Add policy for the perfprofd binder service.

For now, only allow su to talk to it.

Test: m
Change-Id: I690f75460bf513cb326314cce633fa25453515d6

These are device specific.

Bug: 70846424
Test: bugreport
Change-Id: Ic22c972f1b09988a8eccf0823dd0d87fc0c0a1f7

This will allow system_server to perfom path resolution on paths like:
/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm8998@0:qcom,pm8998_rtc/rtc

Fixes this denial:
avc: denied { search } for pid=947 comm=system_server
name=800f000.qcom,spmi dev=sysfs ino=19891
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir permissive=0 b/68003344

Bug: 68003344
Test: walleye boots without the denial above.
Change-Id: Ib282395124c7f2f554681fcc713b9afe189f441c

Removing legacy rules. system_server now depends on Lights HAL (which
has its own domain) instead of /sys/class/leds.

Bug: 70846424
Test: sailfish boots; screen, flashlight work fine.

Change-Id: I6f116a599cab26ae71e45f462b33328bc8d43db5

Test: Built the policy for many devices.
Change-Id: Ic61023dc2d597865504d1a4bc955bd1bc973f83c

Vendor-specific app domains depend on the rules in app.te so they
must reside in public policy.

Bug: 70517907
Test: build
Change-Id: If45557a5732a06f78c752779a8182e053beb25a2
Merged-In: If45557a5732a06f78c752779a8182e053beb25a2
(cherry picked from commit 1f4cab8b)

CrossProfileAppsService allows apps to do limited cross profile
operations, like checking the caller package is installed in
the specified user. It is similar to LauncherAppsService in some sense.

Merged-In: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Change-Id: I26e383a57c32c4dc9b779752b20000b283a5bfdc
Fix: 67765768
Test: Built with ag/3063260. Can boot and verified those APIs are working.
(cherry picked from commit 6536c9e0)

Removes open, read, setattr permissions to sysfs_type.
Adds explicit permissions to:
sysfs_dt_firmware_android
sysfs_vibrator
sysfs_wake_lock

Bug: 65643247
Test: walleye boots without denials to sysfs_type.
Change-Id: I2e344831655c2c8e8e48b07ecce6a2704f2a206a

Bug: 63757906
Test: manual testing conducted
Change-Id: Id03413ce82b5646d4bceddc59e16c7d5ee5bc193

we are aiming to improve logging performance by having wifi hal
directly write to the flash.

Wifi hal need to be able to create, write, and delete files in
a directory. This will be restricted to userdebug and eng builds only.

Bug: 70170285
Test: compile, run on device
Change-Id: Id0cd317411f4c393d7529aa31b501046d7350edb

This reverts commit 5744cbdf.

Reason for revert: aosp_dragon-userdebug build broken

Change-Id: I5f8180273c32119ae9839f31610bbca37cd05c65

Test: manual testing conducted see if it interfere's with AOSP

Change-Id: If47a663557b2ebf825fc082edb838ae085ec66b3

Since /odm is an extension of /vendor, libs in /odm should be treated
just like the ones in /vendor.

Bug: 67890517
Test: none as we don't yet have /odm partition.
Change-Id: I5232baef769c7fa8c7641b462cfa1d7537d3cfdf

Bug: 70275668
Test: walleye builds, boots.
This change only expands the existing permissions, so shouldn't regress
runtime behavior.
Change-Id: I36e63f11d78998a88e3f8d1e6913e20762a359af

Allow init to create a serialized property_info file and allow all
processes to read it.

Bug: 36001741
Test: boot bullhead, walleye using property_info

Change-Id: Ie51d4c0f0221b128dd087029c811fda15b4d7093

Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06

This will allow bionic cts test to list network interfaces in
/sys/class/net.

Bug: 70537905
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
--gtest_filter=ifaddrs.getifaddrs_interfaces
Change-Id: Ie07425fc54f9101e911962142824697e64d2bc45

/odm partition is the extension of /vendor partition, so we should not
use system_file for it. Currently there is no ABI between vendor and
odm. We can use 'odm_file' when needed in the future.

Bug: 64240127
Test: boot a device
Change-Id: I4e8300d597aeeba60a255c8d114a54b24bc39470

Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed
many permissions from recovery, a few of which are still required.
Restore these.

[ 2918.409108] type=1400 audit(2327427.540:159): avc:  denied
{ search } for  pid=339 comm="recovery" name="/" dev="mmcblk0p38"
ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
[ 2586.563071] E:Failed to mount / create /cache/recovery: Permission
denied
[ 2586.780320] E:Can't open /cache/recovery/log: Permission denied
[ 2586.850399] E:Can't open /cache/recovery/last_log: Permission
denied
[ 2586.918979] E:Can't open /cache/recovery/last_install: Permission
denied

[   54.035867] type=1400 audit(59206654.526:12): avc:  denied  { chown }
for  pid=330 comm="recovery" capability=0  scontext=u:r:recovery:s0
tcontext=u:r:recovery:s0 tclass=capability permissive=0a

Bug: 70350029
Test: xunchang to test
Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197

We rely on vendors to label all dependencies of healthd/charger under
/sys/class/power_supply with sysfs_batteryinfo type.

Bug: 65643247
Bug: 32659667
Test: boots without denials from healthd, to sysfs_batteryinfo or to
sysfs_msm_subsys.
Test: charging with device turned off works without /sys denials.

Change-Id: I893f309ecad8a0caf7d0b81f5f945725907255c2

We already expect contents of /sys/class/net to be labeled as sysfs_net.
Also label the directory for consistensy since we usually label
/sys/class/foo directories as sysfs_foo.

Bug: 65643247
Test: netd_integration_test
Test: can browse internet without denials to sysfs_net
Change-Id: I9d28ab4baf71df99ae966276532f14684d1abca6

Follow along with updates in the selinux policy.

Test: m
Test: manual
Change-Id: I0dfc6af8fbfc9c8b6860490ab16f02a220d41915

Change-Id: Icfcf02a21dace99ab3f466de495db24a88127ad7
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>

Test: VTS
Bug: 69958777
Change-Id: I6db7dd9afc9c7f254a0233ff3144b02e48727038

Bug: http://b/63142920
Test: `make dist`
Change-Id: Iae363fd5e7181941408d3d75cbf248e651bc8b49