- Mar 30, 2017
-
Myles Watson authored
Devices that store their BT MAC address in /data/misc/bluedroid/ need to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
-
TreeHugger Robot authored
-
Ian Pedowitz authored
-
Ian Pedowitz authored
This reverts commit 5c09d123. Broke the build.

Bug: 35870313
Test: source build/envsetup.sh && lunch marlin-userdebug && m -j40
Change-Id: I71c968be6e89462fd286be5663933552d478f8bf
-
TreeHugger Robot authored
-
Jiyong Park authored
Full treble targets cannot have sockets between framework and vendor processes. In theory, this should not affect aosp_arm64_ab where only framework binaries are built. However, /system/sepolicy has rild.te which is now vendor binary and this causes neverallow conflict when building aosp_arm64_ab. So, we just temporarily annotate the rild with socket_between_core_and_vendor_violators so that the neverallow conflict can be avoided.

Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80
The build should not break.
Change-Id: I260757cde96857cc3f539d5f82ca69c50653f8c7
-
TreeHugger Robot authored
-
- Mar 29, 2017
-
Chad Brubaker authored
Test: denials go away
Change-Id: I103cf3ad8d86b461bcba8edce02f6202fd2bcbe8
-
Sandeep Patil authored
* changes:
  mac_permissions: explicitly label all mac_permissions files
  sepolicy: explicitly label all sepolicy files
  seapp_context: explicitly label all seapp context files
  file_context: explicitly label all file context files
  service_contexts: label service_contexts explicitly
  prop_context: correctly label all property_context files
-
Alex Klyubin authored
This tightens neverallows for looking up Binder servicemanager services from vendor components. In particular, vendor components, other than apps, are not permitted to look up any Binder services. Vendor apps are permitted to look up only stable public API services which is exactly what non-vendor apps are permitted to use as well. If we permitted vendor apps to use non-stable/hidden Binder services, they might break when core components get updated without updating vendor components.

Test: mmm system/sepolicy
Bug: 35870313
Change-Id: I949d62b3528cadb4bfe6f5985c25d1f497df0d5a
-
Alex Klyubin authored
-
TreeHugger Robot authored
-
Alex Klyubin authored
As a result, Keymaster and DRM HALs are permitted to talk to tee domain over sockets. Unfortunately, the tee domain needs to remain on the exemptions list because drmserver, mediaserver, and surfaceflinger are currently permitted to talk to this domain over sockets. We need to figure out why global policy even defines a TEE domain...

Test: mmm system/sepolicy
Bug: 36601092
Bug: 36601602
Bug: 36714625
Bug: 36715266
Change-Id: I0b95e23361204bd046ae5ad22f9f953c810c1895
-
Alex Klyubin authored
We don't want to prevent access from vendor platform apps to system app data. The issue with referencing system_app explicitly in neverallows is that vendor platform apps which need sandboxes similar to system_app cannot be placed under system_app without modifying the policy for all platform apps.

Test: mmm system/sepolicy
Change-Id: Ic0052602c31be4d74b02eeea129e2d8bfbd9c8d3
-
Sandeep Patil authored
*mac_permissions.xml files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' or 'rootfs' label.

Bug: 36003167
Test: no new 'mac_perms_file' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded OTA update.
Test: Launch 'chrome' and successfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, successfully play back recorded video
Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
sepolicy files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' or 'rootfs' label.

Bug: 36527360
Test: no new 'sepolicy_file' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded OTA update.
Test: Launch 'chrome' and successfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, successfully play back recorded video
Change-Id: I6fe8ba31588c2d75521c6e2b0bf7e6d6eaf80a19
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
seapp_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label.

Bug: 36002414
Test: no new 'seapp_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi \
      arm64-v8a --module CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testAospSeappContexts
Test: Launch 'chrome' and successfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, successfully play back recorded video
Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi \
      arm64-v8a --module CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testAospFileContexts
Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
The label applies to all service_contexts regardless of their location. This also lets us track the service_contexts usage and limit access to the files for the corresponding object manager alone.

Bug: 36002427
Test: Boot sailfish and observe no denials for 'service_contexts'
Test: cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a --module CtsSecurityHostTestCases \
      -t android.security.cts.SELinuxHostTest#testAospServiceContexts
Change-Id: I97fc8b24bc99ca5c00d010fb522cd39a35572858
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
Split property context files in vendor and system were left untouched by the recent changes. This was working accidentally because they were still accessible to all domains as 'system_file'.

Bug: 36002573
Test: Boot sailfish to observe no new denials.
Test: 'adb sideload' OTA on sailfish successfully
Change-Id: I5bec058b59db83d2a431e9f7e91c5a09af7d2942
Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Alex Klyubin authored
Unescaped apostrophe is not permitted inside macros.

Test: mmm system/sepolicy -- no warnings
Bug: 34980020
Change-Id: I893a41508d8b62975771967fd6e40e50d188c7c1
-
- Mar 28, 2017
-
Jeff Vander Stoep authored
Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open file: stat/read/write/append. This commit marks core data types as core_data_file_type and bans access to non-core domains with an exemption for apps. A temporary exemption is also granted to domains that currently rely on access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video. No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
-
TreeHugger Robot authored
-
Treehugger Robot authored
-
TreeHugger Robot authored
-
- Mar 27, 2017
-
Alex Klyubin authored
In f5446eb1 I forgot to let violators of "no Binder in vendor" rule keep their access to /dev/binder. This commit fixes the issue.

Test: mmm system/sepolicy
Bug: 35870313
Bug: 36657020
Change-Id: I3fc68df1d78e2a2da94ac9bf036a51923e3a9aae
-
Kevin Schoedel authored
-
Jeff Vander Stoep authored
am: ab1fad17
Change-Id: I4c7ea7e2bd41950d5203660af7058895b83870ab
-
Jeff Vander Stoep authored
am: 2f4df755
Change-Id: I4a273520e7a5a92f5739f413d8773ddb3c6a259a
-
Jeff Vander Stoep authored
am: 915c0070
Change-Id: I6899ca877d1ccf0a3d475fd34cfffc00eacdf23d
-
Treehugger Robot authored
-
Steven Moreland authored
am: d34c7eef
Change-Id: Ieb708734a6578e9f7bc43731e6b297704f8f3937
-
Steven Moreland authored
am: aa5feec9
Change-Id: I3ba818c67e9134161dfd9c74d9fdb52f0bd51bef
-
Steven Moreland authored
am: 5a9410cf
Change-Id: I4cf02d403a045bce6da96939406a886197f5a1a5
-
Treehugger Robot authored
-
Alex Klyubin authored
On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and vendor domain are not permitted to connect to each other's sockets. There are two main exceptions: (1) apps are permitted to talk to other apps over Unix domain sockets (this is public API in Android framework), and (2) domains with network access (netdomain) are permitted to connect to netd.

This commit thus:
* adds neverallow rules restricting socket connection establishment,
* temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "socket_between_core_and_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are.

Test: mmm system/sepolicy
Bug: 36613996
Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
-
- Mar 26, 2017
-
Jeff Sharkey authored
am: a4960ef9
Change-Id: Ia6fbb2aae4d5c66e868e43b279748a7a96ae3bf7
-