"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
   character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6

Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open FD such as
ioctl/stat/read/write/append.

This commit asserts that core components marked with attribute
coredomain may only access core data types marked with attribute
core_data_file_type.

A temporary exemption is granted to domains that currently rely on
access.

(cherry picked from commit cd97e710)

Bug: 34980020
Test: build Marlin policy
Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc

This CL changes the policy for ASAN files on-disk to support the
changes made by the following CLs -
https://android-review.googlesource.com/#/c/359087/
https://android-review.googlesource.com/#/c/359389/

which refactor the on-disk layout of sanitized libraries in the following
manner -
/data/lib* --> /data/asan/system/lib*
/data/vendor/* --> /data/asan/vendor/*

There are a couple of advantages to this, including better isolation
from other components, and more transparent linker renaming and
SELinux policies.

(cherry picked from commit 33ebdda8)

Bug: 36574794
Bug: 36674745
Test: m -j40 && SANITIZE_TARGET="address" m -j40 and the device
boots. All sanitized libraries are correctly located in /data/asan/*,
and have the right SELinux permissions.

Change-Id: Ib08e360cecc8d77754a768a9af0f7db35d6921a9

Bug: 33239267
Test: compile, run wifi, no selinux complaint for wificond
Change-Id: I9b3e874381ac6cd7c6ff1058cc4f313bd85481b8

/data/misc/zoneinfo is provided by libc and is considered to be
VNDK stable. Grant read access to all domains and exempt from
neverallow rules asserting no vendor access to core data types.

Bug: 36730929
Test: Marlin Policy builds
Change-Id: I13766a661d6314f5393639fc20f1ab55d802f35f

Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9

This futher restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.

This has now effect on what domains are permitted to do. This only
changes neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153

(cherry picked from commit cf2ffdf0)

Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e

VR HWC is being split out of VR Window Manager. It creates a HW binder
interface used by SurfaceFlinger which implements the HWComposer HAL and
a regular binder interface which will be used by a system app to receive
the SurfaceFlinger output.

Bug: b/36051907
Test: Ran in permissive mode and ensured no permission errors show in
logcat.

Change-Id: If1360bc8fa339a80100124c4e89e69c64b29d2ae

This removes access to
* contexthub_service
* device_policy_service
* ethernet_service
* fingerprint_service
* shortcut_service
* trust_service
* usb_service

Test: cts-tradefed run commandAndExit cts-dev -m
CtsAppSecurityHostTestCases -t
android.appsecurity.cts.EphemeralTest
Bug: 33349998

Change-Id: Iad9302041d7674ae6ebeb1c559c64d13df62c304

the list to update was determined by looking
at who currently has access to surfaceflinger
for ipc and FD use.

Test: try some media stuff
Bug: 36333314
Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d

Runas/libselinux needs access to seapp_contexts_file to determine
transitions into app domains.

Addresses:
avc: denied { read } for pid=7154 comm="run-as" name="plat_seapp_contexts"
dev="rootfs" ino=9827 scontext=u:r:runas:s0
tcontext=u:object_r:seapp_contexts_file:s0 tclass=file

Bug: 36782586
Test: Marlin policy builds
Change-Id: I0f0e937e56721d458e250d48ce62f80e3694900f

This tightens neverallows for looking up Binder servicemanager
services from vendor components. In particular, vendor components,
other than apps, are not permitted to look up any Binder services.
Vendor apps are permitted to look up only stable public API services
which is exactly what non-vendor apps are permitted to use as well.
If we permitted vendor apps to use non-stable/hidden Binder services,
they might break when core components get updated without updating
vendor components.

Test: mmm system/sepolicy
Bug: 35870313

Change-Id: I47d40d5d42cf4205d9e4e5e5f9d0794104efc28f

Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66

This reverts commit 5c09d123.

Broke the build

Bug: 35870313
Test: source build/envsetup.sh && lunch marlin-userdebug && m -j40
Change-Id: I71c968be6e89462fd286be5663933552d478f8bf

Full treble targets cannot have sockets between framework and vendor
processes. In theory, this should not affect aosp_arm64_ab where only
framework binaries are built. However, /system/sepolicy has rild.te
which is now vendor binary and this causes neverallow conflict when
building aosp_arm64_ab.

So, we just temporarily annotate the rild with
socket_between_core_and_vendor_violators so that the neverallow conflict
can be avoided.

Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
not break.

Change-Id: I260757cde96857cc3f539d5f82ca69c50653f8c7

Test: denials go away
Change-Id: I103cf3ad8d86b461bcba8edce02f6202fd2bcbe8

* changes:
  mac_permissions: explicitly label all mac_permissions files
  sepolicy: explicitly label all sepolicy files
  seapp_context: explicitly label all seapp context files
  file_context: explicitly label all file context files
  service_contexts: label service_contexts explicitly
  prop_context: correctly label all property_context files

This tightens neverallows for looking up Binder servicemanager
services from vendor components. In particular, vendor components,
other than apps, are not permitted to look up any Binder services.
Vendor apps are permitted to look up only stable public API services
which is exactly what non-vendor apps are permitted to use as well.
If we permitted vendor apps to use non-stable/hidden Binder services,
they might break when core components get updated without updating
vendor components.

Test: mmm system/sepolicy
Bug: 35870313
Change-Id: I949d62b3528cadb4bfe6f5985c25d1f497df0d5a

As a result, Keymaster and DRM HALs are permitted to talk to tee domain
over sockets. Unfortunately, the tee domain needs to remain on the
exemptions list because drmserver, mediaserver, and surfaceflinger are
currently permitted to talk to this domain over sockets.

We need to figure out why global policy even defines a TEE domain...

Test: mmm system/sepolicy
Bug: 36601092
Bug: 36601602
Bug: 36714625
Bug: 36715266
Change-Id: I0b95e23361204bd046ae5ad22f9f953c810c1895

We don't want to prevent access from vendor platform apps to system app
data. The issue with the referencing system_app explicitly in
neverallows is that vendor platform apps which need sandboxes similar to
system_app cannot be placed under system_app without modifying the
policy for all platform apps.

Test: mmm system/sepolicy
Change-Id: Ic0052602c31be4d74b02eeea129e2d8bfbd9c8d3

W Binder:538_2: type=1400 audit(0.0:9): avc: denied { getattr } for path="/data/media/0/Qtc88.mp4" dev="dm-0" ino=678654 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=0

W generic : type=1400 audit(0.0:9): avc: denied { read } for path="/data/media/0/Qtc88.mp4" dev="dm-0" ino=678654 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=0

Test: Photos, Play Music, Play Movies, Youtube
Bug: 29125703
Change-Id: If84ab43b934944abf4c416db751ab6694835df83

*mac_permissions.xml files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' or 'rootfs' label.

Bug: 36003167
Test: no new 'mac_perms_file' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
      OTA update.
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
      video

Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc
Signed-off-by: Sandeep Patil <sspatil@google.com>