These denials should not be allowed. Adding a bug number to the
denial properly attributes them to a bug.

Bug: 69197466
avc: denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability

Bug: 62140539
avc: denied { open }
path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
avc: denied { unlink } for name="17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 69175449
avc: denied { read } for name="pipe-max-size" dev="proc"
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build
Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16

Since all qtaguid related userspace implementation are moved into netd
and will use netd to choose which module to run at run time. Netd module
should be the only process can directly read/write to the ctrl file of
qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grant
netd the privilege to access qtaguid proc files. It also grant netd the
permission to control trigger to turn on and off qtaguid module by write
parameters to files under sys_fs. The file and directory related is
properly labled.

Bug: 68774956
Bug: 30950746
Test: qtaguid function still working after the native function is
redirected.

Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b

Add label update_engine_log_data_file for log files created by
update engine in directory /data/misc/update_engine_log.

Bug: 65568605
Test: manual
Change-Id: I379db82a0ea540e41cb3b8e03f93d9ce64fac7c9

* changes:
  init: label /proc dependencies and remove access to proc
  init: refactor access to proc_* labels.

avc: denied { getattr } for comm="sAsyncHandlerTh"
path="/data/cache/recovery" dev="sda13" ino=7086082
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
avc: denied { getattr } for path="/data/cache/backup"
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:cache_private_backup_file:s0 tclass=dir

Bug: 63038506
Bug: 35197529
Test: build police
Change-Id: I51624c255e622bf712d41ca1bbf190ec3e4fefae
(cherry picked from commit fcf1b2083935bd298a2ece8d6d0c18712865a04b)

Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.

Addresses:
avc:  denied  { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f

New types and files labeled with them:
1. proc_abi:
  /proc/sys/abi/swp

2. proc_dirty:
  /proc/sys/vm/dirty_background_ratio
  /proc/sys/vm/dirty_expire_centisecs

3. proc_diskstats:
  /proc/diskstats

4. proc_extra_free_kbytes:
  /proc/sys/vm/extra_free_kbytes

5. proc_hostname:
  /proc/sys/kernel/domainname
  /proc/sys/kernel/hostname

6. proc_hung_task:
  /proc/sys/kernel/hung_task_timeout_secs

7. proc_max_map_count:
  /proc/sys/vm/max_map_count

8. proc_panic:
  /proc/sys/kernel/panic_on_oops

9. proc_sched:
  /proc/sys/kernel/sched_child_runs_first
  /proc/sys/kernel/sched_latency_ns
  /proc/sys/kernel/sched_rt_period_us
  /proc/sys/kernel/sched_rt_runtime_us
  /proc/sys/kernel/sched_tunable_scaling
  /proc/sys/kernel/sched_wakeup_granularity_ns

10. proc_uptime:
  /proc/uptime

Files labeled with already existing types:
1. proc_perf:
  /proc/sys/kernel/perf_event_paranoid

2. proc_sysrq:
  /proc/sys/kernel/sysrq

3. usermodehelper:
  /proc/sys/kernel/core_pipe_limit

Changes to init domain:
1. Removed access to files with 'proc' label.
2. Added access to newly introduced types + proc_kmsg.

Bug: 68949041
Test: walleye boots without denials from u:r:init:s0.
Test: system/core/init/grab-bootchart.sh does not trigger denials from
u:r:init:s0
Change-Id: If1715c3821e277679c320956df33dd273e750ea2

Bug: 68949041
Test: device builds, boots, no denials from init.

Change-Id: Iedefac8d70512fd614ca06117f42a7887f6ab649

1. remove some duplicate permissions.
2. Grant permissions to su for dgram sockets in a way that is
   consistent to how we grant permissions to stream_sockets.

Bug: 34980020
Test: build
Change-Id: I50e01d51444a70ead3ef40b52eda8eb29732b46c

/sys/power/state is labled as sysfs_power now. Allow charger to
write to it instead of writing to sysfs.

Test: no denials for charger on this file
Change-Id: Idf8c2656fa1094a69a627c1a705a83893bf3afb3

Test: system server does not crash with this change
Bug: 67415855
Bug: 63920015
Change-Id: I3d0982220743137098dbc683d5c4aded105648c2

Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
      with EIO.
Test: bullhead networking still works

Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd

Bug: 65643247
Test: build aosp_sailfish-userdebug
Test: build walleye-userdebug from internal
Change-Id: Ic7a212ce226dcfa4b363ed1acd3b2a249cee576b

domain based tmpfs file access has getattr, read and write.

However newer kernels support map. Add this map permission so they
can use mmap based access.

Test: build test.

Change-Id: I2e128967e10a1332b3c1c908550360a52fbceaf8
Signed-off-by: William Roberts <william.c.roberts@intel.com>

These are no longer used.

Test: build aosp_marlin
Bug: 34980020
Change-Id: I04e4aa2322fcdf5945b99967d88287c353b9a6ae

This will be used to enforce data separation between platform and
vendor.

Test: build
Bug: 34980020
Change-Id: Ia312f00068d3982c7aae7e35bd0c96a6eb9ea3be

Bug: 65643247
Test: build aosp_sailfish-userdebug
Test: build walleye-userdebug from internal
This CL does not change runtime behavior.
Change-Id: I82c520579b986ea2a4a6f030ec60d5345c00b54f

Test: manual(installd flow without sepolicy denials)
Bug: 67111829
Change-Id: I7ac1a86e731ec5900eec83608b4765a6818f2fd0

Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):

1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs

We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.

Bug: 68159582
Bug: 68792382
Test: build aosp_sailfish-user
Test: build aosp_sailfish-userdebug
Test: CP to internal and build walleye-user
Change-Id: I1b2890ce1efb02a08709a6132cf2f12f9d88fde7

This reverts commit 502e43f7.

Reason for revert: Suspected to have broken a build, see b/68792382

Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249

This denial affects marlin as well

Test: The associated denials are properly tagged with this bug
Change-Id: Ie90f1ac8c9a930465d8b806d77c2975c5f046403

Test: code compiles.
Change-Id: I2677ebdaf7ca491c60697da9d3ebf5a5d8cb5036

Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):

1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs

We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.

Bug: 68159582
Test: bullhead, sailfish can build
Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5

Default health service needs following permissions to work:
- read /sys/class/power_supply
- uevent
- wakelock

Bug: 63702641
Test: no denials for health service

Change-Id: I2f3aed3ef3b5ac024da17d9d5400d9834038df9f

avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0
avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0

Bug: 68040531
Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c

The permission was removed in
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/433615/
but is still needed in order to optimize application code.

Denial example:

10-26 16:29:51.234   894  1469 D PackageManager.DexOptimizer: Running
dexopt on: /data/user/0/com.google.android.gms/snet/installed/snet.jar
pkg=com.google.android.gms isa=[arm64]
dexoptFlags=boot_complete,public,secondary,force,storage_ce
target-filter=quicken

10-26 16:29:51.253  2148  2148 W Binder:695_5: type=1400 audit(0.0:39):
avc: denied { read } for name="0" dev="sda35" ino=917506
scontext=u:r:installd:s0 tcontext=u:object_r:system_data_file:s0
tclass=lnk_file permissive=0

Test: adb shell cmd package reconcile-secondary-dex-files
com.google.android.googlequicksearchbox
adb shell cmd package compile -m speed --secondary-dex
com.google.android.gms

Change-Id: I694d1a780e58fa953d9ebda807f5f5293dbb0d56

Bug: 65643247
Test: adb sideload an ota package
Test: mount /system
Test: view recovery logs
Test: run graphics test
Test: run locale test
Test: wipe data/factory reset
Test: factory reset from Settings app
Tested on sailfish; no selinux denials to sysfs type are observed.

Change-Id: Ic8487d53d90b7d1d050574e0b084627d1b6abdba

Addresses these denials when wiping data on sailfish:

avc:  denied  { open } for  pid=488 comm="mke2fs_static"
path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0
tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1

avc:  denied  { search } for  pid=488 comm="mke2fs_static"
name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1

avc:  denied  { read } for  pid=488 comm="mke2fs_static"
name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1

Test: Wipe data/factory reset -> no selinux denials
Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc