It should instead write to /data/vendor/wifi.

Bug: 36645291
Test: Built policy.
Change-Id: Ib7ba3477fbc03ebf07b886c60bcf4a64b954934a
(cherry picked from commit cc9b30a1)

Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 63932139
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8bf14466b6431a21bc5ccd4bf6ca3ea)

This reverts commit 016f0a58.

Reason for revert: Was temporarily reverted, merging back in with fix.

Bug: 74486619
Bug: 36427227
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2

/odm partition isn't mandatory and the following symlinks will exist on
a device without /odm partition.

  /odm/app ->/vendor/odm/app
  /odm/bin ->/vendor/odm/bin
  /odm/etc ->/vendor/odm/etc
  /odm/firmware ->/vendor/odm/firmware
  /odm/framework ->/vendor/odm/framework
  /odm/lib -> /vendor/odm/lib
  /odm/lib64 -> /vendor/odm/lib64
  /odm/overlay -> /vendor/odm/overlay
  /odm/priv-app -> /vendor/odm/priv-app

This CL allows all domains to access the symlinks, also removes the
Treble compliance neverallows on them because the actual restrictions
should apply to the real path directly.

Bug: 70678783
Test: boot a device
Change-Id: If1522780a13710d8a592272dc688685cbae29f52
(cherry picked from commit dd6efea2)

This reverts commit eeda6c61.

Reason for revert: broken presubmit tests

Bug: 74486619
Change-Id: I103c3faa1604fddc27b3b4602b587f2d733827b1

Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e

For now, persist.rcs.supported has only vendor-init-settable, but it
turned out that the property should be read by vendor components in
some devices including 2018 Pixels.

Bug: 74266614
Test: succeeded building and tested on a blueline device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true

Change-Id: I926eb4316c178a39693300fe983176acfb9cabec

This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa5ac7eca95f3b21034174a495a6760e47)

Sub directories under /odm (or /vendor/odm when there isn't an odm
partition) are labeled so that artifacts under the sub directories are
treated the same as their counterpart in the vendor partition.

For example, /odm/app/* is labeled as vendor_app_file just like
/vendor/app/*.

Bug: 71366495
Test: m -j

Merged-In: I72a14fd55672cd2867edd88ced9828ea49726694
Change-Id: I72a14fd55672cd2867edd88ced9828ea49726694
(cherry picked from commit 2f101551)

When building userdebug or eng builds, we still want to build the user
policy when checking neverallow rules so that we can catch compile
errors.

Commit c0713e86 split out a helper function but lost one instance of
using user instead of the real variant.  This restores that one and
adds it to the neverallow check.

Bug: 74344625
Test: Added a rule that referred to a type defined only
in userdebug and eng and ensure we throw a compile error when building
userdebug mode.

Change-Id: I1a6ffbb36dbeeb880852f9cbac880f923370c2ae

Test: eSE initializes at boot
Bug: 64881253
Change-Id: Ib2388b7368c790c402c000adddf1488bee492cce
(cherry picked from commit ea3cf000)

Bug: 72177715
Bug: 72384374
Test: flash device and make sure incidentd is getting data without SELinux denials
Change-Id: I684fe014e19c936017a466ec2d6cd2e1f03022c0
(cherry picked from commit 06ac7dba)

Remove a fixed bug from bug_map.

Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef

This should fix presubmit tests.

Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

Update sepolicy permission to allow hostapd to setup
socket for socket based control interface.

Sepolicy denial for accessing /data/vendor/wifi/hostapd/ctrl:
02-23 12:32:06.186  3068  3068 I hostapd : type=1400 audit(0.0:36):
avc: denied { create } for name="ctrl"
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=dir permissive=1

02-23 12:32:06.186  3068  3068 I hostapd : type=1400 audit(0.0:37):
avc: denied { setattr } for name="ctrl" dev="sda35" ino=131410
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=dir permissive=1

02-23 12:32:06.190  3068  3068 I hostapd : type=1400 audit(0.0:38):
avc: denied { create } for name="wlan0"
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=sock_file permissive=1

02-23 12:32:06.190  3068  3068 I hostapd : type=1400 audit(0.0:39):
avc: denied { setattr } for name="wlan0" dev="sda35" ino=131411
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:hostapd_data_file:s0 tclass=sock_file permissive=1

Bug: 73419160
Test: Manual check that softAp works
Change-Id: I2e733e168feceeab2d557f7704832c143e352375

am: 66adf0cd

Change-Id: I88a90ad2fc9243724e4ddb6f9da469857ffd115b

am: caf0139b

Change-Id: I874a41e0072352f5b8a0fc2b0080913c206520e1

am: 1d401545

Change-Id: I7502e6ff1e45c12340b9f830bcc245fd2c80996e

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours am: a0fac585  -s ours
am: 8ded6f42  -s ours

Change-Id: I19963a23f98c60613a511eed2b2f8938317002f8

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours
am: a0fac585  -s ours

Change-Id: I37020b064e0ab86621c567120e362a39cb27ddc3

am: 1ee556ed  -s ours

Change-Id: I3cc14d0b4d61136651c89671d2b134a86fc9450f

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9
am: 0bba3d44  -s ours

Change-Id: I7d9dfa298bc3f7f278284a09b5c47bd2d1c95e1d

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0
am: a401c9f9

Change-Id: I37ef9b2b0ca3ea3012324a13592d60b70645bb8e

am: b7602d76

Change-Id: Ic731e6165c89f205bce4c96fbf760454550acd81

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98