am: 34b4b737

Change-Id: If25147ce3439abd0ab4a3abc1e330b373e43d9cb

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6

am: a34781ae

Change-Id: Ic4103ff418e69f000198bb588f0cfccc578ba324

tombstoned allows dumpstate to install "intercepts" to java trace
requests for a given process. When an "intercept" is installed, all
trace output is redirected to a pipe provided by dumpstate instead
of the default location (usually in /data/anr or /data/tombstone).

Note that these processes are already granted "write" and "getattr"
on dumpstate:fifo_file in order to communicate with dumpstate; this
change adds "append" to the existing set of permissions.

Bug: 32064548
Test: manual
Change-Id: Iccbd78c59071252fef318589f3e55ece51a3c64c

am: e628cb5b

Change-Id: If2ce6fbf2b897d58da78430a7bae0fd6fb6e5a49

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5

am: c3f4afef

Change-Id: I8810383b62d3c678c289867a0e17732242ee6679

am: 9ac5d01f

Change-Id: I31b6b74e498efd2a6f6795f91d6a39a000886061

This reverts commit a015186f.

Bug: http://b/62101480
Change-Id: I8e889e3d50cf1749168acc526f8a8901717feb46

SELinux : avc:  denied  { find } for service=vrmanager pid=2364 uid=1027
scontext=u:r:nfc:s0 tcontext=u:object_r:vr_manager_service:s0
tclass=service_manager permissive=0

Test: manual
Bug: 35889571
Change-Id: If95bb5c286def99a0439b36a31b52fa9dfd4a2f4
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

am: 4a608d31

Change-Id: I1ac7b6ddaa3f6c7ee88426cf5ec6e6dec7bc8767

Fix the following denial:
    avc: denied { append } for pid=1093 comm="mediaextractor" path="pipe:[68438]" dev="pipefs" ino=68438 scontext=u:r:mediaextractor:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 ppid=1 pcomm="init" pgid=1 pgcomm="init"

Bug: http://b/38444258
Test: none
Change-Id: I58162e3a28b744a58396e77d6b0e2becb5633d6a

am: de5db3ab

Change-Id: If61aa850ab0f6060ec7a863cc0107f68f1db9400

Test: manual
Bug: 37014702
Change-Id: Id43dc7a8506fe60015c2f82242ba45cf85d3e74b

am: e3be5d6b

Change-Id: I6f3544a3803217bd6380ebb9d7d0b84c403e60c2

am: c4055f0d

Change-Id: I4f307d49476c1e84d8dd17d02f383d7c10a959fc

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

am: fcfda81b

Change-Id: Iefe805a99749c29865b7f871cd4fc3fe11e1e536

This reverts commit 8c60f74d.

Bug: 38242876
Change-Id: Iba5a94d16901dc0c52f1941972c26877baa4805c

am: 216b377d

Change-Id: I2ff6397f145424266cd1091e338323cff283397c

Node for /dev/uhid driver needs to be accessible
by shell for the 'hid' command in frameworks/base/cmds.
This CL is in support of another CL c/2048848, topic
'Refactor hid command in /frameworks/base/cmds'
in internal master.

Bug: 34052337
Test: CTS test for GamepadTestCase#testButtonA; Checked that
cat /dev/uhid does not raise permission error.

Change-Id: I861c1226b4a67272af7c2a93d7811bf87a083478

am: ce5ca4d0

Change-Id: I7f9cfa0a144ddfd796897446990f2b61108755c1

This is needed for devices using configfs, where init listens for
sys.usb.ffs.ready=1 to config usb_gadget. When recovery starts
sideloading, minadbd (forked from recovery) sets the property to trigger
that action.

avc:  denied  { set } for property=sys.usb.ffs.ready pid=541 uid=0 gid=0
scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0
tclass=property_service

Bug: 35803743
Test: Device shows up in sideload mode.
Change-Id: Ie7f1224d3a8650160ac29811f73b8286fbced4f4

am: c895f278

Change-Id: I49f55fba41b5242c7c4f36652afe9fee4808a349

Added rule:

/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0

Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58

am: 611202ef

Change-Id: If107d1d43e9247be68065d711f471e538830ee18

am: ca0a352a

Change-Id: If463e73dce4db829206a4907a5fa12bfbe347fb9

am: 07667733

Change-Id: I0263926bbc950f0186bdd9a7fa3eb8b8f9072ee0

am: 9686cbcd

Change-Id: Id0bacbd2022c24615b9e99108af1a8510be248fb

Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b

In the init scripts for socket, the type can have a suffix of
"+cred" to request that the socket be bound to report SO_PASSCRED
credentials on socket transactions.  Here we add socket setopt
to selinux rules.

Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot
      (fails without logd.rc change)
Bug: 37985222
Change-Id: I37cdf7eea93c3e8fa52964e765eaf3007e431b1f