system_server: replace sys_resource with sys_ptrace am: 3d8dde0e am: dddbd2f3 am: 5ee08053 am: 6b3ef921
am: ed21f855

Change-Id: I629201783c38c41032960e633f2a9f53eeadf8b9

am: 6b3ef921

Change-Id: Iefc3436c532f5f291345e3d01a1cbe175d69e619

am: 5ee08053

Change-Id: I530872c3d9a8ddf5a03353b27e75ea1043cd2ab2

am: dddbd2f3

Change-Id: I517d7bbd415e28d2ba7719f17c1ddcc7c28f20a0

am: 3d8dde0e

Change-Id: I19cb50ee62d217f025bb7fcf535257dac3b3610e

Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.

Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.

Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Bug: 38496951
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
(cherry picked from commit 44866954)

am: cf611a3b

Change-Id: I4bcad7c62a3b32868cfcd6496f608c5905ab79f7

am: e3be5d6b

Change-Id: I6f3544a3803217bd6380ebb9d7d0b84c403e60c2

am: 1a6fabea

Change-Id: I3b1a74f387cbf7388feb17f87f749964816df302

am: c4055f0d

Change-Id: I4f307d49476c1e84d8dd17d02f383d7c10a959fc

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

am: 7469d816

Change-Id: Ie36c6266cc3387bba02974fb65614c75c8bd1425

am: fcfda81b

Change-Id: Iefe805a99749c29865b7f871cd4fc3fe11e1e536

This reverts commit 8c60f74d.

Bug: 38242876
Change-Id: Iba5a94d16901dc0c52f1941972c26877baa4805c

am: c1e8f825

Change-Id: I2db7693bb8bb77e396602caa37286090791a4689

am: 216b377d

Change-Id: I2ff6397f145424266cd1091e338323cff283397c

Node for /dev/uhid driver needs to be accessible
by shell for the 'hid' command in frameworks/base/cmds.
This CL is in support of another CL c/2048848, topic
'Refactor hid command in /frameworks/base/cmds'
in internal master.

Bug: 34052337
Test: CTS test for GamepadTestCase#testButtonA; Checked that
cat /dev/uhid does not raise permission error.

Change-Id: I861c1226b4a67272af7c2a93d7811bf87a083478

am: 52711066

Change-Id: Ic937b16aebdfe046e425c98c0de0d0dfa4b5fc62

am: ce5ca4d0

Change-Id: I7f9cfa0a144ddfd796897446990f2b61108755c1

This is needed for devices using configfs, where init listens for
sys.usb.ffs.ready=1 to config usb_gadget. When recovery starts
sideloading, minadbd (forked from recovery) sets the property to trigger
that action.

avc:  denied  { set } for property=sys.usb.ffs.ready pid=541 uid=0 gid=0
scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0
tclass=property_service

Bug: 35803743
Test: Device shows up in sideload mode.
Change-Id: Ie7f1224d3a8650160ac29811f73b8286fbced4f4

am: 8741d4fe

Change-Id: Iae383ed802d0e8a78d30ded05dbe3e0817b439e5

am: c895f278

Change-Id: I49f55fba41b5242c7c4f36652afe9fee4808a349

Added rule:

/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0

Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58

am: 702605c6

Change-Id: I23b987ecccce6e9622b0e7844d00c14f6ef4d21b

am: 611202ef

Change-Id: If107d1d43e9247be68065d711f471e538830ee18

am: c8fd16c7

Change-Id: I49e7c18e18a400147e1662304d39e25eeae51c55

am: ca0a352a

Change-Id: If463e73dce4db829206a4907a5fa12bfbe347fb9

am: b49bc821

Change-Id: I4e13baad4cc463142b5899855e0613c5ea829c8d

am: 07667733

Change-Id: I0263926bbc950f0186bdd9a7fa3eb8b8f9072ee0

am: 4aac6fdb

Change-Id: I1614f394e0f0c071705e3696d3dd8124e72c24c2

am: 9686cbcd

Change-Id: Id0bacbd2022c24615b9e99108af1a8510be248fb

Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b

In the init scripts for socket, the type can have a suffix of
"+cred" to request that the socket be bound to report SO_PASSCRED
credentials on socket transactions.  Here we add socket setopt
to selinux rules.

Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot
      (fails without logd.rc change)
Bug: 37985222
Change-Id: I37cdf7eea93c3e8fa52964e765eaf3007e431b1f

The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 37993476
Test: check contents of media.audio_flinger section in
      a bugreport captured on Pixel device

Change-Id: I77d347c019ac93c3ba0d54ce50f0fdc243b04685