- May 18, 2017

Sohani Rao authored
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987 and 66e27bf5
Bug: 32842314
Test: Unit tests, manual test to ensure Wifi can be brought up and connected to an AP, ensure that Offload HAL service is running and that wificond can get the service handle by calling hwservicemanager.
Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e

- May 17, 2017

Steven Moreland authored
This hidl service provides information about vsync and hotplug to vendor services which is required by at least some camera hal implementations.
Test: VtsFwkDisplayServiceV1_0TargetTest
Test: no denials
Bug: 38311538
Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9

- May 16, 2017

Jeff Vander Stoep authored
Disallowing other HALs access to video_device does not appear to be enforceable.
(cherry picked from commit c26dd18a)
Bug: 37669506
Test: build policy. Neverallow rules are a build-time test and do not impact the policy binary.
Change-Id: Iea401de08a63f3261a461f67b85113a9d838e88a

- May 15, 2017

Jeff Vander Stoep authored
This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions.
Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b

- May 12, 2017

Andrew Scull authored
Bug: 35628284
Change-Id: I08877ac117212325b1259f7d90a4c0cb1dac2d9f
Fix: 38233550
Test: Build and boot
Merged-In: I4cdacb601e0eea1f5f0e721c568c7ee04298704f

Andrew Scull authored
Bug: 34766843
Change-Id: I5be615d818ecf999fec6514ce9b89ff6a7f13cd6
Fix: 38232801
Test: Build and boot
Merged-In: Ice78aedfdbe82477a84252499a76dad37887fe6b

- May 11, 2017

Luke Song authored
Sensord move in ag/2106763 should be accompanied by corresponding sepolicy move of sensord-related files/declarations.
Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d

- May 10, 2017

Alex Vakulenko authored
Specify per-service rules for PDX transport. It is now possible to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc).
Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

- May 09, 2017

Martijn Coenen authored
New binder kernel changes extend the areas where binder will set real-time scheduling priorities on threads; to make sure the driver can correctly determine whether a process is allowed to run at real-time priority or not, add the capability to the services that need it.
Bug: 37293077
Test: processes run at real-time prio on incoming real-time binder calls.
Change-Id: Ia4b3e5ecb1f5e18e7272bdaaad5c31a856719633

- May 08, 2017

Mikhail Naganov authored
The following HAL methods use file descriptors to write dump info comprising audioflinger debug dump:
IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump
Bug: 37993476
Test: check contents of media.audio_flinger section in a bugreport captured on Pixel device
Merged-In: I77d347c019ac93c3ba0d54ce50f0fdc243b04685
Change-Id: Ia0531f715ae5f8b2599153e54a11e9eb4ee47d4b

- May 05, 2017

Jeff Sharkey authored
When installd clears cached files on external storage, the sdcardfs kernel filesystem needs to be kept in the loop to release any cached dentries that it's holding onto. (Otherwise the underlying disk space isn't actually released.) installd can already delete the underlying files directly (via the media_rw_data_file rules), so this technically isn't expanding its capabilities.

avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Bug: 37486230
Change-Id: Icfd00a9ba379b1f50c48fe85849304cf9859bcb2

- May 04, 2017

Dimitry Ivanov authored
This is needed by linker to be able to load libraries from memfd, which currently generates the following denial:

avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0

Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376

- May 02, 2017

Steven Moreland authored
Whether a device is full Treble or not, omx should be able to access vndbinder.
Test: (sanity) oc-dev marlin boots + YouTube + lshal
Fixes: 37528973
Change-Id: Idd734b42c7dfe3e09e544680a6893b03910ecd3e

- Apr 29, 2017

Hassan Shojania authored
Bug: 37713584
Test: With GtsMediaTestCases.apk installed, try:
adb shell am instrument -w -e class 'com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC' 'com.google.android.media.gts/android.support.test.runner.AndroidJUnitRunner'
Change-Id: Icc2066e9d9bbc5c020b6d694e9627487771ef35e

Andreas Gampe authored
The linker now requires getattr rights for the filesystem. Otherwise linking otapreopt and patchoat/dex2oat will fail.
Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39

- Apr 28, 2017

Jeff Vander Stoep authored
Adding the default label/mapping is important because:
1. Lookups of services without an selinux label should generate a denial.
2. In permissive mode, lookups of a service without a label should be allowed; without the default label, service manager disallows access.
3. We can neverallow use of the default label.
Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services. Add/find of unlabeled vendor services generate a denial.
Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b84)

Steven Moreland authored
Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5

- Apr 27, 2017

Abodunrinwa Toki authored
Test: bit FrameworksCoreTests:android.view.textclassifier.TextClassificationManagerTest
Bug: 34780396
Change-Id: I8b98fef913df571e55474ea2529f71750874941c

Ruchi Kandoi authored
Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit ad41fa8d)

- Apr 26, 2017

Nick Kralevich authored
The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold.
Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

- Apr 25, 2017

Jeff Tinker authored
Test: gts-tradefed run gts -m GtsMediaTestCases -t com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC
Bug: 37548390
Change-Id: I9c2d446118d3a5f729730b75ec117954e383159b

Alex Klyubin authored
This adds neverallow rules which enforce the prohibition on communication between framework and vendor components over VendorBinder. This prohibition is similar in spirit to the one for Binder communications.

Most changes consist of adding neverallow rules, which do not affect runtime behavior. The only change which does affect runtime behavior is the change which takes away the right of servicemanager domain to transfer Binder tokens to hwservicemanager and vndservicemanager. This grant was there by accident (because it was overly broad) and is not expected to be needed: servicemanager, hwservicemanager, and vndservicemanager are not supposed to be communicating with each other.

P. S. The new neverallow rules in app_neverallows.te are covered by the new rules in domain.te. The rules were nevertheless added to app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329

- Apr 24, 2017

Alex Klyubin authored
App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layers of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model.

HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already has, because these services run in the process of the client.

This commit thus introduces these two categories of HwBinder services in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d

- Apr 21, 2017

Alex Klyubin authored
On fugu, surfaceflinger is Graphics Allocator HAL. surfaceflinger needs access to video_device. This commit thus relaxes the neverallow rule which says that out of all HALs, only Camera HAL can access video_device. The rule is relaxed to exclude HALs offered by framework/system image.
Test: fugu boots
Bug: 37575062
Change-Id: I9b9be55fe0bf3928f1a6342113a7d6f9a2eb0260

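The neverallow entries above (Apr 21, Apr 24 and Apr 25, and the May 16 note that neverallow rules are a build-time test that does not impact the policy binary) all depend on one mechanism: when the policy is compiled, every attribute in a neverallow rule is expanded to its member types, and if any allow rule still intersects it the build fails. The checker below is an added example written for this page; it is not code from system/sepolicy, checkpolicy or secilc, and it accepts only a hypothetical subset of the rule syntax (`allow`/`neverallow`, attribute sets with `-` exclusion, permission sets). The type and attribute names in `demo()` are modelled on the commits above, but the declarations and rules are illustrative, not the real policy.

```python
"""Toy build-time neverallow checker (added example, not from system/sepolicy).

Accepted syntax (a hypothetical subset of the real one):
    allow      SRC TGT:CLASS PERMS;
    neverallow SRC TGT:CLASS PERMS;
SRC/TGT: a type, an attribute, or '{ a b -c }' where '-' excludes;
PERMS:   a permission or '{ p1 p2 }'.
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$"
)


def _tokens(spec):
    """'{ a b -c }' -> ['a', 'b', '-c'];  'a' -> ['a']."""
    return spec.strip("{} ").split() if spec.startswith("{") else [spec]


@dataclass(frozen=True)
class Rule:
    text: str
    kind: str
    src: frozenset   # concrete source types after attribute expansion
    tgt: frozenset   # concrete target types after attribute expansion
    cls: str
    perms: frozenset


class Policy:
    def __init__(self):
        self.types = set()
        self.attrs = {}      # attribute -> set of member types
        self.rules = []

    def declare_type(self, name, *attributes):
        self.types.add(name)
        for attr in attributes:
            self.attrs.setdefault(attr, set()).add(name)

    def expand(self, spec):
        """Resolve a type/attribute/set expression to the concrete types it denotes."""
        include, exclude = set(), set()
        for tok in _tokens(spec):
            name = tok.lstrip("-")
            if name in self.attrs:
                members = self.attrs[name]
            elif name in self.types:
                members = {name}
            else:
                raise ValueError("unknown type or attribute: %s" % name)
            (exclude if tok.startswith("-") else include).update(members)
        return frozenset(include - exclude)

    def add(self, text):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError("unparsable rule: %s" % text)
        kind, src, tgt, cls, perms = m.groups()
        self.rules.append(Rule(text.strip(), kind, self.expand(src),
                               self.expand(tgt), cls, frozenset(_tokens(perms))))

    def check(self):
        """Return (neverallow text, allow text, offending perms) for every clash.
        A non-empty result is exactly what makes a real policy build fail."""
        violations = []
        allows = [r for r in self.rules if r.kind == "allow"]
        for na in (r for r in self.rules if r.kind == "neverallow"):
            for al in allows:
                if al.cls != na.cls or not (al.src & na.src) or not (al.tgt & na.tgt):
                    continue
                clash = al.perms & na.perms
                if clash:
                    violations.append((na.text, al.text, tuple(sorted(clash))))
        return violations


def demo(exclude_core_hals=True):
    """Hypothetical policy fragment.  exclude_core_hals=False is the strict form
    of the video_device neverallow that the Apr 21 entry relaxed; with it,
    surfaceflinger (a core domain that is also a HAL server) trips the rule."""
    p = Policy()
    p.declare_type("hal_camera_default", "halserverdomain", "hal_camera_server")
    p.declare_type("hal_audio_default", "halserverdomain")
    p.declare_type("surfaceflinger", "coredomain", "halserverdomain")
    p.declare_type("untrusted_app", "appdomain")
    p.declare_type("video_device")
    p.declare_type("hal_camera_hwservice", "hwservice_manager_type")
    p.declare_type("hal_renderscript_hwservice", "hwservice_manager_type", "same_process_hwservice")
    p.declare_type("fwk_display_hwservice", "hwservice_manager_type", "coredomain_hwservice")

    p.add("allow hal_camera_default video_device:chr_file { open read write ioctl };")
    p.add("allow surfaceflinger video_device:chr_file { open read write ioctl };")
    p.add("allow untrusted_app hal_renderscript_hwservice:hwservice_manager find;")
    p.add("allow untrusted_app hal_camera_hwservice:hwservice_manager find;")  # clashes below

    core = " -coredomain" if exclude_core_hals else ""
    p.add("neverallow { halserverdomain -hal_camera_server%s } video_device:chr_file"
          " { open read write ioctl };" % core)
    p.add("neverallow appdomain { hwservice_manager_type -same_process_hwservice"
          " -coredomain_hwservice }:hwservice_manager find;")
    return p.check()


if __name__ == "__main__":
    for na, al, perms in demo():
        print("neverallow violated:\n  %s\n  by: %s\n  perms: %s" % (na, al, " ".join(perms)))
```

Run as a script it reports the one deliberate clash (an app domain finding a vendor HwBinder service); `demo(exclude_core_hals=False)` additionally reports surfaceflinger against the strict video_device rule, which is the failure the Apr 21 relaxation avoids.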
Daniel Nicoara authored
vr_wm functionality is moved into VrCore, so remove this service.
Bug: 37542947, 36506799
Test: Ran on device and verified there are no permission errors while in VR
Change-Id: I37fd34e96babec2a990600907f61da8c358ecc89

Daniel Nicoara authored
Allow the services to do binder calls to system_server in order to check for app permissions.
Bug: 37542947
Test: Compiled and ran on device ensuring no permission errors
Change-Id: If91895607eb118f689cf2e11c63945e9f83bf2a0

Sandeep Patil authored
The types need to be exported so userdebug system.img can still build the policy with a user vendor.img at boot time. All permissions and attributes for these types are still kept under conditional userdebug_or_eng macro.
Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on sailfish and make sure sepolicy compilation succeeds
Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>

Chia-I Wu authored
Bug: 37152880
Bug: 37554633
Test: adb shell am hang --allow-restart
Test: adb shell dumpstate
Change-Id: Ie68607f3e3245a40056bdde7dd810ddf212b4295

Alex Klyubin authored
This lets dumpstate obtain the list of currently registered HwBinder services.
Test: adb bugreport -- no denials to do with dumpstate access to hwservicemanager list functionality.
Bug: 37554633
Change-Id: I95512168948ca45a0dd830c20922e3c776ffaf41

Alex Klyubin authored
This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager.
Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call from either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
make and install CtsMediaTestCases.apk
adb shell am instrument -e size small \
-w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint
Test: Apply OTA update:
Make some visible change, e.g., rename Settings app.
make otatools && \
make dist
Ensure device has network connectivity
ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31

Jeff Vander Stoep authored
Fixes warning:
system/sepolicy/public/install_recovery.te:14:WARNING 'unrecognized character' at token ''' on line 13335: allow install_recovery vendor_file:file { { getattr open read ioctl lock } { getattr execute execute_no_trans } };'
Bug: 37105075
Test: Fugu policy builds without this warning.
Change-Id: I8f417c51a816f3983a918c7e36dd804c5b85543f

Pavel Grafov authored
Currently ro.device_owner and persist.logd.security aren't accessible without root, so "adb shell getprop" returns an empty reply which is confusing. Also these properties aren't seen from bugreport unless their change happened recently.
Bug: 37053313
Test: manual, took bugreport and ran getprop after "adb unroot".
Change-Id: Id41cdabc282f2ebcdfc0ac7fe9df756322a0863d

Jaekyun Seok authored
installd needs to check whether idmap is outdated or not compared to vendor overlay file.
Test: building succeeded and tested on sailfish.
Bug: 37179531
Change-Id: I934c1ae39e3f806bca1e3d68cf8190addeebb499

- Apr 20, 2017

Daniel Nicoara authored
Bug: 37542947
Test: Compiled and ran on device to ensure no access errors while in VR
Change-Id: Ia685676d82f1f10f2bd371a13879d00fe63a9ea6

Chia-I Wu authored
This fixes
avc: denied { call } for comm="screencap" scontext=u:r:dumpstate:s0 tcontext=u:r:hal_graphics_allocator_default:s0 tclass=binder permissive=0
Bug: 37360953
Test: adb shell dumpstate -p -o <path>
Change-Id: Ia9387559e3ec1ba51b614bb9d24294fbbbd51b1a

- Apr 19, 2017

Sandeep Patil authored
Bug: 37485771
Test: sideloaded OTA through recovery on sailfish
Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701
Signed-off-by: Sandeep Patil <sspatil@google.com>

Jeff Hao authored
The PackageManager now passes previous code paths to dex2oat as shared libraries. dex2oat needs extra permissions in order to access and open the oat files of these libraries (if they were compiled).
Part of a multi-project change.
Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests
(cherry-picked from commit 1103f963)
Change-Id: I3cf810ef5f4f4462f6082dc30d3a7b144dcce0d9

Chong Zhang authored
hal_client_domain no longer allows read dir permission. In order to load .so from /system/lib, we have to add this permission ourselves.
Bug: 37476803
Change-Id: I1711d158c2f4580f50ac244da10c489df003cc18

Andy Hung authored
Permit mediaextractor its own file source for apk and ringtone files. Previously we fell back to the mediaserver file source. This does not affect behavior as the fallback works fine; however, the log messages may cause confusion.

[73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read } for pid=18381 comm="generic" path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35" ino=2490374 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
[73402.683932] type=1400 audit(1491338955.884:122): avc: denied { read } for pid=18383 comm="generic" path="/data/system_de/0/ringtones/ringtone_cache" dev="sda35" ino=2490376 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0

Test: Ringtone and CTS
Bug: 37500781
Change-Id: Ie6d8e6d2b7301d00957733f173aeebbe9d0d1998

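The avc records quoted in the May 05, May 04, Apr 20 and Apr 19 entries above are the raw input from which such allow rules get written, and the raw lines hide three things a reviewer should check before turning a denial into a rule: `granted` records come from auditallow rules and must not become allow rules; `permissive=1` means the access was allowed but logged (the May 05 `open` and `getattr` lines), while `permissive=0` means it was actually blocked; and an unquoted `path=` value is hex, because the kernel hex-encodes audit strings containing spaces, quotes or control characters (the May 04 line decodes to a memfd name). The parser below is an added example written for this page, not code from system/sepolicy and not audit2allow; the sample input is the page's own log lines, and the rule-grouping key (source type, target type, class) is this example's choice.

```python
"""Parse SELinux avc records into candidate allow rules (added example,
not part of system/sepolicy and not audit2allow).

Handles logcat-style lines and dmesg lines with a 'type=1400 audit(...)'
prefix, skips 'granted' records, tracks permissive=0 vs permissive=1, and
decodes hex-encoded path/name/comm values.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+(?P<verdict>granted|denied)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CTX_RE = re.compile(r"^u:(?:r|object_r):([^:]+):")   # u:r:installd:s0 -> installd


def decode_hex(raw):
    """Undo kernel hex encoding of an audit string; fall back to the raw value."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return raw


def parse_avc(line):
    """Return a dict for one avc record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for fm in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = fm.group(1), fm.group(2), fm.group(3)
        if quoted is not None:
            rec[key] = quoted                 # quoted values are never hex-encoded
        elif key in ("path", "name", "comm"):
            rec[key] = decode_hex(bare)       # bare string field => kernel hex-encoded it
        else:
            rec[key] = bare
    for ctx in ("scontext", "tcontext"):
        cm = CTX_RE.match(rec.get(ctx, ""))
        rec[ctx + "_type"] = cm.group(1) if cm else None
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def suggest_rules(lines):
    """Group denials by (source type, target type, class).

    Returns (rules, enforced): rules maps that key to an allow-rule string;
    enforced is the subset of keys where at least one access was actually
    blocked (permissive=0) rather than merely logged in permissive mode."""
    perms_by_key = defaultdict(set)
    enforced = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue                          # 'granted' is an auditallow hit, not a denial
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
        perms_by_key[key].update(rec["perms"])
        if not rec["permissive"]:
            enforced.add(key)
    rules = {key: "allow %s %s:%s { %s };" % (key + (" ".join(sorted(perms)),))
             for key, perms in perms_by_key.items()}
    return rules, enforced


# Records quoted verbatim from the commit messages above (not constructed).
SAMPLE_LINES = [
    'avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir',
    'avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1',
    'avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0',
    'avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0',
    'avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1',
    'avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0',
    'avc: denied { call } for comm="screencap" scontext=u:r:dumpstate:s0 tcontext=u:r:hal_graphics_allocator_default:s0 tclass=binder permissive=0',
    '[73402.683908] type=1400 audit(1491338955.878:121): avc: denied { read } for pid=18381 comm="generic" path="/data/system_de/0/ringtones/alarm_alert_cache" dev="sda35" ino=2490374 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    rules, enforced = suggest_rules(SAMPLE_LINES)
    for key, rule in sorted(rules.items()):
        print(("BLOCKED " if key in enforced else "logged  ") + rule)
```

The output is candidate rules only: the May 05 entry shows the right next step, which is to argue from what the domain can already do (installd could already delete the underlying files) before adding a rule, and a `logged` line from a permissive-mode device is a prediction of a future denial, not proof that the access is needed.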
- Apr 18, 2017

Carmen Jackson authored
These rules allow the additional tracepoints we need for running traceur in userdebug builds to be writeable.
Bug: 37110010
Test: I'm testing by running atrace -l and confirming that the tracepoints that I'm attempting to enable are available.
Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd
