am: 9ba8ade5

* commit '9ba8ade5':
  Fix MTP sync

Address the following denial:
avc: denied { use } for path="/storage/emulated/0/305512.pdf" dev="fuse"
ino=239 scontext=u:r:kernel:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=fd
permissive=0

Bug: 25068662
Change-Id: Ic29d9569ff387dfd411363db751c3642572c8e85

am: 7b8f9f15

* commit '7b8f9f15':
  audit untrusted_app access to mtp_device

am: 0fc831c3

* commit '0fc831c3':
  Temporarily downgrade to policy version number

android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.

Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4

* commit '1b52ad6b':
  grant priv_app access to /dev/mtp_usb

android.process.media needs access to mtp_usb when MTP is enabled.

Bug: 25074672
Change-Id: Ic48a3ba8e4395104b0b957f7a9bad69f0e5ee38e

* commit 'a910a287':
  Remove untrusted_app access to tmp apk files

Change-Id: I7f17a87595a05967879ccc33326eb80d7bd00251

Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.

Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d

* commit '7f09a945':
  Policy for priv_app domain

Verifier needs access to apk files.
avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0

Give bluetooth_manager_service and trust_service the app_api_service
attribute.
avc:  denied  { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0
avc:  denied  { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0

Bug: 25066911
Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835

* commit '734e4d7c':
  Give services app_api_service attribute

avc:  denied  { find } for service=network_management pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager
avc:  denied  { find } for service=netstats pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=0

Bug: 25022496
Change-Id: Ib6eac76b680fed3eca7e4942c6b0e375f12b6496

* commit 'b1eced68':
  grant webviewupdate_service app_api_service attribute

avc:  denied  { find } for service=webviewupdate pid=11399 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:webviewupdate_service:s0 tclass=service_manager permissive=0

Bug: 25018574
Change-Id: I26a7846d1c80c1ab3842813f4148528030b1106a

neverallow access to untrusted_app and isolated app

Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.

Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d

* commit '63613805':
  Privileged apps require access to cache

gmscore uses cache for updates

Bug: 24977552
Change-Id: I45a713fcfc70b71a2de712e77b64fb9feab67dd7

* commit '745b4406':
  bluetooth.te: Relax bluetooth neverallow rule.

Bug: 24866874

(cherry picked from commit 33a779fe)

Change-Id: I0a9d4a30859b384cb3621c80568ef9da06ad44f6

* commit '43cd0cce':
  allow shell self:process ptrace;

Allow the non-privileged adb shell user to run strace. Without
this patch, the command "strace /system/bin/ls" fails with the
following error:

  shell@android:/ $ strace /system/bin/ls
  strace: ptrace(PTRACE_TRACEME, ...): Permission denied
  +++ exited with 1 +++

Change-Id: I207fe0f71941bff55dbeb6fe130e636418f333ee

* commit '1d2eaf92':
  Allow bluetooth to find the drmservice

* commit 'd62fac7d':
  Remove permissions for untrusted_app

* commit 'ee9c0b5f':
  Add priv_app domain to global seapp_context

Privileged apps now run in the priv_app domain. Remove permissions
from untrusted_app that were originaly added for GMS core, Finsky, and
Play store.

Bug: 22033466
Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be

Assign priviliged apps not signed with the platform key to the priv_app
domain.

Bug: 22033466
Change-Id: Idf7fbe7adbdc326835a179b554f96951b69395bc

* commit '26cdf1e0':
  neverallow: domain:file execute and entrypoint

* commit '82bdd796':
  system_server: (eng builds) remove JIT capabilities

23cde877 removed JIT capabilities
from system_server for user and userdebug builds. Remove the capability
from eng builds to be consistent across build types.

Add a neverallow rule (compile time assertion + CTS test) to verify
this doesn't regress on our devices or partner devices.

Bug: 23468805
Bug: 24915206
Change-Id: Ib2154255c611b8812aa1092631a89bc59a27514b

Occasionally, files get labeled with the domain type rather
than the executable file type. This can work if the author
uses domain_auto_trans() versus init_daemon_domain(). This
will cause a lot of issues and is typically not what the
author intended.

Another case where exec on domain type might occur, is if
someone attempts to execute a /proc/pid file, this also
does not make sense.

To prevent this, we add a neverallow.

Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
Signed-off-by: William Roberts <william.c.roberts@intel.com>