The following properties will be whitelisted.
- ro.hdmi.device_type, ro.hdmi.wake_on_hotplug and
persist.sys.hdmi.keep_awake for hdmi
- ro.sf.disable_triple_buffer for SurfaceFlinger
- media.stagefright.cache-params and persist.sys.media.avsync for
nuplayer

Bug: 78205669
Bug: 78430613
Test: succeeded building
Change-Id: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07
Merged-In: I5ee1a1de72c265bca87aa041c6acd9554f5f8c07
(cherry picked from commit 18aaaad9)

This reverts commit aa38ce72.

Reason for revert: broken build

Change-Id: Ib6ca328576ef180fd1150ae6d6b3f90e928a07ac

When opening the dex files we sometime need to check for the real location
of the file (even if it was open via an fd).

Denial example:

avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0

Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323
Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54

Bug: 70637118
Test: m && emulator ; also verified on bat_land
Change-Id: I5d78eaf53f7df32837f113c14786f483955a8ac2

This will allow the logging in keystore to actually work.

Bug: 36549319
Test: keystore dropbox logging is successful
Change-Id: Ic135fa9624c289c54187e946affbd0caacef13c1
(cherry picked from commit 2e69afc079a175070279674be78aacbe4434c367)

am: ad3602d2

Test: Vendor security patch prop is properly labeled
Bug: 76428542
Change-Id: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
Merged-In: I034f2f2c9eab3667cfa92ea41b4b5f4afa1c7df7
(cherry picked from commit 15a9fbc2)

This allows for more native modes.

Bug: 73824924
Test: adb shell setprop persist.sys.sf.native_mode 2
Change-Id: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1
Merged-In: Iffdeadc8dc260de4b0c7f2b46aab08d64d25e3b1

Bug: 70637118
Test: build, flash and boot bat_land and owl automotive builds

Change-Id: I6db23258de30174d6db09d241e91b08aa5afedef

Bug: 77489941
Test: simulate delay in dumpstate HAL and get BR, see below from dumpstate_log.txt
    dumpstateBoard timed out after 10s, killing dumpstate vendor HAL
    dumpstateBoard failed: Status(EX_TRANSACTION_FAILED): 'DEAD_OBJECT: '
Change-Id: I90ed5cb8fe8da8ad21ae77676433936cb12d9d04

This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.

(cherry picked from commit 673b4db7)

Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e

Bug: 63932139
Bug: 76201991
Test: Manual A2DP testing (A2DP offload enabled and disabled)
Change-Id: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a
Merged-In: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a

avc: denied { getattr } for path="/data" scontext=u:r:vendor_init:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

Bug: 78345561
Test: build/boot device. Denial is gone.
Change-Id: Ie858f1fe65aeb1845b00a5143c345e81aa2ec632

Bug: 77335096
Test: booted device with metadata encryption and without
Change-Id: I5bc5d46deb4e91912725c4887fde0c3a41c9fc91

Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849
(cherry picked from commit 7d474279)

And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae
Merged-In: I468b8fd907c6408f51419cfb58eb2b8da29118ae
(cherry picked from commit 41e42d63)

FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e

The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6

Allow lmkd read access to /proc/meminfo for retrieving information
on memory state.

Bug: 75322373
Change-Id: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Merged-In: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
(cherry picked from commit 76384b3e)

After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the followign denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
(cherry picked from commit 254a872c)

dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
Merged-In: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
(cherry picked from commit 4de238e9)

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27

Tombstoned unlinks "trace_XX" files if there are too many of them.

avc: denied { unlink } for comm="tombstoned" name="trace_12"
scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0
tclass=file

Bug: 77970585
Test: Build/boot taimen. adb root; sigquit an app.

(cherry picked from commit eb8f938f)

Change-Id: I2f29d12f747d688f8f4e06b48cf72c5109adc2ae

Vendors may use this to write custom messages to their bootloader, and
as the bootloader is under vendor control, this makes sense to allow.

Bug: 77881566
Test: build
Merged-In: I78f80400e5f386cad1327a9209ee1afc8e334e56
Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56
(cherry picked from commit db465285)

Values of the following properties are set by SoC vendors on some
devices including Pixels.
- persist.bluetooth.a2dp_offload.cap
- persist.bluetooth.a2dp_offload.enable
- persist.vendor.bluetooth.a2dp_offload.enable
- ro.bt.bdaddr_path
- wlan.driver.status

So they should be whitelisted for compatibility.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
Merged-In: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
(cherry picked from commit 224921d1)

Denials:
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5684): avc: denied { search } for name="1376" dev="proc" ino=204553 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app_27:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.795   903   903 W traced_probes: type=1400 audit(0.0:5685): avc: denied { search } for name="1402" dev="proc" ino=204554 scontext=u:r:traced_probes:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
04-12 12:42:47.801   903   903 W traced_probes: type=1400 audit(0.0:5686): avc: denied { search } for name="1496" dev="proc" ino=204557 scontext=u:r:traced_probes:s0 tcontext=u:r:untrusted_app:s0:c85,c256,c512,c768 tclass=dir permissive=0
04-12 12:42:47.805   903   903 W traced_probes: type=1400 audit(0.0:5687): avc: denied { search } for name="1758" dev="proc" ino=204563 scontext=u:r:traced_probes:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0

Bug: 77955286

Change-Id: If0985d3ddd7d14c2b139be1c842c9c8df99b90db

Bug: 75987246
Test: succeeded builing and tested with taimen
Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee

We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Bug: 77908066
Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac
(cherry picked from commit a3b3bdbb)

We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
(cherry picked from commit bf4afae1)

This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2

cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
(cherry picked from commit 985db6d8)

Change-Id: Id7823a3130443107beb4d97426807a6395cf6930
related-to-bug:74607984
test:adb bugreport and check for drm trace dumps

A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.

Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.

Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d
Merged-In: I5d7a029f82505983d21dc722541fb55761a8714d
(cherry picked from commit 0dc35873)

Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

(cherry picked from commit c8fe29ff)

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Merged-In: Ie000a00ef56cc603f498d48d89001f566c03b661
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661

This reverts commit 942500b9.

Bug: 75287236
Test: boot a device
Merged-In: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
(cherry picked from commit a6d9d6b6)

See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Cherry-picked from aosp/631805
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
Merged-In: I891a0209be981d760a828a69e4831e238248ebad

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0