am: 8f0abfec

Change-Id: Id2a898b91932fa74389586bb534cb1dba3bfe26c

am: 1c05f800

Change-Id: Icb9150c5828272df8ccfce8a4145df2f3c987c45

am: 63211f8d

Change-Id: If8aa9152a643522fc896b7a412d3fafb19043649

am: e43f5c97

Change-Id: I40ee71a3473e23a29b370cdc8be7cabd8e8245fc

am: e2f8626e

Change-Id: If401e4107787e6620ed31115c45b7d594812dbe5

am: 871e44c4

Change-Id: I1c261dc247b93306c6d1a70dd0014532c84843c5

am: 23bf2d44

Change-Id: Ib9d7b139d7792eedf3c8963cdc12fbe9f194f0f4

am: 3d49330b

Change-Id: I1ceaf1d95f07b8c4635a6055384cf6dcff932d51

am: 6456542f

Change-Id: I353c8d695a5c995f72fe865f27682a05011f8f55

ASAN builds may require additional permissions to launch processes
with ASAN wrappers. In this case, system_server needs permission to
execute /system/bin/sh.

Create with_asan() macro which can be used exclusively on debug
builds. Note this means that ASAN builds with these additional
permission will not pass the security portion of CTS - like any
other debug build.

Addresses:
avc: denied { execute } for name="sh" dev="dm-0" ino=571
scontext=u:r:system_server:s0 tcontext=u:object_r:shell_exec:s0
tclass=file

Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are granted.
Test: lunch aosp_marlin-userdebug;
      cd system/sepolicy; mm;
      Verify permissions granted using with_asan() are not granted.
Test: lunch aosp_marlin-user;
      cd system/sepolicy; mm SANITIZE_TARGET=address;
      Verify permissions granted using with_asan() are not granted.
Bug: 36138508
Change-Id: I6e39ada4bacd71687a593023f16b45bc16cd7ef8

/proc/interrupts may be dumped by dumpstate HAL if required.

Bug: 36486169
Test: 'adb shell bugreport' on sailfish

Change-Id: Ifc41a516aeea846bc56b86b064bda555b43c58ed
Signed-off-by: Sandeep Patil <sspatil@google.com>

Merge "wpa_supplicant: Remove unnecessary permissions from system_server" am: e1a350a0 am: 79005214
am: 180a6882

Change-Id: Ic5e8018fd106a645d24f52b8502fff3e4c603f7e

am: 79005214

Change-Id: Icf0aefc596f8c3df64be9bc68b4c1f4243059747

am: e1a350a0

Change-Id: Ib2f28bdd5aa8dc1a6641f3f114965ac3ddec17e2

vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Change-Id: Ifbf536932678d0ff13d019635fe6347e185ef387

am: acc1701f

Change-Id: I7b732b74d4495c9b6aede9530e7944b5b3e07584

am: 6fcbd0f5

Change-Id: Ibc6947686cc6edf439e25cda9aaf5b1444da6c8c

am: cc45b87c

Change-Id: I17fe3e79b7f673a0703be5be7bb93838cd2f7ed6

am: 52cc23c9

Change-Id: I02062a80ab0a489c0e00f7890ecdcd0731ced405

am: a6445395

Change-Id: I7c47721f7fd0c30ce20c4948e412c1bb0d5b34f1

am: bbe7213f

Change-Id: I0c82b4e73e54cf7ac1f434c97558bd3cef3c36e7

Now that the android wifi framework has fully switched over to HIDL,
remove the sepolicy permissions for accessing wpa_supplicant using
socket control interface.

While there, also removed the redundant |hwbinder_use|.

Bug: 35707797
Test: Device boots up and able to connect to wifi networks.
Test: Wifi integration tests passed.
Change-Id: I55e24b852558d1a905b189116879179d62bdc76c

Prevent app domains (processes spawned by zygote) from acquiring
locks on files in /system. In particular, /system/etc/xtables.lock
must never be lockable by applications, as it will block future
iptables commands from running.

Test: device boots and no obvious problems.
Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b

Test: no denials seen
Bug: 36278706
Change-Id: I78d6fc84073a6ca006fb2b1ef95c73935cc9a1e0

Test: no neverallows triggered
Bug: 36494354
Change-Id: I52e21a9be5400027d4e96a8befdd4faaffb06a93

am: 5939dc8d

Change-Id: I9e97e5dede3b58db66dc3391e48f247b890e82d7

am: 52c5bde4

Change-Id: Ie51eefe6c99adc6d266c96c15dae6df81363109c

am: dfded77d

Change-Id: I3a6e966ad54f4ea505dacb5c60269cc733e9212c

am: fbd22279

Change-Id: I3c1c3d20bd28b656087643891b3a7d37aed6e01c

am: 9d5f97b3

Change-Id: Ic75010f7e11129e879a7eea1605969f2511f6fc9

am: 6de0d9a7

Change-Id: I7f971d6f1a9fe4247490070f2f00bede2b828494