- Dec 11, 2018
Benjamin Schwartz authored
Also giving statsd permission to access it. This change copies the internal sepolicy to AOSP. Bug: 111185513 Bug: 120551881 Test: make Change-Id: I7e0386777e05580299caf9b97cb7804459f1a9d0
-
- Dec 07, 2018
Matt Pape authored
Add a DeviceConfig service in system_server to edit configuration flags. This is intended to be a command line tool for local overrides and/or tool for tests that adopt shell permissions. Test: None Bug: 109919982 Bug: 113101834 Change-Id: Ib7bed752849b1ed102747e3202dd7aed48d2c6d5
-
- Dec 06, 2018
Tri Vo authored
After b/28357356 /dev/alarm is no longer used by android platform. Also, Pixel devices don't have /dev/alarm. Bug: 110962171 Test: boot aosp_walleye Change-Id: Id9723996104a2548ddf366489890c098d1ea87be
-
Aalique Grahame authored
Add sepolicy rule to support audio system property audio.offload.min.duration.secs Bug: 120123518 Change-Id: Ie027eb9ef102caca13adb1924db3be11d02b25c7
-
- Dec 05, 2018
xshu authored
Allow wifi HAL to use SIOCETHTOOL. This permission is needed to get factory MAC address of the device. Bug: 111634904 Test: Manual check that the device can get factory MAC address Change-Id: I50e91ef7390ad4fba6e014990ee23feb777c4391
-
- Dec 04, 2018
Mike Ma authored
An incident.proto section has been added to the bugreport. Need appropriate sepolicy changes to allow binder calls and fd access. Bug: 119417232 Test: adb bugreport. Verify incident.proto is in the proto folder, and there are no sepolicy violations. Change-Id: Iac27cbf283a2e1cb41862c76343c2b639f6c0e1e
-
- Dec 03, 2018
Daniel Mentz authored
We are making a change to uevent_open_socket() in libcutils related to setting the receive buffer size of netlink uevent sockets. After setting SO_RCVBUF, we immediately read it back using getsockopt() to verify that the setsockopt() call was effective. Only if it was not effective, we call setsockopt() with SO_RCVBUFFORCE. getsockopt() previously caused SELinux denials like the following: avc: denied { getopt } for comm="usb@1.1-service" scontext=u:r:hal_usb_default:s0 tcontext=u:r:hal_usb_default:s0 tclass=netlink_kobject_uevent_socket permissive=0 Bug: 119933843 Change-Id: I7bbb1eb1fa7ade2c94afc52ab1e28762f86a7d1f
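The set-then-verify sequence the commit message describes, as an added example; this is not libcutils or AOSP code, and the function names (`rcvbuf_is_effective`, `set_rcvbuf_verified`, `demo_unix_rcvbuf`, `open_uevent_socket`) are this example's own. It assumes Linux semantics for SO_RCVBUF: the kernel stores and reports twice the requested value and silently caps the request at net.core.rmem_max, so the read-back is compared against 2x the request, and SO_RCVBUFFORCE is only attempted when that check fails. The AF_UNIX helper exists so the logic can be exercised without netlink access or CAP_NET_ADMIN.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netlink.h>
#endif

/* Returns 1 if the kernel honoured a previous SO_RCVBUF of buf_sz bytes,
 * 0 if it was silently clamped (e.g. by net.core.rmem_max), -1 on error.
 * This getsockopt() is the call that needed the { getopt } permission. */
int rcvbuf_is_effective(int fd, int buf_sz) {
    int readback = 0;
    socklen_t len = sizeof(readback);
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &readback, &len) < 0)
        return -1;
#ifdef __linux__
    /* Assumption stated in the lead-in: Linux reports twice the requested
     * value, so "effective" means readback >= 2 * buf_sz. */
    return readback >= 2 * buf_sz;
#else
    return readback >= buf_sz;
#endif
}

/* Sets SO_RCVBUF, verifies it, and only then escalates to SO_RCVBUFFORCE
 * (which needs CAP_NET_ADMIN and would otherwise produce an SELinux denial
 * for domains that lack net_admin). Returns 0 when buf_sz is in effect. */
int set_rcvbuf_verified(int fd, int buf_sz) {
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &buf_sz, sizeof(buf_sz)) < 0)
        return -1;
    int ok = rcvbuf_is_effective(fd, buf_sz);
    if (ok < 0) return -1;
    if (ok == 1) return 0;          /* common case: no privileged call needed */
#ifdef SO_RCVBUFFORCE
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &buf_sz, sizeof(buf_sz)) < 0)
        return -1;                  /* typically EPERM without CAP_NET_ADMIN */
    return rcvbuf_is_effective(fd, buf_sz) == 1 ? 0 : -1;
#else
    return -1;
#endif
}

/* Same sequence on an unprivileged AF_UNIX datagram pair, so the logic can be
 * checked anywhere. Returns set_rcvbuf_verified()'s result, -1 if no pair. */
int demo_unix_rcvbuf(int buf_sz) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    int rc = set_rcvbuf_verified(sv[0], buf_sz);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

#ifdef __linux__
/* Open a kobject uevent netlink socket the way a HAL or init would, using the
 * verified buffer-size logic above. Returns the fd or -1. */
int open_uevent_socket(int buf_sz) {
    int s = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_KOBJECT_UEVENT);
    if (s < 0) return -1;
    if (set_rcvbuf_verified(s, buf_sz) < 0) { close(s); return -1; }
    struct sockaddr_nl addr;
    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK;
    addr.nl_pid = (unsigned)getpid();
    addr.nl_groups = 0xffffffff;    /* subscribe to all uevent multicast groups */
    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) { close(s); return -1; }
    return s;
}
#endif

int main(void) {
    printf("8 KiB on AF_UNIX: %s\n",
           demo_unix_rcvbuf(8 * 1024) == 0 ? "effective" : "clamped/failed");
    /* 256 MiB exceeds the default rmem_max, so this takes the SO_RCVBUFFORCE
     * path; expect failure unless running with CAP_NET_ADMIN. */
    printf("256 MiB on AF_UNIX: %s\n",
           demo_unix_rcvbuf(256 * 1024 * 1024) == 0 ? "forced" : "clamped/failed");
#ifdef __linux__
    int s = open_uevent_socket(256 * 1024);
    printf("uevent socket: %s\n", s >= 0 ? "opened" : strerror(errno));
    if (s >= 0) close(s);
#endif
    return 0;
}
```

The point for policy authors is that the unprivileged path now needs `getopt` on the socket class in addition to `setopt`, while the `net_admin` capability (and the corresponding `SO_RCVBUFFORCE` denial) is only exercised when the first attempt was clamped.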
-
Neil Fuller authored
Adds the necessary incantations for the new service. Bug: 118242715 Bug: 119026403 Test: build / boot / adb shell dumpsys Change-Id: Ibb1a356067863316d70586a61ede9f5973c1ae15
-
- Dec 01, 2018
Paul Crowley authored
Never use popen, just execvp directly Test: Two tests - Ensure Marlin device boots and vold_prepare_subdirs is called successfully - Try adb shell sm set-virtual-disk true, see that eg sgdisk output is logged. Bug: 26735063 Bug: 113796163 Change-Id: Icb34140429db85098a0118a2b833772e3620e7ac
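Why a daemon that launches helpers such as sgdisk should avoid popen(), as an added example that is not vold's code: popen() hands the whole command line to `/bin/sh -c`, so any caller-influenced piece of it (a device node, a label) is parsed for shell metacharacters; pipe()/fork()/execvp() delivers argv to the program unchanged with no shell in the loop. The function names (`run_capture`, `run_via_popen`, the two `demo_*` checks) and the hostile argument string are constructed for this example; it assumes a POSIX system with `echo` on PATH and `/bin/sh` present.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read everything the child writes into out (NUL-terminated). Output beyond
 * outlen is discarded but still drained so the child never blocks on a full pipe. */
static void drain_pipe(int fd, char *out, size_t outlen) {
    size_t used = 0;
    char sink[256];
    if (outlen == 0) return;
    for (;;) {
        int have_room = used + 1 < outlen;
        char *dst = have_room ? out + used : sink;
        size_t room = have_room ? outlen - 1 - used : sizeof(sink);
        ssize_t n = read(fd, dst, room);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        if (have_room) used += (size_t)n;
    }
    out[used] = '\0';
}

/* Run argv[0] (PATH search, no shell) with argv and capture its stdout.
 * Returns the exit status, or -1 if the child could not be run or died abnormally. */
int run_capture(char *const argv[], char *out, size_t outlen) {
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        close(pfd[0]);
        if (dup2(pfd[1], STDOUT_FILENO) < 0) _exit(127);
        close(pfd[1]);
        execvp(argv[0], argv);   /* argv reaches the program exactly as given */
        _exit(127);              /* only reached if exec itself failed */
    }
    close(pfd[1]);
    drain_pipe(pfd[0], out, outlen);
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The same capture through popen(), kept only for contrast: the string goes
 * to /bin/sh -c, which parses it before anything runs. */
int run_via_popen(const char *cmdline, char *out, size_t outlen) {
    FILE *f = popen(cmdline, "r");
    if (!f || outlen == 0) return -1;
    size_t used = fread(out, 1, outlen - 1, f);
    out[used] = '\0';
    int status = pclose(f);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed for this example: a label a caller might supply. With a shell
 * in the loop the ';' turns it into a second command. */
static const char *const HOSTILE_ARG = "a; echo injected";

/* 1 if execvp passed the argument through untouched. */
int demo_execvp_preserves_arg(void) {
    char out[128];
    char *argv[] = { "echo", (char *)HOSTILE_ARG, NULL };
    return run_capture(argv, out, sizeof(out)) == 0
        && strcmp(out, "a; echo injected\n") == 0;
}

/* 1 if popen let the shell split the same text into two commands. */
int demo_popen_splits_arg(void) {
    char out[128];
    char cmd[160];
    snprintf(cmd, sizeof(cmd), "echo %s", HOSTILE_ARG);
    return run_via_popen(cmd, out, sizeof(out)) == 0
        && strcmp(out, "a\ninjected\n") == 0;
}

int main(void) {
    printf("execvp keeps the argument intact: %s\n", demo_execvp_preserves_arg() ? "yes" : "no");
    printf("popen lets the shell split it:    %s\n", demo_popen_splits_arg() ? "yes" : "no");
    return 0;
}
```

The SELinux side of the same change is that execvp() no longer requires the daemon's domain to be allowed to execute `shell_exec` at all, which is the kind of transition a neverallow can then lock out.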
-
- Nov 30, 2018
Kevin Chyn authored
This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause the same issue. Test: vold is able to create directories, ag/5534962 Bug: 116528212 Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
-
Dan Austin authored
This includes the SELinux policy changes to allow for kcov access in userdebug builds for coverage-guided kernel fuzzing. Bug: 117990869 Test: Ran syzkaller with Android untrusted_app sandbox with coverage. Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
-
- Nov 29, 2018
Tri Vo authored
According to go/sedenials (internal dogfooding), coredomain access to the following types is not exercised and can be removed: iio_device, radio_device, tee_device. Access to audio_device is still needed since some ALSA interfaces (/dev/snd/*) are directly used by system_server. Bug: 110962171 Test: m selinux_policy Change-Id: I740b99813e1f93136bfcaec087b74f0e03b259ad
-
Nick Kralevich authored
Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
-
- Nov 28, 2018
Florian Mayer authored
Bug: 117762471 Test: m Test: flash sailfish Test: profile all running processes with setenforce 1 Change-Id: I71d41d06d2a62190e33b7e3e425a1f7b8039196e
-
Yifan Hong authored
Test: bugreport Bug: 119809588 Change-Id: Ia688d68120daebc0a4feb51c4745535e1b371594
-
- Nov 27, 2018
Daniel Rosenberg authored
Remount is needed for committing checkpoints under f2fs. Test: vdc checkpoint commitChanges Bug: 111020314 Change-Id: If7d4ab641b59d3e942d9d8a72bd91be08680227b
-
Nick Kralevich authored
Hals have 3 attributes associated with them, the attribute itself, the _client attribute, and the _server attribute. Only the server attribute isn't expanded using the expandattribute keyword, and as a result, is the only attribute which can be used in neverallow rules. Fix neverallow rule to use hal_bootctl_server, which is not expanded, instead of hal_bootctl. Introduced in: https://android-review.googlesource.com/c/platform/system/sepolicy/+/777178 Test: policy compiles Bug: 119500144 Change-Id: I8cff9cc03f4c30704175afb203c68f237fbd61ca
-
- Nov 22, 2018
Neda Topoljanac authored
We introduced a new API to allow Device Owner to install an OTA file on disk. This in turn requires system_server to be able to copy the OTA file to a known OTA file location, call into update_engine to start the installation and let update_engine call back to the system_server to deliver any error conditions asynchronously. This CL modifies the SELinux policy to allow these interactions. Test: manual in TestDPC, CTS tests for negative cases: atest com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate Change-Id: Id1fbea9111f753c5c80f270c269ecb9ef141cd79 Bug: 111173669
-
Yifan Hong authored
In recovery, everything is labeled rootfs, including /system/bin/*. Allow postinstall to execute them in recovery. Test: sideload Bug: 116608795 Fixes: 119877813 Change-Id: I5682bdecd0df1cb9ff3bc968ea29449b0b8588f4
-
- Nov 21, 2018
Nick Kralevich authored
Commit ebc3a1a3 ("Move to ioctl whitelisting for plain files / directories", Oct 10th), enabled ioctl filtering on all files, including functionfs files. However, recovery performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so allow it. Addresses the following denial: audit: type=1400 audit(673009.476:507811): avc: denied { ioctl } for pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 Test: policy compiles. Bug: 119877813 Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962
-
- Nov 20, 2018
Hongyi Zhang authored
Grant rw_dir_perms of dir /data/server_configurable_flags to flags_health_check.te, in order to enable flags_health_check to record reset flags data as a file under this dir for later use. See function server_configurable_flags::ServerConfigurableFlagsReset for how the permission is used. Test: manual on device Change-Id: I1df7b8cadfbe279f26bf828e9e725ce170a376f7
-
- Nov 19, 2018
David Brazdil authored
Remove the permission to execute dex2oat from apps with targetSdkVersion > 28. This has been historically used by ART to compile secondary dex files but that functionality has been removed in Q and the permission is therefore not needed. Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for targetSdkVersion <= 28. Test: atest CtsSelinuxTargetSdk25TestCases Test: atest CtsSelinuxTargetSdk27TestCases Test: atest CtsSelinuxTargetSdkCurrentTestCases Bug: 117606664 Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
-
Nick Kralevich authored
This reverts commit 92bde4b9. Reason for revert: Rebooting after OTA fails due to the filesystem still seeing the old label on the device. Bug: 116528212 Bug: 119747564 Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c Test: rollback change
-
Dario Freni authored
This is used for querying the installed packages, as well as coordinating the installations of packages. Test: ran an app that queries PM, that queries apexd. Bug: 117589375 Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
-
Florian Mayer authored
This is world-readable so it can be checked in libc's process init. Test: m Test: flash sailfish Bug: 117821125 Change-Id: Iac7317ceb75b5ad9cfb9adabdf16929263fa8a9d
-
Haibo Huang authored
I added ro.bionic.(2nd_)?_(arch|cpu_variant) to vendor system properties. And have init write them to files under dev/. This change sets SELinux rules for these properties and files. For the system properties: vendor/default.prop will set them. init will read them. For the files /dev/cpu_variant:.*: init will write them. bionic libc will read them. (Basically world readable). This is to allow libc to select the right optimized routine at runtime. Like memcpy / strcmp etc. Test: getprop to make sure the properties are set. Test: ls -laZ to make sure /dev/cpu_variant:.* are correctly labeled. Change-Id: I41662493dce30eae6d41bf0985709045c44247d3
-
- Nov 17, 2018
Bruno Martins authored
* Account for all possible sdcard-related filesystem types and not only sdcardfs: public/file.te:108:type fuse, sdcard_type, fs_type, mlstrustedobject; public/file.te:109:type sdcardfs, sdcard_type, fs_type, mlstrustedobject; public/file.te:111:type vfat, sdcard_type, fs_type, mlstrustedobject; public/file.te:112:type exfat, sdcard_type, fs_type, mlstrustedobject; Change-Id: Ic508397bf4ca66a002ada33ac3f600c17b8a1a10
-
Jiyong Park authored
The dynamic linker calls realpath(3) on paths found in the linker config script. Since realpath() calls lstat() on the parent paths, not allowing getattr on /apex and its subdirectories will cause selinux denial spam whenever something is executed from APEXes. Silence the spam by allowing getattr on apex_mnt_dir. Bug: 117403679 Bug: 115787633 Test: m apex.test; m; device is bootable Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
-
Nick Kralevich authored
The auditallow added in commit 7a4af30b ("Start the process of locking down proc/net", May 04 2018), has not been triggered. This is safe to delete. Test: Policy compiles Test: no collected SELinux denials Bug: 68016944 Change-Id: Ib45519b91742d09e7b93bbaf972e558848691a80
-
Tri Vo authored
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be context mounted, i.e. it's not possible to mount them with a label other than "cgroup". Bug: 110962171 Test: m selinux_policy Test: boot aosp_walleye Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
-
Hongyi Zhang authored
device_config_flags_health_check_prop is used for enabling/disabling program flags_health_check which is executed during device booting. "1" means enabling health check actions in flags_health_check, other values mean flags_health_check will not perform any action. Test: build succeeded & manual test Change-Id: I93739dc5d155e057d72d08fd13097eb63c1193b5
-
- Nov 16, 2018
Robert Carr authored
Add an InputFlinger service in system_server and allow SurfaceFlinger to exchange sockets with it. Test: None Bug: 80101428 Bug: 113136004 Bug: 111440400 Change-Id: I1533ab7a1da0ca61d8a28037fffbc189d796f737
-
Nick Kralevich authored
Auditallow added in commit 72edbb3e ("Audit generic debugfs access for removal", May 01 2018) has not triggered. Remove allow rule and tighten up neverallow rule. Test: policy compiles Test: no collected SELinux denials. Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
-
Joel Galenson authored
This will be needed if vendors remove a label, as vendor_init would need to relabel from it (which would be unlabeled) to the new label. Test: Build policy. Change-Id: Ieea0fcd7379da26b2864b971f7773ed61f413bb9
-
Nick Kralevich authored
1b1d133b added the process2 class but forgot to suppress SELinux denials associated with these permissions for the su domain. Suppress them. Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule in su.te is relevant. Inspired by https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02 Add xdp_socket to various other neverallow rules. Test: policy compiles. Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
-
Nick Kralevich authored
Remove the special case that allowed init to relabel app_data_file and privapp_data_file. The auditallow added in ab82125f has never triggered. Bug: 80190017 Test: policy compiles Test: no SELinux denials collected for the auditallow rule Change-Id: Ide7c31e1a0628464ec2fcf041e8975087c39166d
-
Nick Kralevich authored
It is unnecessary to use get_prop() rules for the su domain. The su domain is always in permissive mode [1] and not subject to SELinux enforcement. It's also possible these rules were added to avoid SELinux denial log spam from showing up, however, there are already dontaudit rules in place [2] to prevent this. Delete the unnecessary rules. [1] https://android.googlesource.com/platform/system/sepolicy/+/96b62a60c2ccae777fdcabe7d2ed28b52056860b/private/su.te#19 [2] https://android.googlesource.com/platform/system/sepolicy/+/96b62a60c2ccae777fdcabe7d2ed28b52056860b/public/su.te#42 Test: policy compiles Change-Id: I5913f360738725bf915f0606d381029b9ba4318f
-
Kevin Chyn authored
Test: vold is able to create directories, ag/5534962 Bug: 116528212 Change-Id: I61dd8802c13b1c42d334a80b678ca6a877848fc2
-
- Nov 15, 2018
Tri Vo authored
kmem_device was used to label /dev/mem and /dev/kmem. We already have multiple layers of protection against those /dev nodes being present on devices. CTS checks that /dev/mem and /dev/kmem don't exist: https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233 VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and CONFIG_DEVMEM disabled: https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2 Bug: 110962171 Test: m selinux_policy Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
-
Nick Kralevich authored
Used by https://android.googlesource.com/platform/external/ipsec-tools/+/bf16586a33b1432a11526754523fceb62944dc1c/main.c#116 Addresses the following denial: audit(0.0:8126): avc: denied { ioctl } for comm="racoon" path="/dev/tun" dev="tmpfs" ino=25329 ioctlcmd=0x54ca scontext=u:r:racoon:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0 Test: policy compiles. Change-Id: Ia26077d4a9e810c7006d4b979d6b7e9ca154b485
-