- Aug 22, 2016
-
-
Nick Kralevich authored
am: 69fe5d07 Change-Id: Iaaea2aaeaba08869a8885c88e07c436196134d11
-
Eino-Ville Talvala authored
am: 81fb2363 Change-Id: I129acfbecd2b8bb840c4d4897dbcc43f2ed0d2e2
-
Nick Kralevich authored
am: c55cf17a Change-Id: I48f8bbfab4cdd36e6f1555919ff5d032c07af0a2
-
Eino-Ville Talvala authored
am: eedacf83 Change-Id: I4b23d564c6a4787180fea2c1530cc78808cbd0d0
-
Nick Kralevich authored
Apparently some manufacturers sign APKs with the platform key which use renderscript. Renderscript works by compiling the .so file, and placing it in the app's home directory, where the app loads the content. Drop platform_app from the neverallow restriction to allow partners to add rules allowing /data execute for this class of apps. We should revisit this in the future after we have a better solution for apps which use renderscript. Bug: 29857189 Change-Id: I058a802ad5eb2a67e657b6d759a3ef4e21cbb8cc
-
Eino-Ville Talvala authored
Previously appdomains allowed to execute off of /data were whitelisted. This had the unfortunate side effect of disallowing the creation of device specific app domains with fewer permissions than untrusted_app. Instead grant all apps a neverallow exemption and blacklist specific app domains that should still abide by the restriction. This allows devices to add new app domains that need /data execute permission without conflicting with this rule. Bug: 26906711 (cherry picked from commit c5266df9) Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924
-
- Aug 17, 2016
-
-
Fyodor Kupolov authored
-
- Aug 15, 2016
-
-
Andreas Gampe authored
-
- Aug 13, 2016
-
-
Andreas Gampe authored
Allow the otapreopt rename script to read file attributes. This is being used to print the aggregate artifact size for diagnostic purposes. Bug: 30832951 Change-Id: Iee410adf59dcbb74fa4b49edb27d028025cd8bf9
-
- Aug 10, 2016
-
-
Alex Deymo authored
The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attribute called update_engine_common shared between recovery and update_engine. Bug: 27178350 (cherry picked from commit d63084d3) Change-Id: I1f3e1e83a21e37e09b69cd9c497f87b42b9cbeb1
-
- Jul 22, 2016
-
-
Eric Bae authored
Change-Id: Ia938d73b1a49b9ba4acf906df37095d21edee22e
- Jul 20, 2016
-
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
avc: denied { read } for comm="generic" path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35" ino=1114120 scontext=u:r:drmserver:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file Change-Id: I40992733d779743be92c15a094d166a3df64a10f Fixes: 30167454
-
Jeff Vander Stoep authored
(cherry picked from commit d743ddea) avc: denied { search } for comm=73657276696365203139 name="app" dev="sda35" ino=770049 scontext=u:r:adbd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0 Bug: 30000600 Change-Id: I86958ebcca815ee1779f85fb425592493f40101a
-
- Jul 19, 2016
-
-
Wei Wang authored
-
- Jul 15, 2016
-
-
Wei Wang authored
Addresses the following denial: avc: denied { setsched } for pid=1405 comm="Binder:1094_3" scontext=u:r:system_server:s0 tcontext=u:r:bootanim:s0 tclass=process permissive=0 Maybe fix bug 30118894. Bug: 30118894 Change-Id: I29be26c68094c253778edc8e4fef2ef1a238ee2e
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
Needed for legacy VPN access. Note that ioctl whitelisting only uses the type and command fields of the ioctl so only the last two bytes are necessary, thus 0x40047438 and 0x7438 are treated the same. Bug: 30154346 Change-Id: I45bdc77ab666e05707729a114d933900655ba48b
-
- Jul 14, 2016
-
-
Amith Yamasani authored
-
Tianjie Xu authored
-
Amith Yamasani authored
For Retail Demo mode, we need to preload photos in /data/preloads and allow regular apps to access the photos returned by the media provider from the preloads directory. Bug: 29940807 Change-Id: Ic1061dac55ace1b125ae04b5b0c70aae9aa0c732
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
am: 479712b0 Change-Id: I926aa0ab56d0758e66a7fa9d01a8be70937baa67
-
Mark Salyzyn authored
(cherry-pick from commit 68d67a0f)
shell, system_app and logd access granted on debug builds only
Add logd.logpersistd as well
Bug: 28936216
Bug: 28788401
Change-Id: Ib9648e8565cc0ea0077cf0950b0e4ac6fe0a3135
-
- Jul 13, 2016
-
-
TreeHugger Robot authored
-
Andreas Gampe authored
-
Jeff Vander Stoep authored
avc: denied { find } for service=drm.drmManager pid=4320 uid=1027 scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager Arrange in alphabetical order. Bug: 30112127 Change-Id: I6592497a937c6a6d2c7c3d444beba3db333f4852 (cherry picked from commit 24ad5862)
-
Jeff Tinker authored
am: 4970997a Change-Id: I709182baf77819cfcfda71bf1160cd4e1af8790d
-
Jeff Tinker authored
-
Jeff Tinker authored
bug: 30087072 bug: 29937024 Change-Id: I8bf3032b8455556ff5332f538f43aeb514d3b290
-
dcashman authored
untrusted_app lost all of the domain_deprecated permissions in N, including the ability to read asec_apk_file dirs. This is used for forward locked apps. Addresses the following denials:
avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0
Bug: 30082229
Change-Id: I44119f218433b9009cf8d09d0ee5f8a13cc15dd9
-
Jeffrey Vander Stoep authored
-
Tianjie Xu authored
Grant update_verifier the permissions to read /data/ota_package/ and the blocks on system partition. The denial messages:
update_verifier: type=1400 audit(0.0:29): avc: denied { read } for name="care_map.txt" dev="sda35" ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1
update_verifier: type=1400 audit(0.0:30): avc: denied { open } for path="/data/ota_package/care_map.txt" dev="sda35" ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1
update_verifier: type=1400 audit(0.0:31): avc: denied { read } for name="sda33" dev="tmpfs" ino=5613 scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1
update_verifier: type=1400 audit(0.0:32): avc: denied { open } for path="/dev/block/sda33" dev="tmpfs" ino=5613 scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1
Test: On sailfish, update_verifier reads the blocks successfully during boot time.
Bug: 30020920
Change-Id: I10777c1e6ba649b82c4a73171124742edeb05997
-
Jeff Vander Stoep authored
avc: denied { find } for service=drm.drmManager pid=4320 uid=1027 scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager Arrange in alphabetical order. Bug: 30112127 Change-Id: I6592497a937c6a6d2c7c3d444beba3db333f4852
-
- Jul 12, 2016
-
-
Andreas Gampe authored
Vendor apps are usually not preopted, so A/B dexopt should pick them up. update_engine is not mounting the vendor partition, so let otapreopt_chroot do the work. This change gives otapreopt_chroot permission to mount /vendor into the chroot environment. Bug: 25612095 Bug: 29498238 Change-Id: I5a77bdb78a8e478ce10f6c1d0f911a8d6686becb
-
- Jul 11, 2016
-
-
Andreas Gampe authored
The new A/B OTA artifact naming scheme includes the target slot so that the system is robust with respect to unexpected reboots. This complicates the renaming code after reboot, so it is moved from the zygote into a simple script (otapreopt_slot) that is hooked into the startup sequence in init. Give the script the subset of the rights that the zygote had so that it can move the artifacts from /data/ota into /data/dalvik-cache. Relabeling will be done in the init rc component, so relabeling rights can be completely removed. Bug: 25612095 Bug: 28069686 Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b
-
Andreas Gampe authored
To include target slot names in the naming of A/B OTA artifacts, a new path has been implemented. Instead of passing through the system server and forking off of installd, otapreopt_chroot is now driven directly from the otapreopt script. Change the selinux policy accordingly: allow a transition from postinstall to otapreopt_chroot, and let otapreopt_chroot inherit the file descriptors that update_engine had opened (it will close them immediately, do not give rights to the downstream executables otapreopt and dex2oat). Bug: 25612095 Bug: 28069686 Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb
-
- Jul 08, 2016
-
-
Fyodor Kupolov authored
avc: denied { rmdir } for name="apps" dev="sda35" ino=38 scontext=u:r:system_server:s0 tcontext=u:object_r:preloads_data_file:s0 tclass=dir permissive=0
avc: denied { rmdir } for name="demo" dev="sda35" ino=41 scontext=u:r:system_server:s0 tcontext=u:object_r:preloads_data_file:s0 tclass=dir permissive=0
Bug: 28855287
Change-Id: Ia470f94d1d960cc4ebe68cb364b8425418acdbd4
-