am: 1f447485

Change-Id: Ia504ee90ef703fd46f6021e2b893f8f4104a4b65

am: 5670dd1f

Change-Id: I13a91e18ba39271693fa7d2cdae641882e533806

Test: n/a
Change-Id: I7041cc0f17ece86c01db1d9c17f68b58473cf27c

am: 2732f149

Change-Id: Icaf1a00c58252fa8aee8aefd4b25df5dafb94107

CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02

Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8

am: 7a567e3a

Change-Id: I729a92e34531f6726372b5639c94dcbd49edbe25

am: a099830e

Change-Id: Ia34c9097e45d7d68dfffc2a90cf1306ff2ce0e9c

This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: Ib17d2a5e1635ff661d39d14169652f88b7a6e4f5

Bug: 72809699
Test: build
Change-Id: Ifb66ad13557af7d2dc6d3ef823e326a5fba51b24

am: d388f370

Change-Id: Id3a7f0adc0ee9c20a219174c90a184d8d50acfc8

am: 3721b051

Change-Id: Ice083b2e11c0fb3daefbe64eba4adb9632ba0774

This should fix presubmit tests.

Bug: 73128755
Test: Built policy.
Change-Id: Ie389de04360090594e627e629a59a60092dda6ca

am: 74e408c4

Change-Id: Ie54bee4b5bb68460394e552305a16c61e62405a1

Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34

am: 8c87c2ad

Change-Id: I0e0aa1f84fce0bcf4fe6912f453ff6c9221e6c2d

am: 9eb4de16

Change-Id: I6343d29e2f4d4298c40ef782d7aa85825eccf7e8

am: 3dff9ab4

Change-Id: I6080271008eff31de9bf407250cf64c4001f8ff4

am: 8c8ed1f0

Change-Id: I51f11f3d4296ed4a349221c567b953499576c31d

* changes:
  Use PLATFORM_SEPOLICY_COMPAT_VERSIONS
  Move PLATFORM_SEPOLICY_VERSION to make/core/config.mk

am: 5d6077bc

Change-Id: Ibb74ddbd3ca4352ad6b47cf0c783367733e6a1a8

Test: m framework_compatibility_matrix.xml -j
Test: device boots

Bug: 67920434
Bug: 69390067

Change-Id: I3461873c22f704b9bbaa3a4e6f7e1df34d6b61a3

This is a list of sepolicy versions that the framework supports.

Test: builds and boots

Bug: 67920434
Change-Id: I0f408fa3967214b47a64101760dbbb2542023dcf

Bug: 72878750
Test: build sepolicy
Change-Id: Ifa6822e042beed0e5971c85155aa526912807c8a

And grant explicit exemption from system_executes_vendor_violators
neverallow rules.

This does not change the policy, but is needed to test the violator
attribute for emptiness.

Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791

This should fix presubmit tests.

Bug: 73068008
Test: Built policy.
Change-Id: Ib27fbad2803eb86ff12526f0ae42eb35917ce59b

am: 4e9b1c6b

Change-Id: I062afe1974bacf4795271ca93029ceb871eff6b0

am: 17aa011d

Change-Id: Id8e2a441c6fa2e80ac59136246ec6b6ac3885aa8

am: 2904db67

Change-Id: I1905f28cdcfee2e96d69ffde8adfe77865a882d2

* changes:
  Add 27.0 mapping file to system image.
  Add missing types to 27.0[.ignore].cil.
  Temporary fix to avoid expandattribute value conflicts.
  Remove reboot_data_file from 27 mapping file.