- Mar 05, 2015
-
-
Nick Kralevich authored
* commit '303e139a': recovery: remove auditallow for exec_type:dir writes
-
Nick Kralevich authored
* commit 'b76966d6': recovery: remove auditallow for exec_type:dir writes
-
Nick Kralevich authored
With the move to block based OTAs, we're never going to fix this bug. Remove the auditallow statement to avoid SELinux log spam.

Bug: 15575013
Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
-
Nick Kralevich authored
* commit 'efb4bdb9': Eliminate CAP_SYS_MODULE from system_server
-
Nick Kralevich authored
* commit '92b10ddb': Eliminate CAP_SYS_MODULE from system_server
-
Nick Kralevich authored
Right now, the system_server has the CAP_SYS_MODULE capability. This allows the system server to install kernel modules. Effectively, system_server is one kernel module load away from full root access. Most devices don't need this capability.

Remove this capability from the core SELinux policy. For devices which require this capability, they can add it to their device-specific SELinux policy without making any framework code changes. In particular, most Nexus devices ship with monolithic kernels, so this capability isn't needed on those devices.

Bug: 7118228
Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
-
Sami Tolvanen authored
* commit '9905c883': Allow init to set up dm-verity
-
Sami Tolvanen authored
* commit '723e31ef': Allow init to set up dm-verity
-
Sami Tolvanen authored
-
Sami Tolvanen authored
Allow init to
1. Access device mapper to set up dm-verity devices
   avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0
2. Access the metadata partition to load and store dm-verity state
   avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0
3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered by dm-verity
   avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0

These can be reproduced using the following steps:
1. Add fs_mgr flag verify to the system partition in fstab
2. Add a device specific init.rc handler for the init action that calls the built-in command verity_load_state.

Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
-
dcashman authored
This reverts commit 27042f6d.

Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile.

Bug: 19444116
Bug: 19525465
Bug: 19540297
Bug: 19592525
Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b
-
- Mar 03, 2015
-
-
dcashman authored
Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries:

avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
-
Nick Kralevich authored
* commit '77a16b43': neverallow ueventd to set properties
-
Nick Kralevich authored
* commit '3e113edf': neverallow ueventd to set properties
-
Nick Kralevich authored
Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket.

See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details.

Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32
- Mar 02, 2015
-
-
dcashman authored
-
dcashman authored
Encountered when certinstaller tries to talk to keystore:

ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:

avc: denied { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
-
dcashman authored
-
Nick Kralevich authored
* commit '29b74271': Delete unconfined domain
-
Nick Kralevich authored
* commit '547aa018': init: drop read_policy permission
-
Nick Kralevich authored
* commit 'e4da594d': Delete unconfined domain
-
Nick Kralevich authored
* commit '07e73489': init: drop read_policy permission
-
Nick Kralevich authored
- Feb 28, 2015
-
-
Nick Kralevich authored
No longer used. :-)

Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
-
Nick Kralevich authored
As of https://android-review.googlesource.com/127858 , open(O_RDONLY) is no longer used for chmod. It's no longer necessary to allow init to read the SELinux policy.

Change-Id: I691dd220827a01a8d7a9955b62f8aca50eb25447
-
Stephen Smalley authored
* commit '0f671bb0': init: remove permissive_or_unconfined()
-
Stephen Smalley authored
* commit 'ed532c06': init: remove permissive_or_unconfined()
-
Stephen Smalley authored
Bug: 19050686
Change-Id: Ie41c3e4d5aaeb43577ba85a4768a5fdbdd665efb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
* commit 'de41e919': Create boot_block_device and allow install_recovery read access
-
Nick Kralevich authored
* commit 'a8e073cd': Create boot_block_device and allow install_recovery read access
-
Nick Kralevich authored
The install_recovery script creates a new recovery image based off of the boot image plus a patch on /system. We need to allow read access to the boot image to allow the patching to succeed, otherwise OTAs are broken.

Addresses the following denial:

type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

TODO: Add device specific labels for the boot image.

Bug: 19534538
Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa
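Several of the commits above (the dm-verity init denials, the system_server and keystore service_manager entries, and the install_recovery block_device denial) quote raw avc records and then add the matching allow rule by hand. The following is an added example, not code from the Android sepolicy project, showing how those records are parsed into (source type, target type, class) triples and collapsed into the minimal allow rules; the sample lines are copied from the messages on this page, and the script itself is an assumption of how a reviewer might triage such logs.

```python
import re
from collections import defaultdict

# Constructed sample: avc records copied from the commit messages on this page.
SAMPLE_AVC = """
avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0
avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
avc: denied { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
"""

# Verdict, permission set, and the three fields a policy rule is built from.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one avc record, or None if the line is not an avc record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    # A context is user:role:type[:mls]; only the type matters for an allow rule,
    # so the MLS categories on e.g. platform_app (s0:c512,c768) are dropped.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def allow_rules(text):
    """Group denials by (source type, target type, class), merge their permissions,
    and emit one allow rule per group. Granted (auditallow) records are skipped."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d and d["verdict"] == "denied":
            grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVC)))
```

The emitted rules are a starting point for review, not policy to be pasted in: as the ueventd and CAP_SYS_MODULE commits above show, the right answer is often to fix the caller or a neverallow rather than to grant the access.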
-
Nick Kralevich authored
* commit 'ad9cb7e5': allow init tmpfs:dir relabelfrom
-