- Dec 14, 2016
-
-
Steven Moreland authored
Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
-
- Dec 13, 2016
-
-
Connor O'Brien authored
Test: logging confirms service runs on boot Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce Signed-off-by: Connor O'Brien <connoro@google.com>
-
dcashman authored
Simulate platform and non-platform split by sending the split files to the device to be compiled by init. Bug: 31363362 Test: Policy builds on-device and boots. sediff shows no difference. Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579
-
- Dec 09, 2016
-
-
Jeff Sharkey authored
After a series of recent commits, installd has fully migrated over to Binder, and all socket-based communication has been removed. Test: builds, boots, apps install fine, pre-OTA dexopt works Bug: 13758960, 30944031 Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5
-
- Dec 05, 2016
-
-
Max authored
Only init and ueventd have any access to /dev/port, and neither should have any use for it. As it stands, leaving port in just represents additional attack surface with no useful functionality, so it should be removed if possible, not only from Pixel devices, but from all Android devices. Test: The phone boots successfully Bug: 33301618 Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
-
- Dec 03, 2016
-
-
Ray Essick authored
Media framework analytics are gathered in a separate service. Define a context for this new service, allow various media-related services and libraries to access this new service. Bug: 30267133 Test: ran media CTS, watched for selinux denials. Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
-
- Nov 22, 2016
-
-
Nick Kralevich authored
/data/bugreports is moving to /bugreports Bug: 27262109 Bug: 27204904 Bug: 32799236 Test: new symlink is in /bugreports and is labeled correctly Change-Id: Ib6a492fba8388bf43debad28cfc851679f8c6151
-
- Nov 21, 2016
-
-
Nick Kralevich authored
urandom_device and random_device have the exact same security properties. Collapse them into one type. Test: device boots and /dev/urandom is labeled correctly. Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41
-
- Nov 18, 2016
-
-
dcashman authored
HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
-
- Nov 14, 2016
-
-
Chia-I Wu authored
Allow SurfaceFlinger to call into IComposer, and vice versa for IComposerCallback. Specifically,
hwbinder_use(...) for
  avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
  avc: denied { transfer } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
binder_call(..., surfaceflinger) for
  avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=binder permissive=1
allow ... gpu_device:chr_file rw_file_perms for
  avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
allow ... ion_device:chr_file r_file_perms for
  avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
allow ... graphics_device ... for
  avc: denied { ioctl } for path="/dev/graphics/fb0" dev="tmpfs" ino=15121 ioctlcmd=5380 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1
allow ... ...:fd use for
  avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hal_graphics_allocator_service:s0 tclass=fd permissive=1
  avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:bootanim:s0 tclass=fd permissive=1
  avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=fd permissive=1
  avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=fd permissive=1
binder_call(surfaceflinger, ...) for
  avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
  avc: denied { transfer } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
  avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 ioctlcmd=3e02 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
  avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
allow bootanim ...:fd use for
  avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=11947 scontext=u:r:bootanim:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
Bug: 32021609 Test: make bootimage Change-Id: I036cdbebf0c619fef7559f294f1865f381b17588
-
Chia-I Wu authored
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access IAllocator's fd. Specifically,
hwbinder_use(...) for
  avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
  avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
allow ... ion_device:chr_file r_file_perms for
  avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
allow ... gpu_device:chr_file rw_file_perms; for
  avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
binder_call(surfaceflinger, ...) for
  avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1
allow ... ...:fd use for
  avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1
Bug: 32021161 Test: make bootimage Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
-
- Nov 12, 2016
-
-
Chad Brubaker authored
Fixes: 32061937 Test: install/uninstall and verified no denials Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
-
- Nov 11, 2016
-
-
Robert Sesek authored
The webview_zygote is a new unprivileged zygote and has its own sockets for listening to fork requests. However, the webview_zygote does not run as root (though it does require certain capabilities) and only allows dyntransition to the isolated_app domain. Test: m Test: angler boots Bug: 21643067 Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
-
- Nov 08, 2016
-
-
Polina Bondarenko authored
Bug: 32022261 Test: manual Change-Id: I664a3b5c37f6a3a36e4e5beb91b384a9599c83f8
-
- Nov 03, 2016
-
-
Ruchi Kandoi authored
Bug: 31180823 Test: reduced sepolicy errors Change-Id: Ibfba2efa903adec340e37abec2afb3b94a262678 Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
-
Ruchi Kandoi authored
Bug: 31177288 Test: reduced sepolicy errors Change-Id: I29556276ee14c341ac8f472875e6b69f903851ff Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
-
- Nov 01, 2016
-
-
Steven Moreland authored
Bug: 32022100 Test: end to end Change-Id: I5dd9b64c98a5c549fdaf9e47d5a92fa6963370c7
-
- Oct 28, 2016
-
-
Roshan Pius authored
Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy' to conform with HIDL style guide.
Denials:
01-01 21:55:23.896 2865 2865 I android.hardware.wifi@1.0-service: wifi_hal_legacy is starting up...
01-01 21:55:23.898 2865 2865 W android.hardware.wifi@1.0-service: /odm/lib64/hw/ does not exit.
01-01 21:55:23.899 2865 2865 F android.hardware.wifi@1.0-service: service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL
01-01 21:55:23.899 2865 2865 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2865 (android.hardwar)
01-01 21:55:23.901 377 377 W : debuggerd: handling request: pid=2865 uid=2000 gid=2000 tid=2865
01-01 21:55:23.907 2867 2867 E : debuggerd: Unable to connect to activity manager (connect failed: Connection refused)
01-01 21:55:23.908 2867 2867 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-01 21:55:23.908 2867 2867 F DEBUG : Build fingerprint: 'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys'
01-01 21:55:23.908 2867 2867 F DEBUG : Revision: '0'
01-01 21:55:23.908 2867 2867 F DEBUG : ABI: 'arm64'
01-01 21:55:23.908 2867 2867 F DEBUG : pid: 2865, tid: 2865, name: android.hardwar >>> /system/bin/hw/android.hardware.wifi@1.0-service <<<
01-01 21:55:23.909 2867 2867 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
01-01 21:55:23.910 2867 2867 F DEBUG : Abort message: 'service.cpp:59] Check failed: service->registerAsService("wifi") == android::NO_ERROR (service->registerAsService("wifi")=-2147483646, android::NO_ERROR=0) Failed to register wifi HAL'
Bug: 31821133 Test: Compiled and ensured that the selinux denials are no longer present in logs. Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
-
- Oct 26, 2016
-
-
Jeff Vander Stoep authored
Bug: 32123421 Test: build Hikey Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d
-
- Oct 25, 2016
-
-
Connor O'Brien authored
Bug: 31864052 Test: Logging confirms service runs on boot Merged-In: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4 Change-Id: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4 Signed-off-by: Connor O'Brien <connoro@google.com>
-
- Oct 21, 2016
-
-
Mikhail Naganov authored
Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1
-
Craig Donner authored
Test: built and ran on device. Bug: 31442830 Change-Id: Idd7870b4dd70eed8cd4dc55e292be39ff703edd2
-
- Oct 19, 2016
-
-
Prashant Malani authored
Renaming vibrator sepolicy to remove the version number. Also moving the related binder_call() to maintain alphabetical order. Bug: 32123421 Change-Id: I2bfa835085519ed10f61ddf74e7e668dd12bda04 Test: booted, and checked vibrate on keypress on bullhead
-
- Oct 13, 2016
-
-
Prashant Malani authored
Fixes the following denials:
avc: denied { open } for pid=7530 comm="android.hardwar" path="/sys/devices/virtual/timed_output/vibrator/enable" dev="sysfs" ino=20519 scontext=u:r:android_hardware_vibrator_1_0_service:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { call } for pid=9173 comm="Binder:7735_C" scontext=u:r:system_server:s0 tcontext=u:r:android_hardware_vibrator_1_0_service:s0 tclass=binder permissive=1
Test: m Bug: 32021191 Change-Id: I243a86b449794e3c2f0abf91ddcf405eff548d0c
-
- Oct 11, 2016
-
-
liminghao authored
N/A Test: builds Change-Id: I10a53c07f5b56c362cc599a901a2d74d7e96e917 Signed-off-by: liminghao <liminghao@xiaomi.com>
-
- Oct 06, 2016
-
-
dcashman authored
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
-
- Oct 05, 2016
-
-
Jeff Vander Stoep authored
No core android component needs access to /dev/snd/{seq,timer}, but currently audioserver, bootanim, init, system_server and ueventd have access. Seq and timer have been the source of many bugs in the past [1]. Giving these files new labels without explicitly granting access removes access from audioserver, bootanim, and system_server. Init and ueventd still require access for /dev setup. TODO: Explore unsetting CONFIG_SND_TIMER device kernels. [1] https://github.com/google/syzkaller/wiki/Found-Bugs Test: media CTS "cts-tradefed run cts -m CtsMediaTestCases" on Bullhead and Dragon completed with no denials. Bug: 29045223 (cherry picked from commit db4510d8) Change-Id: I2d069920e792ce8eef70c7b4a038b9e7000f39f5
-
- Sep 28, 2016
-
-
Iliyan Malchev authored
android.hardware.nfc@1.0-service is the generic binderized HIDL package implementation of android.hardware.nfc@1.0
Denials:
avc: denied { read write } for pid=432 comm="android.hardwar" name="pn548" dev="tmpfs" ino=10228 scontext=u:r:android_hardware_nfc_1_0_service:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file
avc: denied { search } for pid=443 comm="Binder:430_1" name="nfc" dev="dm-0" ino=670433 scontext=u:r:android_hardware_nfc_1_0_service:s0 tcontext=u:object_r:nfc_data_file:s0 tclass=dir
Test: pass Change-Id: Id022b8d1706253ef65a37406c74ff883e12415b2 Signed-off-by: Iliyan Malchev <malchev@google.com>
-
- Sep 27, 2016
-
-
Jeff Vander Stoep authored
Grant access to all processes and audit access. The end goal is to whitelist all access to the interpreter. Several processes including dex2oat, apps, and zygote were observed using libart, so omit them from auditing and explicitly grant them access. Test: Angler builds and boots Bug: 29795519 Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88
-
- Sep 19, 2016
-
-
Mitchell Wills authored
avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=binder permissive=1
avc: denied { bind } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { call } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { getattr } for path="/proc/4355/net/psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { ioctl } for path="socket:[28193]" dev="sockfs" ino=28193 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { ioctl } for path="socket:[34821]" dev="sockfs" ino=34821 ioctlcmd=8933 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=1
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { net_raw } for capability=13 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=1
avc: denied { open } for path="/proc/2754/net/psched" dev="proc" ino=4026535377 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/class/net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="net" dev="sysfs" ino=10488 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { read } for name="psched" dev="proc" ino=4026535370 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { setopt } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { transfer } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { write } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=1
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=netlink_socket permissive=0
avc: denied { net_admin } for capability=12 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=capability permissive=0
avc: denied { read } for name="net" dev="sysfs" ino=9862 scontext=u:r:wifi_hal_legacy:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
avc: denied { create } for scontext=u:r:wifi_hal_legacy:s0 tcontext=u:r:wifi_hal_legacy:s0 tclass=udp_socket permissive=0
Bug: 31352200 Test: can boot angler & bullhead and start/stop HAL repeatedly Change-Id: Ide93730d362fb93602742fc10b22fff6e7d56f6b
-
- Sep 16, 2016
-
-
Ajay Panicker authored
Bug: 31466840 Change-Id: I3984754034349e6c41de6ae9cccbaab95ca5a918
-
- Sep 14, 2016
-
-
Martijn Coenen authored
Change-Id: I07d188e4dd8801a539db1e9f3edf82a1d662648e (cherry picked from commit 61a082a55dbc2798d50d0d4b766151d69334729a)
-
- Sep 13, 2016
-
-
Andreas Gampe authored
(cherry picked from commit eb717421) The new A/B OTA artifact naming scheme includes the target slot so that the system is robust with respect to unexpected reboots. This complicates the renaming code after reboot, so it is moved from the zygote into a simple script (otapreopt_slot) that is hooked into the startup sequence in init. Give the script the subset of the rights that the zygote had so that it can move the artifacts from /data/ota into /data/dalvik-cache. Relabeling will be done in the init rc component, so relabeling rights can be completely removed. Bug: 25612095 Bug: 28069686 Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b
-
Tao Bao authored
(cherry picked from commit 6c3f2831) Allow priv_app, uncrypt, update_engine to access the OTA packages at /data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks the existence of the folder, and downloads the package there if present. Bug: 28944800 Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
-
- Sep 12, 2016
-
-
Alex Light authored
(cherry picked from commit d3edd6b5) Bug: 29278988 Change-Id: I199572377a6b5c33116c718a545159ddcf50df30
-
- Aug 28, 2016
-
-
Jeff Vander Stoep authored
(cherry picked from commit e8a53dff) With the breakup of mediaserver, distinguishing between camera_device and video_device is meaningful. Only grant cameraserver access to camera_device. Bug: 28359909 Change-Id: I0ae12f87bac8a5c912f0a693d1d56a8d5af7f3f3
-
- Aug 26, 2016
-
-
Christopher Wiley authored
While here, remove a lot of extra permissions that we apparently had because hostapd was inheriting fds from netd. Bug: 30041118 Test: netd can request init to start/stop hostapd without denials. Change-Id: Ia777497443a4226a201030eccb9dfc5a40f015dd (cherry picked from commit 8a6c5f85)
-
Christopher Wiley authored
avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 Test: wificond and netd can write to this path, wifi works Test: `runtest frameworks-wifi` passes Bug: 29579539 Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994 (cherry picked from commit 7d13dd80)
-
Ningyuan Wang authored
This sepolicy change allows wificond to run as a daemon. BUG=28865186 TEST=compile TEST=compile with ag/1059605 Add wificond to '/target/product/base.mk' Adb shell ps -A | grep 'wificond' Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d (cherry picked from commit 4ef44a61)
-
Andreas Gampe authored
Give debug versions the same rights as non-debug versions for ART. Change-Id: I9906d100c3857c3a87344ff37aabc53107562c61
-