Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):

1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs

We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.

Bug: 68159582
Test: bullhead, sailfish can build
Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5

AIUI permissions should be in private unless they need to be public.

Bug: 25861755
Test: Boot device, create and remove a user, observe logs
Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da

First pass at adding vendor_init.te

Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68

Test: boot sailfish with no audit when writing to page-cluster
Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8

New types:
1. proc_random
2. sysfs_dt_firmware_android

Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.

Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.

Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a

Instead of removing the denial generating code, a dontaudit and a
service label will be provided so that the team working on this new
feature doesn't have to get slowed up with local revision patches.

The dontaudit should be removed upon resolution of the linked bug.

Bug: 67468181
Test: statscompanion denials aren't audited
Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7

The following error is occurring on master:

10-23 16:24:24.785 shell  4884  4884 E SELinux : seapp_context_lookup:  No match for app with uid 2000, seinfo platform, name com.google.android.traceur
10-23 16:24:24.785 shell  4884  4884 E SELinux : selinux_android_setcontext:  Error setting context for app with uid 2000, seinfo platform:targetSdkVersion=23:complete: Success
10-23 16:24:24.785 shell  4884  4884 E Zygote  : selinux_android_setcontext(2000, 0, "platform:targetSdkVersion=23:complete", "com.google.android.traceur") failed
10-23 16:24:24.785 shell  4884  4884 F zygote64: jni_internal.cc:593] JNI FatalError called: frameworks/base/core/jni/com_android_internal_os_Zygote.cpp:648: selinux_android_setcontext failed
10-23 16:24:24.818 shell  4884  4884 F zygote64: runtime.cc:535] Runtime aborting...

Bug: 68126425
Bug: 68032516

This reverts commit 714ee5f2.

Change-Id: I7356c4e4facb1e532bfdeb575acf2d83761a0852

Test: Boot device, observe logs
Bug: 63740245
Change-Id: I1068304b12ea90736b7927b7368ba1a213d2fbae

Allow vold/system_server to call storaged service

Test: adb shell storaged -u
Bug: 63740245
Change-Id: I88219e32520006db20299468b7a8c7ce0bfa58e0
Merged-In: I88219e32520006db20299468b7a8c7ce0bfa58e0
(cherry picked from commit fa6c3d7c)

Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b7)

No sign of these denials getting cleaned up, so supress them in core
policy.

Test: build
Change-Id: I0320425cb72cbd15cef0762090899491338d4f7c

When we removed /data/dalvik-cache execute permission for system_server
(b/37214733, b/31780877), I forgot to fixup this neverallow rule.
Fix rule.

Test: policy compiles.
Change-Id: I38b821a662e0d8304b8390a69a6d9e923211c31e

Don't allow apps to run with uid=shell or selinux domain=shell unless
the package is com.android.shell.

Add a neverallow assertion (compile time assertion + CTS test) to ensure
no regressions.

Bug: 68032516
Test: policy compiles, device boots, and no obvious problems.
Change-Id: Ic6600fa5608bfbdd41ff53840d904f97d17d6731

This is to simplify access for hal_audio

Test: ls -Z in /proc/asound correctly shows everything with proc_asound
selinux label

Change-Id: I66ed8babf2363bee27a748147eb358d57a4594c4

Now hwservicemanager can send ctl.interface_start messages
to init.

Note that 'set_prop(ctl.*, "foo")' maps to property context
for ctl.foo.

Bug: 64678982
Test: hwservicemanager can start interfaces
Change-Id: I9ab0bacd0c33edb0dcc4186fa0b7cc28fd8d2f30

rw access to sysfs_power file is not enough; in some cases search access
is also needed

Bug: 67895406
Test: system_server can access memory power statistics
Change-Id: I471e8e60626e6eed35e74e25a0f4be470885a459

Bug: 25861755
Test: Boot device, observe logs
Change-Id: I6c13430d42e9794003eb48e6ca219b874112b900
Merged-In: I6c13430d42e9794003eb48e6ca219b874112b900
(cherry picked from commit 47f3ed09)

Bug: b/64399219
Test: Manual
Change-Id: I4f6c7e4e3339ae95e43299bf364edff40d07c796
(cherry picked from commit c8bd93d7)

Allow PowerUI / platform_app to use thermalservice for receiving
notifications of thermal events.

Bug: 66698613
Test: PowerNotificationWarningsTest, PowerUITest,
      manual: marlin and <redacted> with artificially low temperature
      threshold and logcat debugging messages
Change-Id: I5428bd5f99424f83ef72d981afaf769bdcd03629
Merged-In: I5428bd5f99424f83ef72d981afaf769bdcd03629

Dontaudit denials for services that system_app may not use due
to neverallow assertions.

Bug: 67779088
Test: build
Change-Id: I822a7909c86bee5c2fdeec6e13af1a9791883f72

This denial should not be allowed. Add bug information to the denial
to give context.

Bug: 63801215
Test: build
Change-Id: I3dc5ce6a5aa1c6bf74c6fd13cab082c7f263c4e8

New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons

Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons

Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.

Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5

Test: build aosp_sailfish
Change-Id: Iaefe1df66885d3e78feb600c3d9845bd9fe671a2

Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
 - update_verifier to read sysfs_dm dir and file at
   /sys/devices/virtual/block/dm-X.
 - vold to write sysfs_dm.

Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
      marks a sucessful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95

isolated_apps are intended to be strictly limited in the /sys files
which can be read. Add a neverallow assertion to guarantee this on all
Android compatible devices.

Test: policy compiles.
Change-Id: I2980291dcf4e74bb12c81199d61c5eb8a182036c

Bug: 64687998
Test: Builds.
Change-Id: I7a5b65d34382b8b76e55c523811a0f17dd9c1051

Bullhead and dragon are broken. Revert until I can fix
those builds.

Dragon:

libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26264 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open }; 

Bullhead:

libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_power_management:file { ioctl read lock open }; 
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open }; 
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_thermal:file { ioctl read lock open }; 
libsepol.check_assertions: 3 neverallow failures occurred 


This reverts commit 579366a0.

Change-Id: I1ea4824e226c06628769898299f2e322060d0d06
Test: policy compiles.

Renamed this type:
proc_asound_cards -> proc_asound

Labeled /proc/asound/devices as proc_asound.

We now use proc_asound type to label files under /proc/asound which we
want to expose to system components.

Bug: 66988327
Test: Pixel 2 boots, can play sound with or without headphones, and
selinux denials to proc_asound are not seen.

Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0

isolated_apps are intended to be strictly limited in the /sys files
which can be read. Add a neverallow assertion to guarantee this on all
Android compatible devices.

Test: policy compiles.
Change-Id: I47aceefa3f43a7ea9e526f6f0ef377d0b4efbe3a

so they can use MediaExtractor too.

Bug: 67406992
Test: yes
Change-Id: Iaacadc13b1fc032fe31eea1f3ecbbbabb741470a

This functionality is being used, apparently.

Addresses the following auditallow spam:

  type=1400 audit(0.0:1039): avc: granted { write } for
  comm="Chrome_ProcessL"
  path="/storage/emulated/0/Android/data/com.bleacherreport.android.teamstream/cache/.com.google.Chrome.sk5n91"
  dev="sdcardfs" ino=1877565 scontext=u:r:isolated_app:s0:c512,c768
  tcontext=u:object_r:sdcardfs:s0 tclass=file

Test: policy compiles.
Bug: 32896414
Change-Id: I627e20c38115f1d579e78ca12abfa717d32a155a

Bug: 65643247
Test: SurfaceFlinger_test passes (except known failures) without selinux
denials
Change-Id: I6ce185f92e5ad64a172da7d7e12167d8da2ebed0

A parallel Wi-Fi RTT service is being added in parallel. Switch-over
will occur once the new service is ready.

Bug: 65014552
Test: integration tests
Change-Id: Ie4b15592140462af70c7092511aee3f603aaa411

Bug: 65570851
Test: boot sailfish
Change-Id: I008bf5386595c614236de44131afcda7d3fd6d98
Merged-In: I008bf5386595c614236de44131afcda7d3fd6d98
(cherry picked from commit 82ca9c2e)

(This reverts internal commit: 82ca9c2e)
Test: None.

Merged-in: I97ffdd48b64ef5c35267387079204512a093a356
Change-Id: I97ffdd48b64ef5c35267387079204512a093a356

Used to display kernel version in settings app.

avc: denied { read } for name="version" dev="proc"
scontext=u:r:system_app:s0 tcontext=u:object_r:proc_version:s0
tclass=file permissive=0

Bug: 66985744
Test: kernel version now displayed in settings app.
Change-Id: I53f92f63362b900347fd393a40d70ccf5d220d30

(This reverts internal commit: 82ca9c2e)
Test: None.

Change-Id: I97ffdd48b64ef5c35267387079204512a093a356

This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

(cherry-pick of 5637587d
which was in AOSP and internal master but not stage-aosp-master)

Bug: 62102757
Test: Builds and boots.
Change-Id: I0394907e808c737422e644aec452baa3e777cf6f

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Test: after cherry-pick - it builds
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
(cherry picked from commit 567b947d)