Bug: 109653662
Test: Build policy.
Change-Id: I6c71a8bc24d7a144b801d16f1bcad31fb8f2aba5

Apps targeting API version 28+ are not allowed to access:
/proc/xt_qtaguid/*
/dev/xt_qtaguid

Instant apps should also be excluded from access.

Fixes: 92796393
Test: make -j cts_instant
    cts-instant-tradefed run commandAndExit cts-instant-dev \
    -m CtsPermissionTestCases \
    --test android.permission.cts.FileSystemPermissionTest

Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457

This was defined, but it had no users in the Android tree.
Because of this, ODM manifests required extra sepolicy to be applied
in vendor. Before this, there was no policy split, so that was okay,
but now it is impossible.

Bug: 91735839
Test: add an odm manifest for SE conditional on
    a system property (ro.boot.product.hardware.sku)
    and make sure it is read into the manifest (using
    the vintf tool) and also that a client can get the
$ lshal | grep secure
Y android.hardware.secure_element@1.0::ISecureElement/SIM1                                  0/2        881    2262 567

Change-Id: I94a2928943be6a17416b8bbd78106809c0c21198

And ro.kernel.android.bootanim (used to en/disable boot-anim)

Bug: 79941736
Test: Manual
Change-Id: Ib486903dec92df88b4d33bad6262cbcfc2aa1c4c

Bug: 80466516
Bug: 78598545
This reverts commit 6f6fbebc.

Change-Id: I3c0f374b846241571b5db6f061503f0ea2d6396a

We are not forbidding system_writes_vendor_properties_violators in P,
i.e. this neverallow rule is not strictly enforced.

Bug: 80466516
Bug: 78598545
Test: build policy
Change-Id: Iaf0ebbd2b27adf8c48082caa874e53f32bf999fc

The attribute is used to capture system properties added from outside of
AOSP (e.g. by OEM), but are not device-specific and thus are used only
inside the system partition.

Access to the the system properties from outside of the system partition
is prevented by the neverallow rule.

Bug: 80382020
Bug: 78598545
Test: m -j selinux_policy
Change-Id: I22c083dc195dab84c9c21a79fbe3ad823a3bbb46

Using hal_foo attributes in neverallow rules does not work because
they are auto-expanded to types. Use hal_foo_server types instead.

Fixes the following error:
unit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule: neverallow
{ domain -coredomain -bluetooth -hal_bluetooth } { bluetooth_prop }:
property_service set; Warning! Type or attribute hal_bluetooth used
in neverallow undefined in policy being checked.

Test: CtsSecurityHostTestCases
Bug: 80153368
Change-Id: I2baf9f66d2ff110a4f181423790a1160a6e138da

Bug: 79524845
Test: Boot device and see no denials.
Change-Id: I9316bfd0e3718818a7613a421aedff7da8c87108

Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.

This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it.  This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions

Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa

Bug: 77816522
Bug: 73947096

Test: Flashed device, no denial seen
Change-Id: Ib2f1fc670c9a76abbb9ff6747fec00fa5bcde5af
(cherry picked from commit 62913dbf)

apns downloaded will enter a new directory that
TelephonyProvider can access.

Bug: 79948106
Test: Manual
Change-Id: I1e7660adf020dc7052da94dfa03fd58d0386ac55
Merged-In: I1e7660adf020dc7052da94dfa03fd58d0386ac55

The 'sync' tracepoint was updated to be 'fence' in kernel 4.9, so this
change also adds that one to the list.

Bug: 79935503
Test: Took a trace using 'sync' in user mode and saw the tracepoints
being saved.

Change-Id: I793c6f54cd9364f33853983f8c5dfb28b98c2708

This is needed when ueventd needs to read device tree files
(/proc/device-tree). Prior to acccess, it tries to read
"androidboot.android_dt_dir" from kernel cmdline for a custom
Android DT path.

Bug: 78613232
Test: boot a device without unknown SELinux denials
Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
(cherry picked from commit 98ef2abb)

Test: booted metadata-encrypted device
Bug: 79781913
Change-Id: Ib4cb4a04145e5619994083da055f06fe7ae0137a

This allows Android Keystore to statically register support for 3DES
during zygote initialization based on the device's support for hardware
backed 3DES keys.

Bug: b/79986680
Test: keystore CTS
Change-Id: Ic9a6653cdd623a3ab10e0efbcdb37c437e6c59b9

System properties can be abused to get around Treble requirements of
having a clean system/vendor split.  This CL seeks to prevent that by
neverallowing coredomain from writing vendor properties.

Bug: 78598545
Test: build 2017/2018 Pixels
Test: build aosp_arm64
Change-Id: I5e06894150ba121624d753228e550ba9b81f7677

to workaround some VTS VtsKernelLtp failures introduced by
change on vfs_iter_write here:
https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3

for discussion please check threads here:
https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html



Sandeep suggest to re-order the events in that thread,
that should be the right solution,
this change is only a tempory workaround before that change.

Bug: 79528964
Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit

Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
(cherry picked from commit 64ff9e95)
Merged-In: I3f46ff874d3dbcc556cfbeb27be21878574877d1

For automotive (and I assume for other verticals) it make sense to keep
vertical-specific policies outside of /system/sepolicy as those not used
by the phones. However, there's no way to do it rather than using
BOARD_PLAT_{PUBLIC|PRIVATE}_SEPOLICY_DIR build variables.

Bug: 70637118
Test: lunch bat_land-userdebug && m
Test: verify it builds, boots and logs seems to be reasonable
Test: enable full treble for aosp_car_x86 - verify it builds, boots and
no denials in the logs

Change-Id: Ia5fd847f7a6152ff6cf99bbbc12e1e322f7946ab

Mtp needs access to this path in order to
change files on an sdcard.

Fixes denial:

05-14 17:40:58.803  3004  3004 W MtpServer: type=1400 audit(0.0:46):
avc: denied { search } for name="media_rw" dev="tmpfs" ino=10113
scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
b/77925342 app=com.android.providers.media

Bug: 77849654
Test: no denials using mtp with emulated sdcard
Change-Id: I27b5294fa211bb1eff6d011638b5fdc90334bc80

Add an exemption to neverallow rule to use sockets from HAL servers only
for automotive build

Bug: 78901167
Test: assign this attribute to hal_vehicle_default and try to open
socket from HAL implementation
Test: verify that new CTS test will fail for non-automotive build with
this attribute buing used
Test: make cts && cts-tradefed run singleCommand cts --skip-device-info
 --skip-preconditions --abi arm64-v8a --module CtsSecurityHostTestCases
 -t android.security.cts.SELinuxHostTest

Change-Id: I27976443dad4fc5b7425c089512cac65bb54d6d9