys.* properties even without
this CL.
Reverting because at this point this creates just unnecessary clutter.

Change-Id: Ia73d000aad3c4288a5652047dfe10896e231b0b1
Test: perfetto_integrationtests
Bug: 76077784

Follow up to aosp/635599. It broke user builds again
despite being tree hugged because of b/74344625.
Adding missing ignore entries.

Bug: b/73340039
Change-Id: Iba195d571aec9579195d79d4970f760e417608c6

Test: manual
Bug: 75318418
Change-Id: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7

To enable/disable the traced and traced_probes deamons remotely we would
like system server to be able to set persist.traced.enable.
See also ag/3736001.

Denial:
selinux: avc: denied { set } for
property=persist.traced.enable
pid=1606 uid=1000 gid=1000
scontext=u:r:system_server:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service
permissive=0\x0a

Run:
$ adb shell 'ps -A | grep traced'
Should see traced.
$ adb shell 'settings put global sys_traced 0'
$ adb shell 'ps -A | grep traced'
Should no longer see traced.

Test: See above.
Change-Id: I245b7df3853cabeb0e75db41fb4facaa178ab8f1