am: 3d8dde0e

Change-Id: I19cb50ee62d217f025bb7fcf535257dac3b3610e

Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.

Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.

Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Bug: 38496951
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
(cherry picked from commit 44866954)

am: 87a56541

Change-Id: I56c57b4a2e2ef71dd2eceb58a78c4e7e7628da00

/data/bugreports is moving to /bugreports

Bug: 27262109
Bug: 27204904
Bug: 32799236
Test: new symlink is in /bugreports and is labeled correctly

(cherry picked from commit d314376d)

Change-Id: Ia9aca3ff642b2171e9b0ece7c2b420a0d38006cc

am: c6c8da37

Change-Id: I2dcb374609183a4460891c936757319d91064682

am: adf210d6

Change-Id: I0386db7e81ed5e6a6c032adb1173163f45ad726e

Change-Id: Ia938d73b1a49b9ba4acf906df37095d21edee22e

am: c6effa90

Change-Id: Id257877621b9375bca7d32e68d90c7a5c2a91f5d

Allow bootanim process to access audioserver service.

Bug: 31651778
Change-Id: I5bec8812877792b1df3b37dddc5ccea3b243f5c4

am: a60342b7

Change-Id: I2d7c99660b6bb9b45922f1203cb1eafe90659238

bug: 30963384

(cherry picked from commit 63203a01)

Change-Id: Ifa4b9a645f8edcf51e3f025316106e5b65a4790d

am: 7e380216

Change-Id: I827a8b38264906bd06a8fefb9c3a8209dbc1035f

Bluetooth is sometimes started from init.

Addresses the following compiler error:

  libsepol.report_failure: neverallow on line 489 of
  system/sepolicy/domain.te (or line 9149 of policy.conf) violated by
  allow init bluetooth:process { transition };
  libsepol.check_assertions: 1 neverallow failures occurred
  Error while expanding policy

Change-Id: I2bc1e15217892e1ba2a62c9683af0f3c0aa16b86

am: c55cf17a

Change-Id: I48f8bbfab4cdd36e6f1555919ff5d032c07af0a2

am: eedacf83

Change-Id: I4b23d564c6a4787180fea2c1530cc78808cbd0d0

Apparently some manufacturers sign APKs with the platform key
which use renderscript. Renderscript works by compiling the
.so file, and placing it in the app's home directory, where the
app loads the content.

Drop platform_app from the neverallow restriction to allow partners
to add rules allowing /data execute for this class of apps.

We should revisit this in the future after we have a better
solution for apps which use renderscript.

Bug: 29857189
Change-Id: I058a802ad5eb2a67e657b6d759a3ef4e21cbb8cc

Previously appdomains allowed to execute off of /data
where whitelisted. This had the unfortunate side effect of
disallowing the creation of device specific app domains
with fewer permissions than untrusted_app. Instead grant
all apps a neverallow exemption and blacklist specific app
domains that should still abide by the restriction.

This allows devices to add new app domains that need
/data execute permission without conflicting with this rule.

Bug: 26906711

(cherry picked from commit c5266df9)

Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924

Allow the otapreopt rename script to read file attributes. This is
being used to print the aggregate artifact size for diagnostic
purposes.

Bug: 30832951
Change-Id: Iee410adf59dcbb74fa4b49edb27d028025cd8bf9

The recovery flow for A/B devices allows to sideload an OTA downloaded
to a desktop and apply from recovery. This patch allows the "recovery"
context to perform all the operations required to apply an update as
update_engine would do in the background. These rules are now extracted
into a new attributte called update_engine_common shared between
recovery and update_engine.

Bug: 27178350

(cherry picked from commit d63084d3)

Change-Id: I1f3e1e83a21e37e09b69cd9c497f87b42b9cbeb1

am: 320a0f54

Change-Id: I6aec72f8175839f4fefeb50f86fedc4202c776b8

Change-Id: Ia938d73b1a49b9ba4acf906df37095d21edee22e

avc: denied { read } for comm="generic" path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35" ino=1114120 scontext=u:r:drmserver:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file

Change-Id: I40992733d779743be92c15a094d166a3df64a10f
Fixes: 30167454

(cherry picked from commit d743ddea)

avc: denied { search } for comm=73657276696365203139 name="app" dev="sda35" ino=770049 scontext=u:r:adbd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0

Bug: 30000600
Change-Id: I86958ebcca815ee1779f85fb425592493f40101a

Addresses the following denial:
     avc: denied { setsched } for pid=1405 comm="Binder:1094_3" scontext=u:r:system_server:s0 tcontext=u:r:bootanim:s0 tclass=process permissive=0

Maybe fix bug 30118894.

Bug: 30118894
Change-Id: I29be26c68094c253778edc8e4fef2ef1a238ee2e

Needed for legacy VPN access.

Note that ioctl whitelisting only uses the type and command fields
of the ioctl so only the last two bytes are necessary, thus 0x40047438
and 0x7438 are treated the same.

Bug: 30154346
Change-Id: I45bdc77ab666e05707729a114d933900655ba48b

For Retail Demo mode, we need to preload photos in
/data/preloads and allow regular apps to access the
photos returned by the media provider from the preloads
directory.

Bug: 29940807
Change-Id: Ic1061dac55ace1b125ae04b5b0c70aae9aa0c732

am: 479712b0

Change-Id: I926aa0ab56d0758e66a7fa9d01a8be70937baa67

(cherry-pick from commit 68d67a0f)

shell, system_app and logd access granted on debug builds only

Add logd.logpersistd as well

Bug: 28936216
Bug: 28788401
Change-Id: Ib9648e8565cc0ea0077cf0950b0e4ac6fe0a3135

avc:  denied  { find } for service=drm.drmManager pid=4320 uid=1027 scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

Arrange in alphabetical order.

Bug: 30112127
Change-Id: I6592497a937c6a6d2c7c3d444beba3db333f4852
(cherry picked from commit 24ad5862)