- Oct 22, 2018

Treehugger Robot authored

- Oct 20, 2018

Tri Vo authored

- Oct 19, 2018

Treehugger Robot authored

Tri Vo authored
What changed:
- Tightening neverallow forbidding vendor execution access in /system. In its current form the neverallow is loose because not all executables have the exec_type attribute, e.g. almost everything in /system/bin/. This change tightens up the neverallow by instead targeting the system_file_type attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system (bar exceptions)
TODOs:
- Remove loopholes once Treble violations are fixed across all internal build targets.
Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229

Bill Yi authored
Change-Id: I19a9051a0ff3863db1be9ff706a8b31b1c151419

Tri Vo authored

Pavel Grafov authored
am: 10b250df
Change-Id: I1bbfc88a988bb5519cbd91fb5dd0e6d212e42b39

Pavel Grafov authored
This reverts commit c855629e.
Reason for revert: breaks builds for some devices in master
Change-Id: I02c0967d6607ef0173b4188c06d2e781c3c93f4b

Nick Kralevich authored
am: 4c8eaba7
Change-Id: Ic97b8aafa7f6edcf54e08230905b34500fbe677e

Nick Kralevich authored
am: 2581761e
Change-Id: I42e8156eddf6315ff13fe16ad8ed7bc550f31c40

Nick Kralevich authored
am: f5a1b1bf
Change-Id: Idd4890670d766d71d4b2f6feb0066993ca079b90

Jiyong Park authored
am: ecc09871
Change-Id: I43f3d98669537d24879f3a734e2684968813e148

Zheng Zhang authored
am: a26763ec
Change-Id: I7f4be177f11ec0211b492b74f2c342df50d2617f

Tri Vo authored
This change assumes that init needs access to types, access to which was not audited. go/sedenials reports additional types needed by init: pmsg_device and tty_device.
Bug: 110962171
Test: m selinux_policy
Change-Id: I227956b2c12efeef68cbfa041b9604d4e4f9b967

- Oct 18, 2018

Nick Kralevich authored
Start enforcing the use of ioctl restrictions on all Android block devices. Domains which perform ioctls on block devices must be explicit about what ioctls they issue. The only ioctls allowed by default are BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.
Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867

Treehugger Robot authored

Nick Kralevich authored
Remove most of /proc/net access for priv_apps. Files in /proc/net leak unique device identifiers and side channel information about other apps' network connections. Access for most third party applications was removed in commit d78e07cb. This change applies the same constraints to priv-apps that we apply to normal apps.
Bug: 114475727
Bug: 9496886
Bug: 68016944
Test: policy compiles and device boots
Change-Id: I5c41ba57fcd6b81d72c4f3a40b310d2188fc79c3

Nick Kralevich authored
Allow a process to determine if a fifo_file (aka pipe, created from the pipe() or pipe2() syscall) is a tty.
Addresses the following denials:
type=1400 audit(0.0:1307): avc: denied { ioctl } for comm="ls" path="pipe:[213117]" dev="pipefs" ino=213117 ioctlcmd=5401 scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:hal_dumpstate_impl:s0 tclass=fifo_file permissive=0
type=1400 audit(0.0:22): avc: denied { ioctl } for comm="sh" path="pipe:[54971]" dev="pipefs" ino=54971 ioctlcmd=5401 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=fifo_file permissive=0 app=com.zhihu.android
type=1400 audit(0.0:237): avc: denied { ioctl } for comm="sh" path="pipe:[56997]" dev="pipefs" ino=56997 ioctlcmd=5401 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=fifo_file permissive=0 app=fm.qingting.qtradio
Test: policy compiles and device builds.
Change-Id: Ic4c6441d0ec33de8cda3f13ff529e98374897364

Nick Kralevich authored
No functional change. This reorg just makes it easier to perform diffs against https://github.com/SELinuxProject/refpolicy/blob/master/policy/flask/access_vectors
Test: policy builds.
Change-Id: I10cf9547d57981c76ee7e76daa382bb504e36d0b

Tri Vo authored

Jiyong Park authored
apexd uses realpath(3) to ensure that the public key file that it will use is under the /system/etc/security/apex directory. In order to support it, allow apexd to getattr on apex_key_files.
The canonicalization is required because the key name from APEX might be wrong. For example, if the key name from an APEX is '../../some/path' then apexd will use '/system/etc/security/apex/../../some/path' as the public key file, which is incorrect.
Bug: 115721587
Test: m apex.test; m /apex/com.android.example.apex@1 exists
Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67

Zheng Zhang authored
When running some apps in the vendor partition, it reports denials like:
avc: denied { getattr } for comm="Binder:901_2" path="/vendor/operator/app/Wechat/Wechat.apk" dev="sde14" ino=1707 scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 tclass=file permissive=0

Nick Kralevich authored
am: afdcd959
Change-Id: Id2fe422a32a818648e7c31f27a5a894396061627

- Oct 17, 2018

Tri Vo authored
What changed:
- Tightening neverallow forbidding vendor execution access in /system. In its current form the neverallow is loose because not all executables have the exec_type attribute, e.g. almost everything in /system/bin/. This change tightens up the neverallow by instead targeting the system_file_type attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system (bar exceptions)
TODOs:
- Remove loopholes once Treble violations are fixed across all internal build targets.
Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: Ic8d71c8d139cad687ad7d7c9db7111240475f175

Treehugger Robot authored

Nick Kralevich authored
am: 5a7b8206
Change-Id: I753b83b0f59aa5ecec568ffb3cd11d88de99011c

Treehugger Robot authored

Nick Kralevich authored
am: a73f58ae
Change-Id: I573c72eb0795862a498772e74cb7f230876fa914

Nick Kralevich authored
The ioctl number varies between MIPS devices and other devices.
Test: policy compiles.
Change-Id: I107ccd2eca626148d2573f51753ec433e20d6b74

Nick Kralevich authored
Add a neverallow rule requiring fine-grain ioctl filtering for most file and socket object classes. Only chr_file and blk_file are excluded. The goal is to ensure that any file descriptor which supports ioctl commands uses a whitelist.
Further refine the list of file / socket objects which require ioctl filtering. The previous ioctl filtering did not cover the following:
1) ioctls on /proc/PID files
2) ioctls on directories in /dev
3) PDX unix domain sockets
Add FIONCLEX to the list of globally safe ioctls. FIOCLEX and FIONCLEX are alternate, uncommon ways to set the O_CLOEXEC flag on a file descriptor, which is a harmless operation.
Test: device boots and no problems.
Change-Id: I6ba31fbe2f21935243a344d33d67238d72a8e618

Nick Kralevich authored
Addresses the following denial:
type=1400 audit(0.0:51894): avc: denied { ioctl } for comm="MtpServer" path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=30291 ioctlcmd=0x6782 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=0 app=com.android.providers.media
Test: policy compiles.
Change-Id: I5290abb2848e5824669dae4cea829d4cbea98ab4
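The avc denial lines quoted in the messages above (the fifo_file ioctl denials, the vendor_app_file getattr denial, and the MtpServer functionfs denial just above) share one audit format, and the ioctl commits on this page turn on the narrowest candidate rule for each. The following Python is an added example, not code from the sepolicy project or from any commit here: it parses such lines into source type, target type, class, permissions and ioctl number, flags ioctls that fall in the globally safe set named in the Oct 17 and Oct 18 messages (BLKGETSIZE64, BLKSSZGET, FIOCLEX, FIONCLEX), and emits the minimal allow/allowxperm candidate a policy author would then review. The sample input is the denial lines quoted on this page; the ioctl constant values are taken from the Linux uapi headers, masked to the 16 bits SELinux extended permissions cover.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the avc denial lines quoted in the commit messages on this page.
SAMPLE_DENIALS = [
    'type=1400 audit(0.0:1307): avc: denied { ioctl } for comm="ls" '
    'path="pipe:[213117]" dev="pipefs" ino=213117 ioctlcmd=5401 '
    'scontext=u:r:hal_dumpstate_impl:s0 tcontext=u:r:hal_dumpstate_impl:s0 '
    'tclass=fifo_file permissive=0',
    'type=1400 audit(0.0:51894): avc: denied { ioctl } for comm="MtpServer" '
    'path="/dev/usb-ffs/mtp/ep1" dev="functionfs" ino=30291 ioctlcmd=0x6782 '
    'scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:functionfs:s0 '
    'tclass=file permissive=0 app=com.android.providers.media',
    'avc: denied { getattr } for comm="Binder:901_2" '
    'path="/vendor/operator/app/Wechat/Wechat.apk" dev="sde14" ino=1707 '
    'scontext=u:r:mediaserver:s0 tcontext=u:object_r:vendor_app_file:s0 '
    'tclass=file permissive=0',
]

# The ioctls the Oct 18 block-device change leaves allowed by default.
# SELinux extended permissions cover only the low 16 bits of the command,
# so BLKGETSIZE64 (_IOR(0x12, 114, size_t)) is 0x1272 for both 32- and
# 64-bit userspace. Numeric values are from the Linux uapi headers.
GLOBALLY_SAFE_IOCTLS = {
    0x1272: "BLKGETSIZE64",
    0x1268: "BLKSSZGET",
    0x5451: "FIOCLEX",
    0x5450: "FIONCLEX",
}

_DENIAL_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]*)\} for (?P<rest>.*)$")
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Denial:
    perms: List[str]
    fields: Dict[str, str]

    def type_of(self, key: str) -> str:
        """SELinux type from a context such as u:r:foo:s0:c512,c768."""
        return self.fields[key].split(":")[2]

    def ioctl_cmd(self) -> Optional[int]:
        """Denied ioctl number, masked to the 16 bits SELinux xperms use.

        The kernel prints ioctlcmd in hex with or without a 0x prefix; both
        forms appear on this page ("ioctlcmd=5401" is TCGETS, 0x5401).
        """
        raw = self.fields.get("ioctlcmd")
        return None if raw is None else int(raw, 16) & 0xFFFF


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one audit line; returns None if it is not an avc denial."""
    m = _DENIAL_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(m.group("rest")):
        fields[key] = quoted if bare == "" else bare
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return Denial(perms=m.group("perms").split(), fields=fields)


def safe_ioctl_name(cmd: int) -> Optional[str]:
    """Name of the ioctl if it is in the globally safe set, else None."""
    return GLOBALLY_SAFE_IOCTLS.get(cmd & 0xFFFF)


def suggest_rules(d: Denial) -> List[str]:
    """Narrowest allow (+ allowxperm) candidate for one denial.

    A candidate only: the author still decides whether the access is
    legitimate; several commits on this page remove access instead.
    """
    src, tgt, cls = d.type_of("scontext"), d.type_of("tcontext"), d.fields["tclass"]
    rules = [f"allow {src} {tgt}:{cls} {{ {' '.join(d.perms)} }};"]
    cmd = d.ioctl_cmd()
    if cmd is not None and "ioctl" in d.perms:
        rules.append(f"allowxperm {src} {tgt}:{cls} ioctl 0x{cmd:04x};")
    return rules


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        d = parse_denial(line)
        if d is None:
            continue
        cmd = d.ioctl_cmd()
        note = f"  # {safe_ioctl_name(cmd)} is globally safe" if cmd and safe_ioctl_name(cmd) else ""
        print("\n".join(suggest_rules(d)) + note)
```

Run stand-alone it prints the candidate rules for the three quoted denials; the TCGETS denials map to an `allowxperm ... ioctl 0x5401`, which is exactly the "is this a tty" check the Oct 18 fifo_file commit allows.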

Dario Freni authored
am: bab267a8
Change-Id: I2ae046cd9434b983abe6366bd72e595b48ddfdf4

Dario Freni authored
Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35

Bowgo Tsai authored
am: 247f061a
Change-Id: Ibec2927b80068cedc0c7ba7391e6fe53d9ae0892

Treehugger Robot authored

- Oct 16, 2018

Tri Vo authored
Input files are public API: https://source.android.com/devices/input/input-device-configuration-files
Now that they have labels from core policy (aosp/782082), we can tighten up our neverallows.
Bug: 37168747
Test: m selinux_policy
Change-Id: Ifaf9547993eb8c701fb63b7ee41971ea4e3f7cf9

Nick Kralevich authored
am: 9c22895c
Change-Id: Icf1b28c653ed40e827ad087dec13bcd02b9ba484