am: 0ba84942  -s ours

Change-Id: Ie42095397a6173d0d0ce91c007bfe3298f64bbfe

am: 664743bd

Change-Id: I0f802840891ff66eb74aeaed602f791412d07ffb

am: 3ca77476

Change-Id: Ie9ebd530b380bd61fd62bb3cab171f0f7e27156e

am: 790f4c7e

Change-Id: I0dcc870c1280baf37e03b66b244e2ff046fad35d

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.
Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e
Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e

am: 7add3d05  -s ours

Change-Id: I1fe69ed4c6d15720a2f64bc81a4d40b3d9582853

am: f9da0cba

Change-Id: I18e469059df1e8704f6358a12b012932a39303cd

am: 5fbb120b

Change-Id: Idf655a43a2258b56f8c8b1282dd6c430d7771cf6

am: 3e5bb807

Change-Id: I01f99884b0f8b06fa4938a606345c33918d8b295

This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

Bug: 62102757
Test: Builds and boots.

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
(cherry picked from commit 7fc2b564ce2af2b5f27739a2d9bbb535814fc89e)

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.

Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e
(cherry picked from commit 5fd60597d7d04c1861e7d8f3938384efb0384386)

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
(cherry picked from commit 3e5bb807)

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Merged-In: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8

am: fcfeb3e0

Change-Id: Ib50c35e368764f7acb87e23c1a0091ad7eeb1fd4

am: e0e2b35b

Change-Id: I607a7bddad8d3d02b9df3d5a4fb826a716a1a967

am: d5d98a4d

Change-Id: I1dbcbcbb940fdcf94e2634f43d933c91bb13ce41

am: 55efefc3

Change-Id: Ib67a9685e41019a290c903dc5b733d405ddddf61

am: 77285737

Change-Id: I19c2b7107293fbe903cd6601f36b85aa3d099f80

am: 4e6f67fb

Change-Id: Ia3fe7f33ca0dc2f18040d3128ce84f0878fc8d63

am: 90ae4f6b

Change-Id: Ia793ed369cc05c123fb013fd10e8b19f006d92ff

am: f4ce8f6c

Change-Id: Ie0bc01a5b8acc6b79a3a31d5807f46f1e1df8c6c

Clean up "granted" logspam. Grant the observered audited permissions
including:

tcontext=cache_file
avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9"
ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { search } for comm="Binder:8559_2" name="cache"
dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0"
ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

tcontext=proc
avc: granted { getattr } for comm="Binder:14529_2"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file
avc: granted { read } for comm="Binder:22671_2" name="cmdline"
dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="dumpstate"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file

tcontext=sysfs
avc: granted { read open } for comm="Binder:14459_2"
path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } for comm="Binder:21377_2"
path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1"
dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0
tcontext=u:object_r:sysfs:s0 tclass=dir
avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file

tcontext=proc_meminfo
avc: granted { read } for comm="top" name="meminfo" dev="proc"
ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for comm="top" path="/proc/meminfo"
dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file

tcontext=rootfs
avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2
scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs"
ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0
tclass=lnk_file

tcontext=selinuxfs
avc: granted { getattr } for comm="df" path="/sys/fs/selinux"
dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0
tcontext=u:object_r:selinuxfs:s0 tclass=dir

tcontext=system_file
avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw"
dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_file:s0 tclass=dir

tcontext=system_data_file
avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables"
dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_data_file:s0 tclass=file
avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 28760354
Test: Build policy
Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263

Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b
(cherry picked from commit f44002b3)

Commit: e58a8de5 added a new type
which has no analogue in 26.0.  Record it as such.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6b6d2aa64e0ac2c39c8d0427d333e6c7fc2b0bb1

Commit: 86cb5215 gave /dev/memcg a
new label, but also explicitly prohibited access to vendor domains.
Add the type to the 'new types' and don't map it to any other type
for backwards compatibility.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I8902716830b162ead69834544ace9e02a94c65b4

Commit: 38f0928f added a type for a
new system service.  This service did not exist previously, so mark
the type as not needing any compat entry.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I52d8e144c614b27f5c52fa99be6cfac87159bbcd

Commit: 78e595de added a new hwservice,
which replaced a previous system service.  This effectively means we are
deleting one object and creating a new one, so no compatibility mapping
should be necessary since previous vendor processes trying to access the
service will not be able to find it now independent of policy.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I6882d968dccb55561379e940f6ecb62902bb1659

Bug: 37896931
Test: none, just update prebuilt.
Change-Id: Id940d1c2bc46deab1eb49bacebbb41069e2034e4

When moving SELinux rules from file_contexts to genfs_contexts, we
added some genfs rules to label specific files.  It turns out that one
of those files was the prefix of some other files, and since genfs
does prefix-labeling, those other files had their labels changed.

To fix this, we are changing the whole tracefs /instances/wifi from
debugfs_tracing_instances to debugfs_wifi_tracing (a few of the files
already had this label).  This simplifies the rules.

Bug: 62413700
Test: Built, flashed, and booted two devices.  Verified that the files
have the correct context and that wifi, camera, and traceur work.

Change-Id: Id62db079f439ae8c531b44d1184eea26d5b760c3

Merge "domain_deprecated: remove tmpfs dir access am: ca5bb337 am: 453f4a51 am: 407e9457 am: 8b0f89e4"

am: 8b0f89e4

Change-Id: I6a75dc96a8e5994f22a8776a413d8a6a01da4fdd

Merge "domain_deprecated: remove tmpfs dir access am: ca5bb337 am: 453f4a51 am: 407e9457 am: 8b0f89e4"