Bug: 36899958
Test: Builds 'n' boots.
Change-Id: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
Merged-In: I5836a18f9d0a9a976dda7304045e3b9e1e84565e
(cherry picked from commit c0713e86)

If cppreopts.sh failed to copy files for some reason it would leave
the temporary files sitting around in the data directory. This changes
the selinux rules so that cppreopts is able to get rid of these
temporary files.

Test: phone boots.
Bug: 63995897
Change-Id: I2a7e654c3a3cee7c9f0be8ba64e40c365eee4cfe

This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/



Only, making sure we add the same map permissions for the vendor
directory.

Change-Id: Ia965df2881cdee8bb5d81278a1eb740def582871
Signed-off-by: John Stultz <john.stultz@linaro.org>

Some selinux build packages are defined in embedded.mk,
others are defined in system/sepolicy/Android.mk. Move all
to sepolicy as a dependency of the phony package selinux_policy
which is defined in embedded.mk.

Test: build Marlin (Treble) and Angler (non-Treble)
Merged-In: Ib0443ad3da600447fbb51f2e9f91de04dcf5f9f6
Change-Id: Ib0443ad3da600447fbb51f2e9f91de04dcf5f9f6

am: d90d976e

Change-Id: Id7dc23f6b1c401f350736585222a9e29bf5e3876

am: 109ee5f9

Change-Id: I47562c12713809970d8531b453f08de74c53466f

Denial message:
avc: denied { write } for pid=640 comm="update_verifier" name="kmsg"
dev="tmpfs" ino=13951 scontext=u:r:update_verifier:s0
tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Bug: 64713327
Test: update_verifier logs successfully during boot time.
Change-Id: I421b1e6660239e5ffc624e504f5945d400510407

This is a Qualcomm proprietary service,
and does not belong here.

Test: boot Marlin
Bug: 63391760
Merged-In: If7469051f6cef3e2440f7021ae26c9815ff54820
Change-Id: If7469051f6cef3e2440f7021ae26c9815ff54820

am: 6b780b35  -s ours

Change-Id: I61d2951d682b236e7643b7b81eb5c52f84024950

Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7

Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7

am: 94e2a921

Change-Id: I3cb9bd4305fe3f6d720f757a232d4bb38de98895

Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I6ffe11bc613e88198893e82712719522b74fe1be

am: 7a463809

Change-Id: Iba80938afccd21f0c3b69626223b35c672358e77

Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90

am: 4b547a15

Change-Id: Id5b85ec29220cdbc15aab72ddf4dfbd2d4ef2fc7

Fix the following warnings:

system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by '__s1'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:346:9: warning:
Potential leak of memory pointed to by 'id'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'classperms'
system/sepolicy/tools/sepolicy-analyze/neverallow.c:364:13: warning:
Potential leak of memory pointed to by 'node'

Bug: b/27101951
Test:Warnings are gone.
Change-Id: Ib9b2e0b9f19950b4b764d438ee58340e6c022ef5

am: df964950

Change-Id: I5e793a78ad471b27fdc0bb88596ab23f6ac43dc4

type=1400 audit(1501520483.066:14): avc: denied { write } for pid=3330
comm=4173796E635461736B202331 name="property_service" dev="tmpfs"
ino=10749 scontext=u:r:nfc:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0

Test: No sepolicy denials
Bug: 64010793
Change-Id: I8d73e8e19cd4d0a8c61f1f184820c53e5cc2b6d6

am: 5c41d40e

Change-Id: I6a60af407a6a95e3d48818de28619dc5ba44284f

The only file in /proc/<pid>/ that is world writeable is
/proc/<pid>/timerslack_ns so granting selinux write permission to
a process's /proc/<pid>/ file only allows writing to timerslack_ns
(unless the process is running as system UID).

Addresses denials such as:
avc: denied { write } for comm="Binder:1117_2" name="timerslack_ns"
dev="proc" ino=27908 scontext=u:r:system_server:s0
tcontext=u:r:priv_app:s0 tclass=file permissive=1

Bug: 30675296
Test: build
Change-Id: I2cee8ce73a0dc05d771881c36da2fde5411859fb

am: f1b06df3

Change-Id: I0d98e192600c94f983d7b0347715e2ba6a8b8dab

long live domain.te!

Remove all references.

Bug: 28760354
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a

am: bfbe96ac

Change-Id: I12a2ed20022edf9da528f0ab5941cc5df8e418ab

am: 275f6dd5

Change-Id: I02b2eb1a5bbd0cf3a4bbeffbe70e442ba4cf8ee6

avc: denied { read } for pid=1704 comm="top" name="stat" dev="proc" ino=4026532297 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0
avc: denied { read } for pid=1636 comm="dumpstate" name="lcd-backlight" dev="sysfs" ino=16592 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file permissive=0
avc: denied { call } for pid=2230 comm="dumpsys" scontext=u:r:dumpstate:s0 tcontext=u:r:installd:s0 tclass=binder permissive=0
avc: denied { create } for pid=1700 comm="ip" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_xfrm_socket permissive=0

Bug: 62410287
Bug: 35350306
Change-Id: I65be3678c64214ebeb544e0e155bce88b21adf02
Signed-off-by: Tim Kryger <tkryger@google.com>

Clean up the remaining granted permissions in domain_deprecated.

avc: granted { read open } for comm="uncrypt"
path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible"
dev="sysfs" ino=17591 scontext=u:r:uncrypt:s0
tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { getattr } for comm="uncrypt"
path="/sys/firmware/devicetree/base/firmware/android/compatible"
dev="sysfs" ino=17583 scontext=u:r:uncrypt:s0
tcontext=u:object_r:sysfs:s0 tclass=file

vc: granted { read open } for comm="update_engine"
path="/sys/firmware/devicetree/base/firmware/android/fstab" dev="sysfs"
ino=17258 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine"
path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible"
dev="sysfs" ino=17259 scontext=u:r:update_engine:s0
tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: Id318ce84894c1001361923f5205de093a15c1e6a

am: 4fc64f2f

Change-Id: I7dd6ea7bb5d767afb98a39e56214dd05d4585c93

Test: Built.
Change-Id: Ia5f5b52e10e9411cd87901053675d9e77a622529

Test: I solemnly swear I tested this conflict resolution.

Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5
Change-Id: I1f087fe5e7a71761a16673331619f52998473b44

Relax neverallow rule restricting binder access to/from netd so that
netd can export hwbinder services to vendor components.

Continue to disallow app access to netd via binder.

Bug: 36682246
Test: build
Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f