Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd

This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31

Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.

Addresses:
avc:  denied  { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f

Allow PowerUI / platform_app to use thermalservice for receiving
notifications of thermal events.

Bug: 66698613
Test: PowerNotificationWarningsTest, PowerUITest,
      manual: marlin and <redacted> with artificially low temperature
      threshold and logcat debugging messages
Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629
Merged-In: I5428bd5f99424f83ef72d981afaf769bdcd03629

Allow PowerUI / platform_app to use thermalservice for receiving
notifications of thermal events.

Bug: 66698613
Test: PowerNotificationWarningsTest, PowerUITest,
      manual: taimen with artificially low temperature threshold and
      logcat debugging messages
Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a

long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
(cherry picked from commit b8d14dc9a6b1593c4ad5210f3079bcac3a9aea33)

Remove "granted" logspam. Grante the observed permissions to the
individual processes that need them and remove the permission from
domain_deprecated.

avc: granted { read open } for comm="ndroid.settings"
path="/proc/version" dev="proc" ino=4026532081
scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { getattr } for comm=4173796E635461736B202332
path="/proc/pagetypeinfo" dev="proc" ino=4026532129
scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: granted { read open } for comm="uncrypt" path="/proc/cmdline"
dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0
tcontext=u:object_r:proc:s0 tclass=file

avc: granted { read open } for comm="update_engine"
path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829
scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: granted { read open } for comm="tiveportallogin"
path="/proc/vmstat" dev="proc" ino=4026532130
scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0
tclass=file

This change is specifically not granting the following since it
should not be allowed:
avc: granted { read open } for comm="crash_dump64"
path="/proc/filesystems" dev="proc" ino=4026532416
scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for comm="crash_dump64" name="filesystems"
dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { getattr } for comm="crash_dump64"
path="/proc/filesystems" dev="proc" ino=4026532416
scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 64032843
Bug: 28760354
Test: build
Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0

Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420
path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0"
ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665

This reinstates the selinux changes for the timezone service that
were reverted on oc-dr1-dev and undesirably merged down to master.

This reverts commit 96c619c8.

Test: make
Bug: 31008728
Change-Id: Ief2129c409de09b2782881a6556d918af59badd9

bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028

This reverts commit 50889ce0.

Bug: 62427402
Test: Build and boot.
Change-Id: I32eae7997c901981d3228b61f33322a7c2c84301

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446

Also allow media.extractor to use media.cas for descrambling.

bug: 22804304

Change-Id: Id283b31badecb11011211a776ba9ff5167a9019d

The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28

Create an event_log_tags_file label and use it for
/dev/event-log-tags.  Only trusted system log readers are allowed
direct read access to this file, no write access.  Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e

reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42

This leaves only the existence of platform_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da

Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea0)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665

In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split.  In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.

This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.

Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317