am: 1ecff6fa

Change-Id: I9e4aefbdc5ec712164cb2946cda4b51a3967c8c3

am: 45afc7a6

Change-Id: I73d31158b87c68fa5b4ee80e33a397bb1be7c010

Whitelist several hals which can be dumped by bugreports. Don't want to
dump more because of the time it takes and also certain hals have
sensitive data which shouldn't be dumped (i.e. keymaster).

Test: dumps work for given hals
Bug: 36414311
Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22

am: 392c86e9

Change-Id: Id520704ad8a2be81648c33d2d1ef4a865badacd0

am: 4dd14f69

Change-Id: I60c3e0f1441aa4f548b1875e68f49c2047bf74e4

am: d437f0e0

Change-Id: Ib72b4435a8173a213f1ddb3331afc0bebf991029

am: d3ce5dc3

Change-Id: Ifd66a82a429b18f6e0077b042dccef38ddcd636d

Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2

vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387
Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff

am: 1c05f800

Change-Id: Icb9150c5828272df8ccfce8a4145df2f3c987c45

am: 63211f8d

Change-Id: If8aa9152a643522fc896b7a412d3fafb19043649

am: e2f8626e

Change-Id: If401e4107787e6620ed31115c45b7d594812dbe5

am: 871e44c4

Change-Id: I1c261dc247b93306c6d1a70dd0014532c84843c5

am: 3d49330b

Change-Id: I1ceaf1d95f07b8c4635a6055384cf6dcff932d51

am: 6456542f

Change-Id: I353c8d695a5c995f72fe865f27682a05011f8f55

ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8

/proc/interrupts may be dumped by dumpstate HAL if required.

Bug: 36486169
Test: 'adb shell bugreport' on sailfish

Change-Id: Ifc41a516aeea846bc56b86b064bda555b43c58ed
Signed-off-by: Sandeep Patil <sspatil@google.com>

am: 79005214

Change-Id: Icf0aefc596f8c3df64be9bc68b4c1f4243059747

am: e1a350a0

Change-Id: Ib2f28bdd5aa8dc1a6641f3f114965ac3ddec17e2

am: 6fcbd0f5

Change-Id: Ibc6947686cc6edf439e25cda9aaf5b1444da6c8c

am: cc45b87c

Change-Id: I17fe3e79b7f673a0703be5be7bb93838cd2f7ed6

am: a6445395

Change-Id: I7c47721f7fd0c30ce20c4948e412c1bb0d5b34f1

am: bbe7213f

Change-Id: I0c82b4e73e54cf7ac1f434c97558bd3cef3c36e7

Now that the android wifi framework has fully switched over to HIDL,
remove the sepolicy permissions for accessing wpa_supplicant using
socket control interface.

While there, also removed the redundant |hwbinder_use|.

Bug: 35707797
Test: Device boots up and able to connect to wifi networks.
Test: Wifi integration tests passed.
Change-Id: I55e24b852558d1a905b189116879179d62bdc76c

Prevent app domains (processes spawned by zygote) from acquiring
locks on files in /system. In particular, /system/etc/xtables.lock
must never be lockable by applications, as it will block future
iptables commands from running.

Test: device boots and no obvious problems.
Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b

Test: no neverallows triggered
Bug: 36494354
Change-Id: I52e21a9be5400027d4e96a8befdd4faaffb06a93

am: dfded77d

Change-Id: I3a6e966ad54f4ea505dacb5c60269cc733e9212c

am: fbd22279

Change-Id: I3c1c3d20bd28b656087643891b3a7d37aed6e01c

am: 9d5f97b3

Change-Id: Ic75010f7e11129e879a7eea1605969f2511f6fc9

am: 6de0d9a7

Change-Id: I7f971d6f1a9fe4247490070f2f00bede2b828494