am: ee8b67df

Change-Id: Ic2fe390f95f0be43ad39a50366e0300a398aa0ad

Destroy the policy before exiting (for successful = expected runs).

Bug: 37757759
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I67e35fbede696ec020a53b69a6cef9f374fae167

am: 608969b3

Change-Id: I99225c48524600248d3d76a56368dc96da67caa0

am: db5962ce

Change-Id: I4ce4248dd0f780c1d466a7798a159d854d30a09a

This was accidentally omitted from all_untrusted_app

While I'm here, split across mutiple lines and alphabetize.

Test: policy compiles.
Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51

am: 224b4eac

Change-Id: I2b9ef653a1d4b21661fb07a1634b2e8af75c826b

These were missing when the sepolicy was migrated.

Addresses denials:

E SELinux : avc:  denied  { find } for service=drm.drmManager pid=11769
uid=10018 scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for
path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg"
dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0
tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0

Bug: 37685394
Bug: 37686255
Test: Sync files
Test: Open downloaded file

Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d

am: 2e8b0004

Change-Id: I2e8648728c5e63037686981c154d16c3010ac095

Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

am: 327d7cb9

Change-Id: Ie9399516244e38f0c5f57205fe9f0da35aec8ba7

Bluetooth needs the capability to set audio-related threads to be RT
scheduled.  Grant it sys_nice.

system_server needs to set priority for the Bluetooth HAL.  Allow it.

Bug 37518404
Test:  Play Bluetooth audio, confirm RT scheduling with systrace
Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f

am: 35fd3212

Change-Id: I2f2fa16dc59bcd3f13ed9525a6f68bc87d26ab3b

Remove neverallow exemption allowing other processes to run in
the bluetooth app's selinux domain.

The bluetooth domain is intended to host the zygote spawned
bluetooth app. It is not intended to host other bluetooth related
processes. Please define new domains for these processes.

Test: build Marlin
Change-Id: I1fd3dd0fe85f73457d77b63a65b4307821cbd41c

am: 5684f61f

Change-Id: Ib0a65258afbe3828cd9d5e9921fc42893c729a5e

Allow the shell user to run tzdatacheck, which is required
to enable a new host side test.

This change also adds some additional checks to
tzdatacheck.te to ensure that OEMs opening up permissions
further don't accidentally create a security hole.

Bug: 31008728
Test: Ran CTS
Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36

am: 47061e59

Change-Id: I924bfbc908321e321ca464adf8017bd3e212450f

am: a61f7f60

Change-Id: I5a0ff1b9233deb5ab7a6f4eb63498bbbefc169b3

Bug: 37476041
Test: make, pair and connect to HID device
Change-Id: Ic7e81382994769e3f3a91255dcf3624edeaf6bfd

The PackageManager now passes previous code paths to dex2oat as shared
libraries. dex2oat needs extra permissions in order to access and open
the oat files of these libraries (if they were compiled).

Part of a multi-project change.

Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module
CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests

Merged-In: I7b9cfd7f3c3509f3e41f0590ab650bd85faab340
(cherry-picked from commit 1103f963)

Change-Id: I6d69d463af7a0a93391dd4b7edd5b700012ba58c

am: 9d46f9b4

Change-Id: Id3bd7d69bd07fafdf76453e52de01b2b5bb67472

This could be useful in diffs between policy versions.

Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131

am: 9f152d98

Change-Id: I1c319ac3558e5ff96072638dc4be97502da61056

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9

am: 5ab5cfba

Change-Id: I1fd254e6991d4d7f9afa6e36b26cc879c73fa6da

Encountered more denials on sailfish:

avc:  denied  { read } for  pid=439 comm="recovery" name="thermal"
dev="sysfs" ino=28516 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

avc:  denied  { read } for  pid=441 comm="recovery"
name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0

Bug: 36920500
Test: sideload a package in sailfish
Change-Id: Ib4e89ba48cdc383318e5f3b7b15f542434e43564

am: e453801d

Change-Id: I1568b0c66ebd5932dbc5da353c40dbff02ceab26

am: f3b5bd64

Change-Id: I7515097dc3c410fdf3544d72d9d99be772f62d0c

Remove domain_deprecated from bluetooth. This removes some unnecessarily
permissive rules.

Bug: 25433265
Test: All of the permissions being removed were being audited. Verify
      that no audited (granted) avc messages for bluetooth exist in
      in the logs.

Change-Id: Ifa12a0f1533edcb623bbb9631f88f1ff1d6d7085

These were previously in device specific sepolicies.
They should be in core sepolicy to reflect their
use by a core init file, init.usb.configfs.rc.

Addresses denial:

init    : type=1400 audit(0.0:135): avc: denied { unlink } for name="f1"
dev="configfs" ino=10923 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=0

Test: denial addressed
Change-Id: I869892f9d0c311b727462fb380f4160feb986215

These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()) This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
un-trusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0

am: 20fe64e7

Change-Id: Id1d70b14a7035d18b5bb6ef9720fc0b5689bb722