The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Change-Id: I9c948b58a969d35d5a5add4b6ab62b8f990645d1

In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e

In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Change-Id: I864743943c11c18de386010ecd4b616721cb9954

Bug: 72809699
Test: build
Change-Id: Ifb66ad13557af7d2dc6d3ef823e326a5fba51b24

Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34

And grant explicit exemption from system_executes_vendor_violators
neverallow rules.

This does not change the policy, but is needed to test the violator
attribute for emptiness.

Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791

This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb

Instead of getting these permissions, it is better to add the process
to a group or change the permissions of the files it tries to access.

Test: Built the policy for many devices.
Change-Id: If023d98bcc479bebbedeedf525965ffb17a0e331

Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd45479)

vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6

This neverallow exception is not needed.

Bug: 62875318
Test: build walleye, bullhead
Change-Id: Ide37ef9fe7a0e1cc4a1809589f78052007698cf5

vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6

Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a

shipping API version:

For devices shipped before Android P nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...

Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.

Support for /data/vendor_de and /data/vendor_ce has been added to vold.

Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually

This is an experimental feature only on userdebug and eng build.

Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474

These property sets will be long term restricted with
compatible_property but allowing them now eases the transition.

Bug: 62875318
Test: boot marlin without audits for setprop in vendor_init
Change-Id: I25ab565bbf137e382c1dfc3b905b38403645f1d2

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.
Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f

Bug: 62041836
Test: policies for internal devices build successfully

Change-Id: I6856c0ab9975210efd5b4bed17c103ba3364d1ab

Duplicate property names are supported now for prefix and exact
matching.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: Ifd9d32eaece7370d69f121e88d5541f7a2e34458

Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6

This reverts commit 07dd2c9e.

Reason for revert: albacore build broken

Change-Id: I551b1d8c008f01fb815e42b59d397feb9672b8e6

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e

Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405

This fixes an incorrect exception in the neverallow rule.

Test: Built policy for all lunch targets.
Change-Id: I283833131c6f1fd741e934de24c838594ac38a18

This reverts commit b40eb255.

Change-Id: I04d9e76152ed11ada4cabcc79bb4eec827f8abef

After offline discussions, we decided that this was the proper
exception to the neverallow rule.

Test: Built policy.

Change-Id: Ic1603bfdd803151ccfb79f90195b83b616acc873

This reverts commit 84f96859.

Fixes: 70874565
Reason for revert: massive logspam during phone calls.

Change-Id: If00e46535f71209eea999e4d5d499bf40a5f16fd

Test: Built the policy for many devices.
Change-Id: Ic61023dc2d597865504d1a4bc955bd1bc973f83c

Many processes including third party apps are expected to
access /proc/net/xt_qtaguid/stats. Give this file a new label
to avoid spamming the logs and temporarily grant read access to
all processes.

Read-only permission is adequate for all processes based on unix
permissions.
sailfish:/ # ls -laZ /proc/net/xt_qtaguid/stats
-r--r--r--  1 root net_bw_stats u:object_r:proc_net_xt_qtaguid_stats:s0 stats

Bug: 9496886
Bug: 68016944
Bug: 70722355
Test: Build/flash Sailfish. Browse in Chrome and watch videos in youtube.
    No "denied" or "granted" selinux messages observed in the logs.

Change-Id: I29f1ee806c8149988b9b93a950790d14754927ef

Allow init to create a serialized property_info file and allow all
processes to read it.

Bug: 36001741
Test: boot bullhead, walleye using property_info

Change-Id: Ie51d4c0f0221b128dd087029c811fda15b4d7093

Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed
many permissions from recovery, a few of which are still required.
Restore these.

[ 2918.409108] type=1400 audit(2327427.540:159): avc:  denied
{ search } for  pid=339 comm="recovery" name="/" dev="mmcblk0p38"
ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
[ 2586.563071] E:Failed to mount / create /cache/recovery: Permission
denied
[ 2586.780320] E:Can't open /cache/recovery/log: Permission denied
[ 2586.850399] E:Can't open /cache/recovery/last_log: Permission
denied
[ 2586.918979] E:Can't open /cache/recovery/last_install: Permission
denied

[   54.035867] type=1400 audit(59206654.526:12): avc:  denied  { chown }
for  pid=330 comm="recovery" capability=0  scontext=u:r:recovery:s0
tcontext=u:r:recovery:s0 tclass=capability permissive=0a

Bug: 70350029
Test: xunchang to test
Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197

Follow along with updates in the selinux policy.

Test: m
Test: manual
Change-Id: I0dfc6af8fbfc9c8b6860490ab16f02a220d41915

Remove a number of SELinux rules which were required to support file
based OTA. After this, we can have a much stronger assertion that files
on /system are immutable. Tighten up the neverallow rules at the same
time.

Bug: 35853185
Bug: 15575013
Bug: 69664758
Test: adb reboot recovery && adb sideload [file]
Change-Id: I22aa208859b8478a2a90e1ed1c0f0d6b62a6664e

Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.

Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
    and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye

(cherry picked from commit ba2130a8)

Change-Id: Iaedbbe31237822cf3348209028bba45ad85465f8

Self sideload OTA installation is aborted in #PPR1.171122.001.
Likely cause is the removal of the file-based OTA rules. Revert
the change while I investigate.

This reverts commit 73885755.

Bug: 35853185
Bug: 69664758
Bug: 15575013

Change-Id: I65ca3bad7251f06df33eae8b2d4bcfada93ae9b8

This reverts commit ba2130a8.

Test: lunch elfin-userdebug && m -j
Change-Id: I83e8a37cac97e2f994fd2defb94888ec73b41f3b

Commit 7688161c "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc

Remove a number of SELinux rules which were required to support file
based OTA. After this, we can have a much stronger assertion that files
on /system are immutable. Tighten up the neverallow rules at the same
time.

Bug: 35853185
Bug: 15575013
Test: adb reboot recovery && adb sideload [file]
Change-Id: I4238d17808bed6a81f47e14eb1797496c07642e2

This reverts commit ed876a5e.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4