- Nov 20, 2017
-
-
Jeff Vander Stoep authored
am: d4785c37 Change-Id: I41603590882cb4d70cb1636af5902edad1af0118
-
Jeff Vander Stoep authored
Sharing data folders by path will be disallowed because it violates the approved API between platform and vendor components tested by VTS. Move all violating permissions from core selinux policy to device specific policy so that we can exempt existing devices from the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye
Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e
-
- Nov 17, 2017
-
-
Jeff Vander Stoep authored
am: 0f5ad4e5 Change-Id: Idcf4b52877a51c2c330a72ba416076c686e29535
-
Jeff Vander Stoep authored
Exclude vendor processes.
Bug: 69309298
Test: cts-tradefed run cts -m CtsCompilationTestCases
    completed in 33s. 5 passed, 0 failed
Test: runtest frameworks-services -c \
    com.android.server.pm.dex.DexoptOptionsTests \
    --install=".*FrameworksServicesTests.apk"
    OK (5 tests)
Change-Id: Ic02caf373e2214b4b931a724ca8d4f4effbc0741
-
Tri Vo authored
-
Chenbo Feng authored
am: cd753d11 Change-Id: I01a332c51aa4a5c62e5b2bb4ba13565b48c46b88
-
Treehugger Robot authored
-
Vishnu Nair authored
am: 97c86514 Change-Id: I170162843b04280105c76d4e5d7a8d3f89583588
-
Treehugger Robot authored
-
Tri Vo authored
Added access to proc_uptime and proc_asound to address these denials:
avc: denied { read } for name="uptime" dev="proc" ino=4026532080 scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/asound/version" dev="proc" ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0 tclass=file permissive=1
Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers no denials from 'shell' domain to 'proc' type.
Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
-
Tri Vo authored
-
Vishnu Nair authored
- Allow system_server to create and write to /data/misc/wmtrace/*
- Allow surfaceflinger to create and write files from /data/misc/wmtrace/*
- Allow dumpstate to read files from /data/misc/wmtrace/*
permissions are restricted to userdebug or eng builds
Bug: 64831661
Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root service call SurfaceFlinger 1025 i32 1 >/dev/null && adb shell su root service call SurfaceFlinger 1025 i32 0 >/dev/null
Test: adb bugreport ~/tmp.zip && adb shell su root dmesg | grep 'avc: '
Change-Id: I0b15166560739d73d7749201f3ad197dbcf5791c
-
Treehugger Robot authored
-
Tri Vo authored
Bug: 65643247
Test: cts-tradefed run cts-dev -m \
    CtsMediaTestCases --compatibility:module-arg \
    CtsMediaTestCases:include-annotation:\
    android.platform.test.annotations.RequiresDevice
    No denials from mediaserver domain to sysfs type are observed.
Change-Id: Icb5c12f04af213452d82e226993fe13085c5c33f
-
- Nov 16, 2017
-
-
Jeff Vander Stoep authored
am: 13c69b89 Change-Id: I81e8cc02afa5b87419a4e70ab46a70ca43b85c43
-
Tri Vo authored
Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give system_server access to it.
Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
-
Jeff Vander Stoep authored
Only getattr and read are necessary for lnk_file. Open violates a new neverallow for separating system and vendor data.
Bug: 34980020
Test: Enroll fingerprint on Taimen
Change-Id: I9434afbd5b4ecc1ead9f0ba47c7582fb5a6c6bf0
-
Nicolas Geoffray authored
am: 0d7e5047 Change-Id: I29fd343005136d580763eff843fa94e8e3318c06
-
Nicolas Geoffray authored
-
Calin Juravle authored
This reverts commit 248b6dc6.
Reason for revert: The dashboard complains that devices don't boot after this revert.
Change-Id: I6a4648b64b096cbaa97c67aae6bc38b76d54cb48
-
Tom Cherry authored
am: 5984301a Change-Id: I7e6c4733471f5954a16f991adddda3657844b47d
-
Treehugger Robot authored
-
Calin Juravle authored
am: 248b6dc6 Change-Id: Ie2990b86b85fbe29565ca7957fbce6b6121abec1
-
- Nov 15, 2017
-
-
Tom Cherry authored
Copy init's dontaudit for sysfs:dir write; to calm the below denials:
avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
Bug: 62875318
Test: use pixel + factory reset + vendor_init
Change-Id: I686b51c4f340b3565ea24f00516ebde846be7a89
-
Calin Juravle authored
This reverts commit d1cf3a40.
Reason for revert: It breaks CTS b/69309298 and other platform tests which read pm.dexopt properties.
Change-Id: I5c7cde041113e9c19bb23218edd99f699fcf4a06
-
Chenbo Feng authored
After moving the qtaguid control interface into netd, netd needs to open the xt_qtaguid resource tracking misc dev to make sure the xt_qtaguid module is successfully initialized before taking action. This selinux rule change allows netd to do so and it is the same privilege normal apps currently have.
Test: No more selinux denials on netd access qtaguid_device
Bug: 30950746
Change-Id: I79a98bbda3f3fdb85140a06a7532cdcc4354c518
-
Tri Vo authored
-
Treehugger Robot authored
-
Jeffrey Vander Stoep authored
am: 81e03cb4 Change-Id: I8ea9c5c110e0be90bd05a83b3ca94a823e73e847
-
Jeffrey Vander Stoep authored
-
Tri Vo authored
Bug: 65643247
Test: aosp_walleye-userdebug builds
Test: aosp_sailfish-userdebug builds
Change-Id: Iaebd368b84259783fbdc4778988bdb7ba0df300b
-
Tri Vo authored
Fixes these denials:
avc: denied { read } for pid=585 comm="charger" name="state" dev="sysfs" ino=18844 scontext=u:r:charger:s0 tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1
avc: denied { open } for pid=585 comm="charger" path="/sys/power/state" dev="sysfs" ino=18844 scontext=u:r:charger:s0 tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1
Test: above denials not observed in charger mode.
Change-Id: I5660e63315fada7f24d6cfe2e0bd2b383b556670
-
Tianjie Xu authored
am: 29fc85ee Change-Id: I888a076a056c08491d1185478b04ffce64af7ff2
-
- Nov 14, 2017
-
-
Jeff Vander Stoep authored
avc: denied { search } for name="com.sf.activity" dev="sda35" ino=1444147 scontext=u:r:crash_dump:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
avc: denied { search } for comm="crash_dump64" name="com.android.bluetooth" dev="sda13" ino=1442292 scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_data_file:s0 tclass=dir
avc: denied { search } for comm="crash_dump64" name="overlay" dev="dm-1" ino=938 scontext=u:r:crash_dump:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0
Bug: 68705274
Bug: 68319037
Test: build
Change-Id: I44075ac6bf6447d863373c97ba10eadf59d2d22f
-
Tianjie Xu authored
There's a selinux denial for update_engine after go/aog/530462; the denial is likely due to the setgid bit of the update_engine_log_data_file.
Message:
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:4): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
11-11 02:07:54.843 870 870 I auditd : type=1400 audit(0.0:5): avc: denied { fsetid } for comm="update_engine" capability=4 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
Bug: 69197466
Test: denial message gone on sailfish.
Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf
-