Fast system -> lock wallpaper migration wants rename, not copy.

Bug 27599080

Change-Id: I4b07dff210fe952afb4675eecba3c5f7bf262e83

There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. In this case
the device node links used to compute the SELinux context are not known
and the node is created under the generic context: u:object_r:block_device:s0.

Ueventd has been patched to relabel the nodes on subsequent add events but
it needs permissions to be allowed to do it.

BUG=28388946

Signed-off-by: Mihai Serban <mihai.serban@intel.com>

(cherry picked from commit d41ad551)

Change-Id: I26838a3a9bc19b341e7176e5dc614827232014bf

It doesn't ever make sense to attempt to load executable code
from these files. Add a neverallow rule (compile time assertion and
CTS test).

Bug: 27882507

(cherry picked from commit 50ba6318)

Change-Id: Ifab6e46a077a87629b4d3c7ada1050f2ab6931d5

The misc_block_device partition is intended for the exclusive
use of the OTA system, and components related to the OTA system.
Disallow it's use by anyone else on user builds. On userdebug/eng
builds, allow any domain to use this, since this appears to be used
for testing purposes.

Bug: 26470876

(cherry picked from commit 2c7a5f26)

Change-Id: I40c80fa62651a0135e1f07a5e07d2ef65ba04139

It doesn't make any sense for debuggerd to ever attempt to ptrace
itself. A debuggerd crash can't be debugged via debuggerd.

Bug: 28399663
Change-Id: I710d474e89d121385ef423b7bed9673a90e0759b

TIOCGWINSZ = 0x00005413

avc: denied { ioctl } for comm="ls" path="socket:[362628]" dev="sockfs" ino=362628 ioctlcmd=5413 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0

Bug: 28171804
Change-Id: I460e2469730d0cd90d714f30803ef849317d4be7

camera_device was previously removed in AOSP commit: b7aace2d
"camera_device: remove type and add typealias" because the
same domains required access to both without exception, meaning
there was no benefit to distinguishing between the two. However,
with the split up of mediaserver this is no longer the case and
distinguishing between the camera and video  provides a legitimate
security benefit. For example, the mediacodec domain requires access
to the video_device for access to hardware accelerated codecs but does
not require access to the camera.

Bug: 28359909
Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232

bug: 22990512
Change-Id: I39baf6594cfcf56f5461ba54a7cdf6c9e161d834

The boot_control HAL is library loaded by our daemons (like
update_engine and update_verifier) that interacts with the bootloader.
The actual implementation of this library is provided by the vendor and
its runtime permissions are tied to this implementation which varies a
lot based on how the bootloader and the partitions it uses are
structured.

This patch moves these permissions to an attribute so the attribute can
be expanded on each device without the need to repeat that on each one
of our daemons using the boot_control HAL.

Bug: 27107517

(cherry picked from commit 0f8d9261)

Change-Id: Icb2653cb89812c0de81381ef48280e4ad1e9535c

Bug: 28348382
Change-Id: Iaab1430750dfbb997900d3d70993c9fff2a8745d

Give mount & chroot permissions to otapreopt_chroot related to
postinstall.

Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.

Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7

* changes:
  allow system server to set log.tag.WifiHAL
  limit shell's access to log.* properties

Define SIOCKILLADDR.

Define wireless extension private types between SIOCIWFIRSTPRIV-
SIOCIWLASTPRIV SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST and
SIOCDEVPRIVATE-SIOCDEVPRIVLAST

Change-Id: I0237dec9e3ffb030ce6573dfa9b81835b7f4f95e

Specifically, backup of wallpaper imagery needs to use hard links to
achieve "real file" access to the large imagery files without rewriting
the contents all the time just to stage for backup.  They can't be
symlinks because the underlying backup mechanisms refuse to act on
symbolic links for other security reasons.

Bug 25727875

Change-Id: Ic48fba3f94c92a4b16ced27a23646296acf8f3a5

On eng and userdebug builds (only), allow system server
to change the value of log.tag.WifiHAL. WifiStateMachine
will set this property to 'D' by default. If/when a user
enables "Developer options -> Enable Wi-Fi Verbose Logging",
WifiStateMachine change log.tag.WifiHAL to 'V'.

BUG=27857554
TEST=manual (see below)

Test detail
1. on user build:
   $ adb shell setprop log.tag.WifiHAL V
   $ adb shell getprop log.tag.WifiHAL
   <blank line>
   $ adb bugreport | grep log.tag.WifiHAL
   <11>[  141.918517] init: avc:  denied  { set } for property=log.tag.WifiHAL pid=4583 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:wifi_log_prop:s0 tclass=property_service permissive=0
   <11>[  141.918566] init: sys_prop: permission denied uid:2000  name:log.tag.WifiHAL
2. on userdebug build:
   $ adb shell getprop log.tag.WifiHAL
   $ <blank line>
   $ adb shell setprop log.tag.WifiHAL V
   $ adb shell getprop log.tag.WifiHAL
   V
3. on userdebug build with modified WifiStateMachine:
   $ adb shell getprop log.tag.WifiHAL
   D

Change-Id: I9cdd52a2b47a3dd1065262ea8c329130b7b044db

Restrict the ability of the shell to set the log.*
properties. Namely: only allow the shell to set
such properities on eng and userdebug builds.

The shell (and other domains) can continue to
read log.* properties on all builds.

While there: harmonize permissions for log.* and
persist.log.tag. Doing so introduces two changes:
- log.* is now writable from from |system_app|. This
  mirrors the behavior of persist.log.tag, which is
  writable to support "Developer options" ->
  "Logger buffer sizes" -> "Off".
  (Since this option is visible on user builds, the
  permission is enabled for all builds.)
- persist.log.tag can now be set from |shell| on
  userdebug_or_eng().

BUG=28221972
TEST=manual (see below)

Testing details
- user build (log.tag)
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag
  <blank line>
  $ adb bugreport | grep log.tag.foo
  [  146.525836] init: avc:  denied  { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0
  [  146.525878] init: sys_prop: permission denied uid:2000  name:log.tag.foo
- userdebug build (log.tag)
  $ adb shell getprop log.tag.foo
  <blank line>
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag.foo
  V
- user build (persist.log.tag)
  $ adb shell getprop | grep log.tag
  <no match>
  - Developer options -> Logger buffer sizes -> Off
  $ adb shell getprop | grep log.tag
  [persist.log.tag]: [Settings]
  [persist.log.tag.snet_event_log]: [I]

Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75

Bug: 28251026
Change-Id: I73dce178b873d45e703896f12c10325af2ade81d

Doesn't appear to be needed anymore.

Change-Id: I7a1fcf4c17fa69c313daebb87c9b0bf654169ee0

Bug: 27549740
Change-Id: I3f646984fbd9cbcb58636d158a9ac0afc5a930ce

(cherry picked from commit 6ba383c5)

Restrict unix_dgram_socket and unix_stream_socket to a whitelist.
Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.

Neverallow third party app use of all ioctls other than
unix_dgram_socket, unix_stream_socket, netlink_selinux_socket,
netlink_route_socket, tcp_socket, udp_socket and rawip_socket.

Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab

(cherry picked from commit 1df23cbf)

This does not appear needed anymore.

Bug: 27549740
Change-Id: I3128ab610c742b18008f4cfc2a7116b210f770e7

Add a neverallow rule (compile time assertion + CTS test) that
isolated_apps and untrusted_apps can't do anything else but append
to /data/anr/traces.txt. In particular, assert that they can't
read from the file, or overwrite other data which may already be
in the file.

Bug: 18340553
Bug: 27853304

(cherry picked from commit 369cf8cd)

Change-Id: Ib33e7ea0342ad28e5a89dfffdd9bc16fe54d8b3d

Bug: 28179196

Change-Id: I580f0ae2b3d86f9f124195271f6dbb6364e4fade

Bug: 28169802
Change-Id: Ibc063470a42601ea232b1fa535663641a761eea7

Bug: 28049120
Change-Id: Id288092402f36daafc3347db9b62d341a1de2eb3

Bug: 28165026
Change-Id: I3deecd692b348dbb28bf1d36a88696e4bc1db92d

Move from privileged macro to unprivileged.

Bug: 28164785
Change-Id: Ide39dc0009871c209249a41e574e84009ac47380

1. Allow the system server to create the dns_listener service.
2. Allow netd to use said service.

Change-Id: Ic6394d7b2bdebf1c4d6cf70a79754a4996e943e2