am: 65d364b9

* commit '65d364b9':
  SELinux rule for ro.device_owner and persist.logd.security

They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePoliyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038

am: 8632b9e4

* commit '8632b9e4':
  domain_deprecated.te: drop cache_recovery_file access

am: 4cd2f530

* commit '4cd2f530':
  priv_app.te: drop auditallows on cache_recovery_file

am: 527d29a8

* commit '527d29a8':
  kernel.te: drop allow kernel untrusted_app:fd use;

am: 2309ef8f

* commit '2309ef8f':
  vold.te: drop allow vold toolbox_exec:file rx_file_perms;

auditallow says not needed.

Change-Id: Iafa048377e159ca3c7cc1f31653002c41ef9ef2b

auditallow says not needed.

Change-Id: If44f64aeb5d0be78fd166d1b3eee298c5f7c860d

This is actually used. Addresses the following SELinux audit logs:

  avc: granted { create } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { add_name } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/command" dev="mmcblk0p38" ino=23 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { setattr } for comm="Thread-157" name="uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file

Change-Id: Idab00ebc8eacd7d8bb793b9342249227f91986a1

auditallow says it's not used.

Bug: 25331459
Change-Id: Ic414efcd0a3be6d744ab66382c20f0ea4c9ea116

am: c15e1036

* commit 'c15e1036':
  camera_device: remove type and add typealias

am: 87a73f19

* commit '87a73f19':
  fc_sort: initial commit
  checkfc: do not die on 0 length fc's

* changes:
  fc_sort: initial commit
  checkfc: do not die on 0 length fc's

am: eed6bbdc

* commit 'eed6bbdc':
  adbd.te: remove allow adbd toolbox_exec:file rx_file_perms

am: bc301caa

* commit 'bc301caa':
  ppp.te: Remove allow ppp toolbox_exec:file rx_file_perms;

am: 24739a6a

* commit '24739a6a':
  netd.te: Remove allow netd toolbox_exec:file rx_file_perms;

am: 2c109405

* commit '2c109405':
  racoon.te: Remove allow racoon toolbox_exec:file rx_file_perms;

auditallow says never used.

Change-Id: I789f32bd7d2bbfc583a12bf8a05662e812f09a38

no SELinux denials from auditallow

Change-Id: Ied61f7f97b148b1c10d0f71e9ab30c136a123738

auditallow says no denials.

Change-Id: Ib4e38f5393d3f3ba67277017abc848f5e7c04efd

auditallow says never used.

Change-Id: I6a3f82740bfecf483e0ccbb528b7218af36d37b8

Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Checkfc was treating 0 size fc files as a fatal error.
An empty fc file should be treated as "nothing to check"
so long as the -e option is passed.

We add this option, so we don't allow empty file_context
files to pass CTS checking.

Change-Id: Ibca6bd948a13389e10c605d613acc48c5504443e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

am: 5de7574a

* commit '5de7574a':
  Revert "fc_sort: initial commit"

Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d14688.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a

am: c68a277f

* commit 'c68a277f':
  fc_sort: add NOTICE file

Change-Id: I0e63f90cafc5b1ca9cc112e852e172046b16a17e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

am: 2dea4525

* commit '2dea4525':
  fc_sort: initial commit

am: c29b2fc4

* commit 'c29b2fc4':
  drop dhcp auditallow

toolbox_exec is executed by dhcpcd-run-hooks.

Addresses the following auditallow log spam:

  avc: granted { read open } for comm="dhcpcd-run-hook" path="/system/bin/toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { read } for comm="setprop" name="toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { execute } for comm="dhcpcd-run-hook" name="toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { execute_no_trans } for comm="dhcpcd-run-hook" path="/system/bin/toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { read execute } for comm="setprop" path="/system/bin/toybox" dev="dm-0" ino=639 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Change-Id: Ib83c291961a5573397830032a67a2f6861ae2e71