In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
(cherry picked from commit 7d4294cb)

Bug: 74182216
Change-Id: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
Test: build policy

This reverts commit 4e79b64e.

Reason for revert: broke something internal

Change-Id: Iec5f2c17fc768424c0b82936a069e42de0b66555

Access to these files was removed in Oreo. Enforce that access is not
granted by partners via neverallow rule.

Also disallow most untrusted app access to net.dns.* properties.

Bug: 77225170
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1

These denials occur fairly often, causing some logspam.

Bug: 77225170
Test: Boot device.
Merged-In: Icd73a992aee44007d0873743f706758f9a19a112
Change-Id: Icd73a992aee44007d0873743f706758f9a19a112
(cherry picked from commit a66d1a45)

Bug: 74182216
Test: build policy
Change-Id: Ice800c571e9be469dffa212c478c10e63b80deca

We only need this change for aosp devices. Internal sepolicy for healthd
domain is different and does not need this.

Addresses this denial:
avc: denied { open } for path="/sys/class/power_supply" dev="sysfs"
ino=25340 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=1

Test: $OUT/vendor/etc/selinux/precompiled_sepolicy contains the new
permission.
Change-Id: Ie47c231af800026fd9d8a1f752253bb338768c13

The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.

Test: Device boots and no more denials when call back is delivered to
      apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a

Give statsd rights to connect to perfprofd in userdebug.

Test: mmma system/extras/perfprofd
Change-Id: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd

A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4

Use the user policy when running the compatibility tests.

Bug: 74344625
Test: Built policy for many devices.  Booted one device.
Test: Delete some compat rules, verify error on userdebug.
Change-Id: Ib2df2dfc06cdf55a839011e9a528e76160a9e436

Suppress WAI denials from crashdump.

Test: build/flash Taimen. Verify no new denials.
Bug: 68319037
Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16
(cherry picked from commit cc0304cf)

Verify that the SELabels used in property_contexts correspond to a
real type in the SEPolicy and that this type has the property_type attribute.

Additionally add a check that vendor property_context files do not
duplicate entries in plat property_contexts, and a similar check that
odm property_contexts doesn't duplicate either plat or vendor
property_contexts.

Bug: 74078792
Test: Build property_contexts on bullhead successfully
Test: See failure when using a faulty SELabel in property_contexts
Test: See failure when duplicating label in vendor and plat property_contexts
Change-Id: I4d2338dab68f1c5a8ed110aa7821f0677f61bafb

This reverts commit 6f2040f8.

Reason for revert: not needed anymore after ag/3773705
This was meant to allow system_server toggling the property on/off.
Later we realized that we needed a separate property for that 
(see discussion in b/76077784) and system server happens to
have already permissions to write to sys.* properties even without
this CL.
Reverting because at this point this creates just unnecessary clutter.

Change-Id: Ia73d000aad3c4288a5652047dfe10896e231b0b1
Test: perfetto_integrationtests
Bug: 76077784

This allows an optimization that consists in the "perfetto" cmdline
client passing directly the file descriptor for the output trace
to traced (as opposite to having traced streaming back the trace
data to "perfetto" and having that one doing the write() into file).
This reduces sensibly the memory traffic and CPU overhead of traces
with a minor change.

Bug: 73625179
Test: builds + perfetto_integrationtests w/ long_trace.cfg
Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2

The permission to allow system_server to access sys/fs/bpf/ directory
is missing. Add it back so it can get the bpf maps from the bpf_fs.

Test: device boot and no more denial information of system_server try to
searcg in fs_bpf
      atest android.net.cts.TrafficStatsTest
Bug: 75285088

Change-Id: I1040cde6c038eccc4e91c69a10b20aa7a18b19f6

Types in sysfs should have the sysfs_type attribute, types in
debugfs and tracefs should have the debugfs_type attribute.

TODO: Test that files in procfs have the proc_type attribute.
TODO: Assert these tests in CTS.

Bug: 74182216
Test: build - these are build-time tests.
Change-Id: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf

Two areas need better coverage:
1. Tests are not verifying that files in /data/vendor do not have the
core_data_file_type attribute.
2. No error is thrown if a type lives in both /data/vendor
/data/<not vendor>.

Bug: 72998741
Test: build all selinux policies on master (assert build time tests)
Test: build and boot Marlin and Taimen, verify no selinux denials and
    everything works as expected.

Change-Id: I133a068123139a599b9b81ddcc254616894621eb
(cherry picked from commit 55d5e284)

ro.config.low_ram should be set on Android Go devices by SoC vendors,
and the value can be read by vendor components.

Bug: 76132948
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1

Based on the following audit message:

type=1400 audit(1521738979.005:385): avc: denied { write } for pid=1269
comm="Binder:1269_B" name="timerslack_ns" dev="proc" ino=254190
scontext=u:r:system_server:s0 tcontext=u:r:hal_audio_default:s0
tclass=file permissive=1

Bug: 74110604
Test: adb shell dmesg | grep hal_audio_default
Change-Id: I4c2e787588eb9d223d5e50e1bc8f67876de97c2e

Follow up to aosp/635599. It broke user builds again
despite being tree hugged because of b/74344625.
Adding missing ignore entries.

Bug: b/73340039
Change-Id: Iba195d571aec9579195d79d4970f760e417608c6

This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

This CL does NOT affect systrace. In that case (i.e. when
atrace is executed from adb/shell) atrace still runs in
the shell domain and none of those changes apply.

Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039