  1. May 22, 2017
    • system_server: replace sys_resource with sys_ptrace · 3d8dde0e
      Nick Kralevich authored
      Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
      CAP_SYS_RESOURCE as a capability check which would allow access to
      sensitive /proc/PID files. However, in an SELinux based world, allowing
      this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
      (without :process ptrace) already provides.
      
      Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.
      
      Test: Device boots, functionality remains identical, no sys_resource
      denials from system_server.
      Bug: 34951864
      Bug: 38496951
      Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
      (cherry picked from commit 44866954)
  2. Dec 06, 2016
    • label /bugreports · 87a56541
      Nick Kralevich authored
      /data/bugreports is moving to /bugreports
      
      Bug: 27262109
      Bug: 27204904
      Bug: 32799236
      Test: new symlink is in /bugreports and is labeled correctly
      
      (cherry picked from commit d314376d)
      
      Change-Id: Ia9aca3ff642b2171e9b0ece7c2b420a0d38006cc
  3. Nov 17, 2016
  4. Oct 06, 2016
  5. Sep 23, 2016
  6. Sep 07, 2016
  7. Aug 23, 2016
    • fix build: exclude bluetooth from neverallow restriction · 7e380216
      Nick Kralevich authored
      Bluetooth is sometimes started from init.
      
      Addresses the following compiler error:
      
        libsepol.report_failure: neverallow on line 489 of
        system/sepolicy/domain.te (or line 9149 of policy.conf) violated by
        allow init bluetooth:process { transition };
        libsepol.check_assertions: 1 neverallow failures occurred
        Error while expanding policy
      
      Change-Id: I2bc1e15217892e1ba2a62c9683af0f3c0aa16b86
  8. Aug 22, 2016
    • Remove platform_app from neverallow execute from /data · c55cf17a
      Nick Kralevich authored
      Apparently some manufacturers sign APKs with the platform key
      which use renderscript. Renderscript works by compiling the
      .so file, and placing it in the app's home directory, where the
      app loads the content.
      
      Drop platform_app from the neverallow restriction to allow partners
      to add rules allowing /data execute for this class of apps.
      
      We should revisit this in the future after we have a better
      solution for apps which use renderscript.
      
      Bug: 29857189
      Change-Id: I058a802ad5eb2a67e657b6d759a3ef4e21cbb8cc
    • Rework neverallow for /data execute permission · eedacf83
      Eino-Ville Talvala authored
      Previously appdomains allowed to execute off of /data
      were whitelisted. This had the unfortunate side effect of
      disallowing the creation of device specific app domains
      with fewer permissions than untrusted_app. Instead grant
      all apps a neverallow exemption and blacklist specific app
      domains that should still abide by the restriction.
      
      This allows devices to add new app domains that need
      /data execute permission without conflicting with this rule.
      
      Bug: 26906711
      
      (cherry picked from commit c5266df9)
      
      Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924
  9. Jul 22, 2016
  10. Jul 13, 2016
  11. Jun 23, 2016
  12. Jun 21, 2016
  13. Jun 16, 2016
  14. Jun 15, 2016
    • Allow installd to delete the foreign-dex folder · a4e2aa13
      Amith Yamasani authored
      Grant installd the policies to recursively delete
      the foreign-dex folder when removing a user. Otherwise
      the user cleanup will partially fail and cause a boot loop
      when the userId is reused at some later point.
      
      Bug: 29285673
      Change-Id: I023f150cffbeb10b6014f48bca9eb0922c2d630a
  15. Jun 14, 2016
    • Keep pre-existing sysfs write permissions. · 17cfd3fc
      dcashman authored
      Commit: b144ebab added the sysfs_usb
      type and granted the read perms globally, but did not add write
      permissions for all domains that previously had them.  Add the ability
      to write to sysfs_usb for all domains that had the ability to write to
      those files previously (sysfs).
      
      Address denials such as:
      type=1400 audit(1904.070:4): avc:  denied  { write } for  pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0
      
      Bug: 28417852
      Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
    • Add SIOCGSTAMP SIOCGSTAMPNS to unpriv_sock_ioctls · 92e79e22
      Nick Kralevich authored
      Per "man socket":
      
        SIOCGSTAMP
        Return a struct timeval with the receive timestamp of the last packet
        passed to the user. This is useful for accurate round trip time
        measurements. See setitimer(2) for a description of struct timeval.
        This ioctl should only be used if the socket option SO_TIMESTAMP is
        not set on the socket. Otherwise, it returns the timestamp of the last
        packet that was received while SO_TIMESTAMP was not set, or it fails
        if no such packet has been received, (i.e., ioctl(2) returns -1 with
        errno set to ENOENT).
      
      Addresses the following denial:
      
      avc: denied { ioctl } for comm=6E6574776F726B5F74687265616420
      path="socket:[42934]" dev="sockfs" ino=42934 ioctlcmd=8906
      scontext=u:r:untrusted_app:s0:c512,c768
      tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket permissive=0
      
      Bug: 29333189
      Change-Id: I916a695fa362cf1cf6759629c7f6101e9f657e7d
  16. Jun 13, 2016
  17. Jun 10, 2016
    • reduce mediaserver permissions · f8f4d3e1
      Marco Nelissen authored
      It no longer needs access to audio and camera
      
      Bug: 22775369
      Change-Id: I1de1f0e3504b214d6943733bf60eb83654b71048
    • Allow access to sysfs usb nodes. · b144ebab
      dcashman authored
      Some legitimate functionality currently requires direct sysfs access
      that is not otherwise possible via the android APIs.  Specifically,
      isochronous USB transfers require this direct access, without which USB
      audio applications would noticeably suffer.
      
      Grant read access to the usb files under /sys/devices to prevent this
      regression.
      
      Bug: 28417852
      Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728
  18. Jun 09, 2016
  19. Jun 08, 2016
  20. Jun 07, 2016
  21. Jun 06, 2016
  22. Jun 03, 2016
  23. Jun 02, 2016
    • sepolicy: broaden system_server access to foreign_dex_data_file. · d82df3bd
      Narayan Kamath authored
      The system_server needs to rename these files when an app is upgraded.
      
      bug: 28998083
      Change-Id: Idb0c1ae774228faaecc359e4e35603dbb534592a
    • expose control over unpriv perf access to shell · 7005e25e
      Daniel Micay authored
      (Cherry picked from commit 38ac77e4)
      
      This allows the shell user to control whether unprivileged access to
      perf events is allowed.
      
      To enable unprivileged access to perf:
      
          adb shell setprop security.perf_harden 0
      
      To disable it again:
      
          adb shell setprop security.perf_harden 1
      
      This allows Android to disable this kernel attack surface by default,
      while still allowing profiling tools to work automatically. It can also
      be manually toggled, but most developers won't ever need to do that if
      tools end up incorporating this.
      
      Bug: 29054680
      
      Change-Id: Idcf6a2f6cbb35b405587deced7da1f6749b16a5f
  24. Jun 01, 2016
  25. May 27, 2016
  26. May 26, 2016