Bug 25454162

Change-Id: I3cd299ce28bf6235605265c47762969851845b78

Bug: 27221797
Change-Id: Ie490eac5e7581ce21ca5377c3b46b48c647a335b

Give dex2oat/patchoat link rights in /data/ota to produce a patched
image.

Give zygote rights to relabel links. Also give the zygote rights to
unlink, which is required when relabeling fails (to clean up the
dalvik-cache).

Bug: 25612095
Change-Id: I28bfb9cbeabe93b1f68ada9bcaf29f4f60028c2f

This is needed to kill sockets using the new SOCK_DESTROY
operation instead of using SIOCKILLADDR.

Bug: 26976388

(cherry picked from commit b38e2790)

Change-Id: Id80c6278f19f9fd20fe8d4fca72f84bff9249ed8

Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2

scheduling_policy_service is needed for high speed video recording.

Bug: 26982110
Change-Id: I377516c9d86d68e7024a67d04742baa841ff8907

Add rule to address dir search violation for video_device

bug:27115708
Change-Id: I14bad283af1ddda725e41d0100a09e6066519846

Access to proc is being removed but there are still some consumers.  Add
an auditallow to identify them and adjust labels appropriately before
removal.

Change-Id: I853b79bf0f22a71ea5c6c48641422c2daf247df5

Bug: 27065131
Change-Id: I15c058eb46981ea3e03eccb4da132055ecae7efb

Large numbers of denials have been collected.  Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.

(cherry-pick from commit: 0b80f4dc)

Change-Id: I11b9b159702fb2d50d4352f9cd8b68503d07222a

Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.

(cherry picked from commit 29adea51)

Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Data type tracking is no longer needed now that per
key validation routines are supported.

(cherry picked from commit c92dae98)

Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.

This makes it harder than it should be to add new key value
pairs and types into checkseapp.

To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.

(cherry picked from commit 696a66ba)

Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change the final error message to be consistent with the others.

From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server

To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"

(cherry picked from commit efebf97e)

Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit 25528cf4)

Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Address the following denial from 3rd party voice interaction test:
SELinux : avc:  denied  { find } for service=voiceinteraction pid=30281 uid=10139 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0

Bug: 27105570
Change-Id: Ib87d364673cbc883df017bcda7fe1e854a76654f

Remove all permissions not observed during testing.

Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215

update_engine needs to access bootctrl_block_device to get and set the slot to boot.
avc: denied { write } for name="mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file

Also track the name change of the native binder service.
avc:  denied  { add } for service=android.os.UpdateEngineService pid=210 uid=0 scontext=u:r:update_engine:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

Bug: 27106053
Change-Id: Idbfef18578489db33fead0721e8f26d63db5ce09
(cherry picked from commit 3ec34ceb)

The zygote is reponsible for moving ART A/B OTA artifacts over to
the regular dalvik-cache.

Bug: 25612095
Change-Id: I838d9ec6ee5a0f0af5f379a4696abda69cea51ca

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b

untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.

Keep untrusted_app file creation to sandbox, sdcard and media
locations.

Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit bd0768cc)

Change-Id: Ideb275f696606882d8a5d8fdedb48545a34de887

am: 52719ea5

* commit '52719ea5':
  Add SELinux label for app fuse.

am: e3965aa2

* commit 'e3965aa2':
  Add SELinux label for app fuse.

Change-Id: I5863c56a53419d2327ab62a7189034711cda7fcc

am: eb3480b7

* commit 'eb3480b7':
  Allow domain to read proc dirs.

am: 8f611b6e

* commit '8f611b6e':
  Replace "neverallow domain" by "neverallow *"

am: abf31acb

* commit 'abf31acb':
  Allow domain to read proc dirs.

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc.  Many processes try
to read proc dirs, though.  Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.

Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3