Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
(cherry picked from commit 224921d1)

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5

am: 8966b8e5

Bug: 74435522
Test: traceur can share to betterbug
Change-Id: Ic24196b6a4050696d92f18a6879c569ccf5eaec7
(cherry picked from commit f66fd522)

avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
Merged-In: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
(cherry picked from commit 558cdf1e)

Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457

avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Only untrusted apps had privilegs to read file descriptors passed in
from traceur, which was an oversight. This fixes the policy so that priv
apps can also access file descriptors from traceur in order to read
reports shared from traceur.

Bug: 74435522
Test: better bug has access to reports shared from traceur
Change-Id: I591872cdac31eec62edbc81d95f1220f1152427f

Bug: 72668919
Test: build
Change-Id: Id156b40a572dc0dbfae4500865400939985949d9

Bug: 65643247
Test: walleye boots with no denials from priv_app.

Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63

system_update service manages system update information: system updater
(priv_app) publishes the pending system update info through the service,
while other apps can read the info accordingly (design doc in
go/pi-ota-platform-api).

This CL adds the service type, and grants priv_app to access the service.

Bug: 67437079
Test: Build and flash marlin image. The system_update service works.
Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375

avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:proc_version:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:wifi_prop:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:net_dns_prop:s0 tclass=file

Bug: 72151306
Test: build
Change-Id: I4b658ccd128746356f635ca7955385a89609eea1

This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31

Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405

communicate with statsd

Test: manual testing conducted
Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e

Bug: 63908748
Test: built, flashed, able to boot
Change-Id: I3cfead1d687112b5f8cd485c8f84083c566fbce2

Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.

Addresses:
avc:  denied  { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f

No sign of these denials getting cleaned up, so supress them in core
policy.

Test: build
Change-Id: I0320425cb72cbd15cef0762090899491338d4f7c

This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

(cherry-pick of 5637587d
which was in AOSP and internal master but not stage-aosp-master)

Bug: 62102757
Test: Builds and boots.
Change-Id: I0394907e808c737422e644aec452baa3e777cf6f

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

Bug: 62102757
Test: Builds and boots.

bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028

Clean up ~50 denials such as:
avc: denied { getattr } for comm="highpool[2]" path="/system/bin/bufferhubd" dev="dm-0" ino=1029 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:bufferhubd_exec:s0 tclass=file
avc: denied { getattr } for comm="highpool[3]" path="/system/bin/cppreopts.sh" dev="dm-0" ino=2166 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cppreopts_exec:s0 tclass=file
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/system/bin/fsck.f2fs" dev="dm-0" ino=1055 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:fsck_exec:s0 tclass=file

Bug: 62602225
Bug: 62485981
Test: build policy
Change-Id: I5fbc84fb6c97c325344ac95ffb09fb0cfcb90b95

This reverts commit c147b592.

The new domain changed neverallows, breaking CTS compatability.
Revert the domain now, with the intention to re-add for the next
release.

Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005

This reverts commit c00c07c1.

Change-Id: I0c4f5e8cece9c48672a5210adb7e8427e4fd427a

This reverts commit c147b592.

The new domain changed neverallows, breaking CTS compatability.
Revert the domain now, with the intention to re-add for the next
release.

Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005

Test: pass
Bug: 62073522
Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792

Bug: 37485771
Test: sideloaded OTA through recovery on sailfish

Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701
Signed-off-by: Sandeep Patil <sspatil@google.com>

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9

Bug: 36463595
Test: sailfish boots without new denials

Change-Id: I4271a293b91ab262dddd4d40220cd7daaff53bf2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit b2586825e1ce92d637754b4c40e4d5edfd50a1a6)

Test: trigger dumpsys storaged from GMScore
Bug: 37284569
Change-Id: Ie734ce5487a69f8cc29dd73d470229fe81cd1176

Only privileged apps are supposed to be able to get unique IDs from
attestation.

Test: CTS test verifies the negative condition, manual the positive
Bug: 34671471
Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578

Bug: 34766843
Test: gts-tradefed run gts -m GtsBootloaderServiceTestCases -t \
      com.google.android.bootloader.gts.BootloaderServiceTest
Change-Id: I8b939e0dbe8351a54f20c303921f606c3462c17d

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446

Also allow media.extractor to use media.cas for descrambling.

bug: 22804304

Change-Id: Id283b31badecb11011211a776ba9ff5167a9019d

Create an event_log_tags_file label and use it for
/dev/event-log-tags.  Only trusted system log readers are allowed
direct read access to this file, no write access.  Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e

reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42