This required for kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.

Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.

Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04

Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>

The previous selinux rules obtained via audit2allow didn't really
work with the case of apps connecting to the producer socket,
despite all the allow rules being correctly in place.
This was failing our CTS tests.

The reason for the failure (see denials pasted below) is due to
Multi Level Security (for multi-user), which was still preventing
apps form a different level to connect to the traced producer
socket and write to the shmem buffers they get passed back.
This CL tags the objects being accessed as mlstrusted.
CTS tests pass with this CL.

Denials:
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383
Bug: 73340039
Test: CtsPerfettoTestCases

In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e

Bug: 30561479

Test: Booted on walleye and verified that read denials of the property
Test: do not generate warnings.
Change-Id: I61a4a7d3a360a6d27d8986eb8f3f9662272233b1
(cherry picked from commit 2f35f5ca)

Bug: 72809699
Test: build
Change-Id: Ifb66ad13557af7d2dc6d3ef823e326a5fba51b24

Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34

And grant explicit exemption from system_executes_vendor_violators
neverallow rules.

This does not change the policy, but is needed to test the violator
attribute for emptiness.

Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791

This reverts commit fad0b04d.

Reason for revert: This change crashed facebook App on dogfood build.

Bug: 72977484
Change-Id: I4f35b00c11afbd4914f572d3cc0378d740403ed2

Bug: 69390067
Bug: 72757373
Test: build sepolicy
Change-Id: I44aeb547ff7ab7042eddfa780df8cbb7dcec71b4

llkd needs the ability to forcibly crash the kernel if
cause is unlikely to result in an orderly shutdown. It
also needs to scan /proc/<pid> for additional process
information.

Test: lmkd_unit_test --gtest_filter=llkd.*
Bug: 33808187
Change-Id: I7f158a13814e79d5ec71fe90dbc7461abb521945

The feature of compatible property has its own neverallow rules and it
is enforced on devices launchig with Android P.

This CL changes hal_nfc to hal_nfc_server in neverallow rules because
sepolicy-analyze doesn't recognize it. Additionally one more neverallow
rule is added to restrict reading nfc_prop.

Bug: 72013705
Bug: 72678352
Test: 'run cts -m CtsSecurityHostTestCases' on walleye with
ro.product.first_api_level=28

Change-Id: I753cc81f7ca0e4ad6a2434b2a047052678f57671

This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb

Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
(cherry picked from commit 1aedf4b5)

Test: Standard Traceur workflow works successfully with no
selinux denials on a user build.
Bug: 64762598
Change-Id: I0dfe506d463b63d70c5bda03f8706041ea7ab448

aosp/605217 adds the following lines:
genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0

However, the m4 pre-processing step of selinux policy compilation outputs:
genfscon tracefs /options/-tgid u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/options/-tgid u:object_r:debugfs_tracing:s0

And as a result of the "print" it prints:
m4: system/sepolicy/private/genfs_contexts: 177:
m4: system/sepolicy/private/genfs_contexts: 203:

Due to the following macro:
https://android.googlesource.com/platform/system/sepolicy/+/oreo-mr1-dev/public/te_macros#580

This change removes the now-deprecated print macro to unblock
aosp/605217.

Bug: 72862003
Test: verify that the m4 output for aosp/605217 is correct.
Change-Id: Ia4ec96e16b98e8df241cceb64e3f3b7bea9a7f3d

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.

Change-Id: Iddbcd05501d360d2adc4edf8ea7ed89816642d26

Instead of getting these permissions, it is better to add the process
to a group or change the permissions of the files it tries to access.

Test: Built the policy for many devices.
Change-Id: If023d98bcc479bebbedeedf525965ffb17a0e331

This CL will allow only specific components to read radio_prop.

Bug: 72459527
Test: tested with walleye
Change-Id: I6b6c90870987de976187ff675005c5d964b48cda

Allow external camera HAL to monitor video device add/removal.

Bug: 64874137
Change-Id: I1a3116a220df63c0aabb3c9afd7450552e6cd417

Remove the untrusted apps and priviledged apps from the group that can
directly access xt_qtaguid module related file. All apps that need to
access app network usage data need to use the public API provided in
framework.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with either wifi is on or off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsNativeNetTestCases
Bug: 68774956 30950746

Change-Id: I9b3db819d6622611d5b512ef821abb4c28d6c9eb

Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd45479)

Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102

vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6

This neverallow exception is not needed.

Bug: 62875318
Test: build walleye, bullhead
Change-Id: Ide37ef9fe7a0e1cc4a1809589f78052007698cf5

The current neverallow rules for compatible properties restrict
domains from write file permissions to the various property files.
This however is the wrong restriction, since only init actually writes
to these property files.  The correct restriction is to restrict 'set'
for 'property_service' as this change does.

Note there is already a restriction preventing {domain -init} from
writing to these files in domain.te.

Test: build
Change-Id: I19e13b0d084a240185d0f3f5195e54065dc20e09

We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9

Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53

Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15

Now that the vendor_init mechanism is in place, this SELinux
restriction will disallow vendor init scripts from touching core data
files as intended with Treble.

Bug: 62875318
Test: None
Change-Id: Ifa50486c48551ba095d2ed8cc6570fc5040c172d

Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial.  This gives the file a new label and gives init the
ability to write it.

Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d

And remove a redundant rule.

Test: sesearch shows no changes to vold's sepolicy.
Change-Id: Icccc18696e98b999968ecbe0fb7862c35575a9b3

This is an experimental feature only on userdebug and eng build.

Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474

so we can dlopen the libraries that are there

Test: build&run

Merged-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855
Change-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855

Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3

Add sepolicy rules to grant wificond permission to use SIOCSIFHWADDR
ioctl. This permission is needed to dynamically change MAC address of
the device when connecting to wifi networks.

Bug: 63905794
Test: Verified manually that wificond can dynamically change MAC
address.

Change-Id: If2c6b955b0b792f706d8438e8e2e018c0b4cfc31

And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5

Test: atest cts/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java
Change-Id: Id9adcec4db2e55f2e41ebd1b018ebc40aa0be404

Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36

These property sets will be long term restricted with
compatible_property but allowing them now eases the transition.

Bug: 62875318
Test: boot marlin without audits for setprop in vendor_init
Change-Id: I25ab565bbf137e382c1dfc3b905b38403645f1d2

Sepolicy for the usb daemon. (ag/3373886/)

Bug: 63669128
Test: Checked for avc denial messages.
Change-Id: I6e2a4ccf597750c47e1ea90c4d43581de4afa4af