This is an experimental feature only on userdebug and eng build.

Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474

Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3

getattr for trace_data_file:dir permissions was missing, impacting
functionality.

Bug:68126425
Test: Traceur functionality is properly working
Change-Id: I2c8ae5cf3463a8e5309b8402713744e036a64171

And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5

Now that init no longer uses it.

Fixes: 70846424
Test: no neverallows tripped
Change-Id: I5c22dd272b66fd32b4758c1dce659ccd98b8a7ba

Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36

This util allows init to turn off the screen
without any binder dependencies.

Bug: 70846424
Test: manual + init use
Change-Id: I4f41a966d6398e959ea6baf36c2cfe6fcebc00de

Sepolicy for the usb daemon. (ag/3373886/)

Bug: 63669128
Test: Checked for avc denial messages.
Change-Id: I6e2a4ccf597750c47e1ea90c4d43581de4afa4af

Bug: 65643247
Test: walleye boots with no denials from priv_app.

Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63

Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd

system_update service manages system update information: system updater
(priv_app) publishes the pending system update info through the service,
while other apps can read the info accordingly (design doc in
go/pi-ota-platform-api).

This CL adds the service type, and grants priv_app to access the service.

Bug: 67437079
Test: Build and flash marlin image. The system_update service works.
Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.
Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f

Test: esdfs should be mountable and usable with selinux on
Bug: 63876697
Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e

Test: boots
Test: hwservicemanager can read these files
Bug: 36790901
Change-Id: I0431a7f166face993c1d14b6209c9b502a506e09

Bug: 63669128
Test: Checked for avc denail messages.
Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda

Selinux violations while calling dump() on statsd by bugreport.

avc: denied { call } for scontext=u:r:dumpstate:s0 tcontext=u:r:statsd:s0 tclass=binder permissive=1
denied { use } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=1
avc: denied { write } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1
avc: denied { getattr } for path="pipe:[411602]" dev="pipefs" ino=411602 scontext=u:r:statsd:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1

Test: manual
Change-Id: I46c5b119548378cc80c6e4498d00edad5959d188

Bug: 70846424
Test: neverallow not tripped
Change-Id: I9e351ee906162a594930b5ab300facb5fe807f13

Bug: 65643247
Test: builds, the change doesn't affect runtime behavior.

Change-Id: I621a8006db7074f124cb16a12662c768bb31e465

This is needed to allow system apps to know whether security
logging is enabled, so that they can in this case log additional
audit events.

Test: logged a security event from locally modified KeyChain app.
Bug: 70886042
Change-Id: I9e18d59d72f40510f81d1840e4ac76a654cf6cbd

avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:proc_version:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:wifi_prop:s0 tclass=file
avc: denied { read } scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:net_dns_prop:s0 tclass=file

Bug: 72151306
Test: build
Change-Id: I4b658ccd128746356f635ca7955385a89609eea1

Since /odm is an extension of /vendor, its default property contexts
should be consistent with ones of /vendor.

Bug: 36796459
Test: tested on wahoo devices
Change-Id: Ia67ebe81e9c7102aab35a34f14738ed9a24811d3

Add a new set of sepolicy for the process that only netd use to load
and run ebpf programs. It is the only process that can load eBPF
programs into the kernel and is only used to do that. Add some
neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device
boot. No selinux violation for bpfloader
Bug: 30950746

Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f

CpuFrequency.java seems to be the only thing that depends on
/sys/devices/system/cpu in system_server. And according to
b/68988722#comment15, that dependency is not exercised.

Bug: 68988722
Test: walleye boots without denials to sysfs_devices_system_cpu
Change-Id: If777b716bf74188581327b7f5aa709f5d88aad2d

If a UID is in an idle state we don't allow recording to protect
user's privacy. If the UID is in an idle state we allow recording
but report empty data (all zeros in the byte array) and once
the process goes in an active state we report the real mic data.
This avoids the race between the app being notified aboout its
lifecycle and the audio system being notified about the state
of a UID.

Test: Added - AudioRecordTest#testRecordNoDataForIdleUids
      Passing - cts-tradefed run cts-dev -m CtsMediaTestCases
              -t android.media.cts.AudioRecordTest

bug:63938985

Change-Id: I8c044e588bac4182efcdc08197925fddf593a717

There is a race condition between when /data is mounted
and when processes attempt to access it. Attempting to access
/data before it's mounted causes an selinux denial. Attribute
these denials to a bug.

07-04 23:48:53.646   503   503 I auditd  : type=1400 audit(0.0:7): avc:
denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
07-15 17:41:18.100   582   582 I auditd  : type=1400 audit(0.0:4): avc:
denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2
scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
permissive=0

Bug: 68864350
Test: build
Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5

Bug: 68388678
Test: storaged-unit-tests
Change-Id: Iea1ba0131a389dc4396ff3ebe2cdf68dbd688c8a

Duplicate property names are supported now for prefix and exact
matching.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: Ifd9d32eaece7370d69f121e88d5541f7a2e34458

The NeuralNetworks runtime is a library that communicates with
NeuralNetworks HIDL services and is linked by applications. To enable
the NN runtime to use these services, applications must have explicit
sepolicy permissions to find the NN services and communicate across
binder.

This CL relaxes neverallow rules for hal_neuralnetworks_*.

Because it is affecting pre-existing neverallow rules, this CL requires
a CTS rebuild.

Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)

Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6

This gives the privilege to system apps, platform apps,
ephemeral apps, and privileged apps to receive a
UDP socket from the system server. This is being added
for supporting UDP Encapsulation sockets for IPsec, which
must be provided by the system.

This is an analogous change to a previous change that
permitted these sockets for untrusted_apps:
0f75a62e

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31

Label /vendor/etc/selinux/* as vendor_configs_file.

Bug: 62041836
Test: build system/sepolicy
Test: walleye boots
Change-Id: I617a3287860e965c282e9e82b4375ea68dbca785

Bug: 71861796
Test: no more denials on walleye for shell init scripts
Change-Id: I51eab267c95a915f927b0aaa7db9d678a83093c7

Bug: 38206971
Test: test on phone
Change-Id: Id34ab2673c7a16744fba77eb5c176e2e8b474299
Merged-In: Id34ab2673c7a16744fba77eb5c176e2e8b474299

/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and
    video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
    android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
    com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
    android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
    android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
    android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea

Addresses:
avc: denied { chown } for comm="vold_prepare_su" capability=0
scontext=u:r:vold_prepare_subdirs:s0
tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability

Bug: 71796118
Test: build
Change-Id: I64b2f1ad8d6e0748c5820b8a37a4fc4f4101d1fb

Point logspam to its owner.

Bug: 71537285
Test: build
Change-Id: I9db561ee6f2857214b7945b312e6d303630724ea

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e

and pulling metrics

Bug: 63757906
Test: manual testing conducted
Change-Id: Ieba524ee676dfb4a457d39d025d203bf02a70831

Perfetto is a performance instrumentation and logging framework,
living in AOSP's /external/pefetto.
Perfetto introduces in the system one binary and two daemons
(the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd.
   It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream
     tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS
     from traced to each client process, which needs to be able to
     mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from:
     shell, statsd). It allows to configure tracing and read the trace
     buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file:
https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405

communicate with statsd

Test: manual testing conducted
Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e