Bug: 25861755
Test: Boot device, create user, create files, remove user, observe logs
Change-Id: I195514eb45a99c1093998786ab385338463269c0
Merged-In: I195514eb45a99c1093998786ab385338463269c0
(cherry picked from commit eb7340d9)

Don't allow apps to run with uid=shell or selinux domain=shell unless
the package is com.android.shell.

Add a neverallow assertion (compile time assertion + CTS test) to ensure
no regressions.

Bug: 68032516
Test: policy compiles, device boots, and no obvious problems.
Change-Id: Ic6600fa5608bfbdd41ff53840d904f97d17d6731

The use of SIOCATMARK is not recommended per rfc6093.

This ioctl is not currently allowed on Android. Add a neverallowxperm
statement (compile time assertion + CTS test) to ensure this never
regresses.

Bug: 68014825
Test: policy compiles.
Change-Id: I41272a0cb157ac9aa38c8e67aabb8385403815f9

This is to simplify access for hal_audio

Test: ls -Z in /proc/asound correctly shows everything with proc_asound
selinux label

Change-Id: I66ed8babf2363bee27a748147eb358d57a4594c4

Access to /sys/class/android_usb/ was lost when that dir received a new
label sysfs_android_usb.

Bug: 65643247
Test: can enter recovery mode and sideload through usb  without denials to /sys
Change-Id: I22821bab9833b832f13e0c45ff8da4dae115fa4d

Code review of:
  - https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/512420/

had some comments. These were addressed and upstreamed here:
  - https://github.com/TresysTechnology/refpolicy/commit/65620e0f94541195fed45f34d4fc1218b4e0d6f3



Bring these changes back into the AOSP tree.

Test: verify that output sorted device files did not change hashes when built.

Change-Id: I7f07d3f74923cf731e853629034469784fc669f7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: I5df432c6d2f7ee19db89f44fbe3adec2bbcc0b41

This file is necessary for using an mr1 system image in conjunction
with an oc-dev vendor image.  This is currently needed by GSI testing,
for example.

(cherry-pick of commit: 03596f28)

Bug: 66358348
Test: File is included on system image.
Change-Id: Ie694061d08acf17453feb596480e42974f8c714c

Reason: breaks "Ok google". Soundtrigger module needs to access /proc/asound/pcm.

This reverts commit 5cccb249.

Bug: 67930353
Change-Id: I67e0912a6795b3715a3321d3fe5147f49cebc9b5

Now hwservicemanager can send ctl.interface_start messages
to init.

Note that 'set_prop(ctl.*, "foo")' maps to property context
for ctl.foo.

Bug: 64678982
Test: hwservicemanager can start interfaces
Change-Id: I9ab0bacd0c33edb0dcc4186fa0b7cc28fd8d2f30

Addresses the following test failure:
system/extras/tests/kernel.config/nfs_test.cpp:24: Failure
Value of: android::base::ReadFileToString("/proc/filesystems", &fs)
Actual: false
Expected: true

Denial:
avc: denied { read } for name="filesystems" dev="proc"
scontext=u:r:shell:s0 tcontext=u:object_r:proc_filesystems:s0
tclass=file

Bug: 67862327
Test: build
Change-Id: I9ada5404987cb474968afc8cb8d96137ee36c68d

As part of Treble, enforce that the communication between platform
and vendor components use the official hw binder APIs. Prevent sharing
of data by file path. Platform and vendor components may share
files, but only via FD passed over hw binder.

This change adds the violators attribute that will be used to mark
violating domains that need to be fixed.

Bug: 34980020
Test: build
Change-Id: Id9acfbbc86bfd6fd0633b8164a37ce94d25ffa2c

rw access to sysfs_power file is not enough; in some cases search access
is also needed

Bug: 67895406
Test: system_server can access memory power statistics
Change-Id: I471e8e60626e6eed35e74e25a0f4be470885a459

Bug: 25861755
Test: Boot device, observe logs
Change-Id: I6c13430d42e9794003eb48e6ca219b874112b900
Merged-In: I6c13430d42e9794003eb48e6ca219b874112b900
(cherry picked from commit 47f3ed09)

This change allows wpantund to call any binder callbacks that have
been registered with it. Generally, only privileged apps are allowed
to register callbacks with wpantund, so we are limiting the scope for
callbacks to only privileged apps. We also add shell to allow the
command-line utility `lowpanctl` to work properly from `adb shell`.

Bug: b/67393078
Test: manual
Change-Id: I64c52cc5e202725a81230dc67e1cd7c911cf8e1c
(cherry picked from commit 17319cb3)

Bug: b/64399219
Test: Manual
Change-Id: I4f6c7e4e3339ae95e43299bf364edff40d07c796
(cherry picked from commit c8bd93d7)

As a consequence, hal_audio_default (and any domain with hal_audio attribute)
loses access to proc label.

Bug: 65643247
Test: sailfish boots, can play sound through speakers and headset
(3.5mm, usb, and bluetooth) without denials from hal_audio to proc.
Test: VtsHalAudioEffectV2_0Target
Test: VtsHalAudioV2_0Target

Change-Id: I3eead5a26ef36b8840d31c5e078f006b0c2266a3

Update to commit:
  - https://github.com/TresysTechnology/refpolicy/commit/5490639ac99fcfa062a0b9825a111b9392a2da34



This solves all reported clang analyzer issues and is inline with upstream.

Test: veerify that md5sum of output files do not change.

Change-Id: I942145b8f9748c8ecd185f730c94d57cb77f5acc
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Allow PowerUI / platform_app to use thermalservice for receiving
notifications of thermal events.

Bug: 66698613
Test: PowerNotificationWarningsTest, PowerUITest,
      manual: marlin and <redacted> with artificially low temperature
      threshold and logcat debugging messages
Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629
Merged-In: I5428bd5f99424f83ef72d981afaf769bdcd03629

Dontaudit denials for services that system_app may not use due
to neverallow assertions.

Bug: 67779088
Test: build
Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72

This denial should not be allowed. Add bug information to the denial
to give context.

Bug: 63801215
Test: build
Change-Id: I3dc5ce6a5aa1c6bf74c6fd13cab082c7f263c4e8

Addresses:
avc: denied { search } for comm="sh" name="bms" dev="sysfs" ino=47908
scontext=u:r:shell:s0 tcontext=u:object_r:sysfs_batteryinfo:s0
tclass=dir

Test: build
Change-Id: I8a0197417c47feefba084e9c75933d28c5f6e5f1

New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons

Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons

Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.

Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5