  1. Jan 10, 2018
  2. Jan 02, 2018
  3. Dec 21, 2017
    • system_server: search permission to all of sysfs. · ce8bc8b0
      Tri Vo authored
      This will allow system_server to perform path resolution on paths like:
      /sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm8998@0:qcom,pm8998_rtc/rtc
      
      Fixes this denial:
      avc: denied { search } for pid=947 comm=system_server
      name=800f000.qcom,spmi dev=sysfs ino=19891
      scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
      tclass=dir permissive=0 b/68003344
      
      Bug: 68003344
      Test: walleye boots without the denial above.
      Change-Id: Ib282395124c7f2f554681fcc713b9afe189f441c
  4. Dec 20, 2017
    • system_server: remove access to /sys/class/leds. · 89a7b215
      Tri Vo authored
      Removing legacy rules. system_server now depends on Lights HAL (which
      has its own domain) instead of /sys/class/leds.
      
      Bug: 70846424
      Test: sailfish boots; screen, flashlight work fine.
      
      Change-Id: I6f116a599cab26ae71e45f462b33328bc8d43db5
  5. Dec 19, 2017
  6. Dec 16, 2017
  7. Dec 12, 2017
    • Restrict access to uid_concurrent_*_time · 80ee23f7
      Marissa Wall authored
      Do not let apps read uid_concurrent_active_time and
      uid_concurrent_policy_time.
      
      b/68399339
      
      Test: Check that they can't be read from the shell
          without root permissions and system_server was able
          to read them
      
      Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06
  8. Nov 30, 2017
  9. Nov 29, 2017
  10. Nov 28, 2017
    • Allow system server to open profiles · 15da30b6
      Calin Juravle authored
      Allow system_server to open profile snapshots for read.
      System server never reads the actual content. It passes the descriptor
      to privileged apps which acquire the permissions to inspect the profiles.
      
      Test: installd_dexopt_test
      Bug: 30934496
      Change-Id: I1d1f07a05261af25f6640040af1500c9a4d5b8d5
  11. Nov 22, 2017
    • Continuation of 9b2e0cbe · df642bef
      Nick Kralevich authored
      9b2e0cbe changed all uses of capability
      to global_capability_class_set but accidentally omitted one entry.
      Fix the one entry.
      
      Test: policy compiles.
      Change-Id: I1bb8c494a2660d9f02783c93b07d4238a2575106
  12. Nov 21, 2017
    • sepolicy: Add rules for non-init namespaces · 9b2e0cbe
      Benjamin Gordon authored
      In kernel 4.7, the capability and capability2 classes were split apart
      from cap_userns and cap2_userns (see kernel commit
      8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
      run in a container with SELinux in enforcing mode.
      
      This change applies the existing capability rules to user namespaces as
      well as the root namespace so that Android running in a container
      behaves the same on pre- and post-4.7 kernels.
      
      This is essentially:
        1. New global_capability_class_set and global_capability2_class_set
           that match capability+cap_userns and capability2+cap2_userns,
           respectively.
        2. s/self:capability/self:global_capability_class_set/g
        3. s/self:capability2/self:global_capability2_class_set/g
        4. Add cap_userns and cap2_userns to the existing capability_class_set
           so that it covers all capabilities.  This set was used by several
           neverallow and dontaudit rules, and I confirmed that the new
           classes are still appropriate.
      
      Test: diff new policy against old and confirm that all new rules add
            only cap_userns or cap2_userns;
            Boot ARC++ on a device with the 4.12 kernel.
      Bug: crbug.com/754831
      
      Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
  13. Nov 20, 2017
  14. Nov 17, 2017
    • Add window trace files SELinux policy rules · 2d6942d3
      Vishnu Nair authored
      - Allow system_server to create and write to /data/misc/wmtrace/*
      - Allow surfaceflinger to create and write files from /data/misc/wmtrace/*
      - Allow dumpstate to read files from /data/misc/wmtrace/*
      Permissions are restricted to userdebug or eng builds.
      
      Bug: 64831661
      
      Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
      Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null
      Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: '
      
      Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c
  15. Nov 16, 2017
    • system_server: access to /proc/sys/fs/pipe-max-size · e7f4934d
      Tri Vo authored
      Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
      system_server access to it.
      
      Addresses this denial:
      avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
      scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
      permissive=0
      
      Bug: 69175449
      Bug: 69324398
      Test: sailfish boots
      Test: adb bugreport
      Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
      into /data/anr
      Above denial from system_server not observed, no denials to proc_pipe_conf
      observed.
      Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
    • Revert "Revert "Put pm.* property in new pm_prop context"" · 5316548f
      Calin Juravle authored
      This reverts commit 248b6dc6.
      
      Reason for revert: The dashboard complains that devices don't boot after this revert.
      
      Change-Id: I6a4648b64b096cbaa97c67aae6bc38b76d54cb48
  16. Nov 15, 2017
  17. Nov 08, 2017
  18. Oct 23, 2017
    • Adding statscompanion_service and a dontaudit for find/add · 0187b231
      Max Bires authored
      Instead of removing the denial generating code, a dontaudit and a
      service label will be provided so that the team working on this new
      feature doesn't have to get slowed up with local revision patches.
      
      The dontaudit should be removed upon resolution of the linked bug.
      
      Bug: 67468181
      Test: statscompanion denials aren't audited
      Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7
    • storaged: move storaged file from DE to CE · 81d8b0ee
      Jin Qian authored
      Allow vold/system_server to call storaged service
      
      Test: adb shell storaged -u
      Bug: 63740245
      Change-Id: I88219e32520006db20299468b7a8c7ce0bfa58e0
      Merged-In: I88219e32520006db20299468b7a8c7ce0bfa58e0
      (cherry picked from commit fa6c3d7c)
  19. Oct 20, 2017
    • Fixup neverallow rule · 2ec15e5b
      Nick Kralevich authored
      When we removed /data/dalvik-cache execute permission for system_server
      (b/37214733, b/31780877), I forgot to fixup this neverallow rule.
      Fix rule.
      
      Test: policy compiles.
      Change-Id: I38b821a662e0d8304b8390a69a6d9e923211c31e
  20. Oct 18, 2017
    • system_server allow to add batteryproperties_service · dc9815e2
      Yifan Hong authored
      BatteryService now serves batteryproperties_service
      (previously served by healthd) to allow BatteryManager
      to continue to work.
      
      Test: boots (BatteryService correctly starts up)
      
      Bug: 63702641
      Change-Id: If5c4c82d58c960c966b03afa3fc7902cda04222b
  21. Oct 17, 2017
    • Allowing system_server to search sysfs_power dir · aed69d67
      Max Bires authored
      rw access to the sysfs_power file is not enough; in some cases search access
      is also needed.
      
      Bug: 67895406
      Test: system_server can access memory power statistics
      Change-Id: I471e8e60626e6eed35e74e25a0f4be470885a459
  22. Oct 16, 2017
  23. Oct 12, 2017
    • Label system_server's dependencies in sysfs. · 1960215c
      Tri Vo authored
      New types:
      sysfs_android_usb
      sysfs_ipv4
      sysfs_power
      sysfs_rtc
      sysfs_switch
      sysfs_wakeup_reasons
      
      Labeled:
      /sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
      /sys/class/rtc -> sysfs_rtc
      /sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
      /sys/power/state, /sys/power/wakeup_count -> sysfs_power
      /sys/kernel/ipv4 -> sysfs_ipv4
      /sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons
      
      Removed access to sysfs and sysfs_type from system_server and added
      appropriate access to new types.
      
      Bug: 65643247
      Test: sailfish boots without violation from system_server or to new labels.
      Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5
  24. Oct 11, 2017
  25. Oct 06, 2017
    • Extend access to proc/asound/* · 464f59ae
      Tri Vo authored
      Renamed this type:
      proc_asound_cards -> proc_asound
      
      Labeled /proc/asound/devices as proc_asound.
      
      We now use proc_asound type to label files under /proc/asound which we
      want to expose to system components.
      
      Bug: 66988327
      Test: Pixel 2 boots, can play sound with or without headphones, and
      selinux denials to proc_asound are not seen.
      
      Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0
  26. Sep 28, 2017
  27. Sep 27, 2017
    • system_server: read symlinks in /cache · 1f55d83d
      Jeff Vander Stoep authored
      type=1400 audit(0.0:6): avc: denied { read } for comm="Thread-5"
      name="cache" dev="dm-0" ino=13 scontext=u:r:system_server:s0
      tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0
      
      Bug: 64067152
      Bug: 65843095
      Test: build
      Change-Id: Ie90c0343a834aa87b7ded41f503e05d9b63b3244
      (cherry picked from commit a4cada74)
  28. Sep 26, 2017
  29. Sep 21, 2017
  30. Sep 19, 2017
    • Explicitly label system_server's dependencies in /proc · 8c2323d3
      Tri Vo authored
      Labeled:
      /proc/asound/cards -> proc_asound_cards
      /proc/loadavg -> proc_loadavg
      /proc/pagetypeinfo -> proc_pagetypeinfo
      /proc/version -> proc_version
      /proc/vmallocinfo -> proc_vmallocinfo
      
      system_server: added access to all new types and removed access to proc label.
      init: added access to proc_version.
      dumpstate: added access to proc_pagetypeinfo, proc_version,
      proc_vmallocinfo.
      hal_audio: added access to proc_asound_cards.
      all_untrusted_apps: extended neverallow rule to include new labels.
      
      Bug: 65980789
      Test: device boots without selinux denials to the newly introduced
      labels.
      Test: "adb shell dumpstate" throws no violations to new labels.
      Change-Id: Ic60facd3d4776e38d5e3ba003d06ada4e52c7dca
  31. Sep 18, 2017
  32. Sep 15, 2017
  33. Sep 06, 2017
    • Start paving the way for vold calls over Binder. · 0fa3fb02
      Jeff Sharkey authored
      This change is the bare minimum needed to publish a new vold
      Binder service and move the simple "reset" call over to go through
      the new interface.
      
      The new rules here are mirrored on the existing installd rules, but
      with a handful of neverallow rules relaxed due to funky interactions
      with hal_client_domain().
      
      Test: builds, boots
      Bug: 13758960
      Change-Id: Ia9522ea7a68698cb0edce7879abfbf22b9d67c76
  34. Sep 01, 2017
  35. Aug 31, 2017
    • Permissions for screencap saving files to /sdcard/ · c12c7349
      Steven Moreland authored
      Before screencap was in its own domain, it was able to do
      this by using all of shell's permissions.
      
      The following denials are caused (along with times from running the below test command)
      when screencap is invoked to write a file onto the sdcard:
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:23): avc: denied { read } for name="primary" dev="tmpfs" ino=19547 scontext=u:r:screencap:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file permissive=1
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:24): avc: denied { search } for name="/" dev="tmpfs" ino=19529 scontext=u:r:screencap:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:25): avc: denied { search } for name="user" dev="tmpfs" ino=19535 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=1
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:26): avc: denied { read } for name="primary" dev="tmpfs" ino=31198 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=lnk_file permissive=1
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:27): avc: denied { search } for name="/" dev="sdcardfs" ino=1310722 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:28): avc: denied { write } for name="image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:29): avc: denied { open } for path="/storage/emulated/0/image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1
      08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:30): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
      08-30 21:03:32.582  4990  4990 I screencap: type=1400 audit(0.0:31): avc: denied { execute } for name="sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
      08-30 21:03:32.582  4990  4990 I screencap: type=1400 audit(0.0:32): avc: denied { read open } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
      08-30 21:03:32.582  4990  4990 I screencap: type=1400 audit(0.0:33): avc: denied { execute_no_trans } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
      08-30 21:03:32.582  4990  4990 I sh      : type=1400 audit(0.0:34): avc: denied { getattr } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
      08-30 21:03:32.586  4990  4990 I sh      : type=1400 audit(0.0:35): avc: denied { ioctl } for path="socket:[57515]" dev="sockfs" ino=57515 ioctlcmd=5401 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1
      08-30 21:03:32.586  4990  4990 I sh      : type=1400 audit(0.0:36): avc: denied { getattr } for path="socket:[57515]" dev="sockfs" ino=57515 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1
      08-30 21:03:32.589  4991  4991 I sh      : type=1400 audit(0.0:37): avc: denied { execute_no_trans } for path="/system/bin/am" dev="dm-0" ino=1178 scontext=u:r:screencap:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
      08-30 21:03:32.739  4992  4992 I cmd     : type=1400 audit(0.0:38): avc: denied { call } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
      08-30 21:03:32.739  4992  4992 I cmd     : type=1400 audit(0.0:39): avc: denied { use } for path="/dev/null" dev="tmpfs" ino=19514 scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=fd permissive=1
      08-30 21:03:32.739  4992  4992 I cmd     : type=1400 audit(0.0:40): avc: denied { transfer } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
      08-30 21:03:32.741   575   575 E SELinux : avc:  denied  { find } for service=activity pid=4992 uid=2000 scontext=u:r:screencap:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
      08-30 21:03:32.749   837   837 I Binder:837_9: type=1400 audit(0.0:41): avc: denied { call } for scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=binder permissive=1
      
      If /data/media/ is deleted, the following denials also occur:
      08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:43): avc: denied { search } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
      08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:44): avc: denied { read open } for path="/data/media/0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
      08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:48): avc: denied { write } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
      08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:49): avc: denied { add_name } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
      08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:50): avc: denied { create } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
      08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:51): avc: denied { setattr } for name="image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
      08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:53): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
      08-31 01:04:29.741  6625  6625 W screencap: type=1400 audit(0.0:23): avc: denied { write } for name="0" dev="sdcardfs" ino=655364 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
      
      Test: adb shell screencap -p /sdcard/phone.png
      Bug: 65206688
      Change-Id: I808429b25fa3118fef7931050ab757c9bcd61881