- Mar 22, 2018
-
Treehugger Robot authored
-
Primiano Tucci authored
This CL adds the SELinux permissions required to execute atrace and get userspace tracing events from system services. This is to enable tracing of events coming from surfaceflinger, audio HAL, etc. atrace, when executed, sets a bunch of debug.atrace. properties and sends an IPC via binder/hwbinder to tell the services to reload that property.

This CL does NOT affect systrace. In that case (i.e. when atrace is executed from adb/shell) atrace still runs in the shell domain and none of those changes apply.

Change-Id: I11b096d5c5c5593f18bce87f06c1a7b1ffa7910e
Bug: b/73340039
-
- Mar 21, 2018
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Chenbo Feng authored
To better record the network traffic stats for each network interface, we use the xt_bpf netfilter module to do the iface stats accounting instead of the cgroup bpf filter we currently use for per uid stats accounting. The xt_bpf module will take a pinned eBPF program as an iptables rule and run the program when a packet passes through the netfilter hook. To set up the iptables rules, netd needs to be able to access the bpf filesystem and run the bpf program at boot time. The program used will still be created and pinned by the bpfloader process.

Test: With selinux enforced, running "iptables -L -t raw" should show the xt_bpf related rule present in the bw_raw_PREROUTING chain.
Bug: 72111305
Change-Id: I11efe158d6bd5499df6adf15e8123a76cd67de04
-
Tri Vo authored
Bug: 74182216 Test: build bullhead, sailfish sepolicy Change-Id: I6d0635a49c025870c9ecb46147e6c9a1c407fe16
-
Tri Vo authored
-
Tri Vo authored
Location of mapping files has changed from private/mapping/V.v.cil to private/compat/V.v/V.v.cil
Change the build rule for current_mapping.cil to reflect that.

Test: Build current mapping file with BOARD_SEPOLICY_VERS := 27.0 and make sure that $OUT/obj/ETC/27.0.cil_intermediates/27.0.cil is not empty
Change-Id: I996a717e1c659265cb067da5d621d71ff3b3b63b
-
- Mar 20, 2018
-
Fyodor Kupolov authored
-
Fyodor Kupolov authored
Test: manual Bug: 75318418 Change-Id: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7
-
Treehugger Robot authored
* changes:
  silence innocuous denials to /proc and /sys
  proc_type attribute for files under /proc.
-
Andreas Gampe authored
So that perfprofd can send larger packets to dropbox. Follow-up of commit 3fa95acb. Bug: 73175642 Test: m Test: manual Change-Id: I88d1f83962243589909ff1ce3d02195e7c494256
-
Hector Dearman authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Treehugger Robot authored
* changes:
  Add /odm/etc/selinux/odm_mac_permissions.xml
  Add /odm/etc/selinux/odm_hwservice_contexts
  Add /odm/etc/selinux/odm_property_contexts
  Add /odm/etc/selinux/odm_seapp_contexts
  Add /odm/etc/selinux/odm_file_contexts
  Add /odm/etc/selinux/odm_sepolicy.cil
-
Bowgo Tsai authored
This reverts commit 88cd813f. Bug: 75287236 Test: boot a device Change-Id: Id1bc324e7bd0722065d8a410af31fd6b7aaa9d1c
-
Joel Galenson authored
This should fix audio on non-Treble devices. Bug: 75949883 Test: Built policy. Change-Id: I90a4648aaf975d59be36afd5f62c88a015af10f7
-
- Mar 19, 2018
-
Alan Stokes authored
Test: n/a Change-Id: Iba86b7d77582e85de7469bedaf31465205e42433
-
Tri Vo authored
Bug: 74182216 Test: build policy Change-Id: Idf90c1a96943266d52508ce72b8554d8b5c594c9
-
Tri Vo authored
With this attribute it will be easier to reference /proc files. Bug: 74182216 Test: policy builds Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
-
Chong Zhang authored
When extracting Exif info, certain file formats may require parsing the container. Allow mediaprovider to use extractor to do the parsing.

bug: 73978990
Test: manually test the scenario in b/73978990 and verify the Exif is extracted correctly.
Change-Id: I1cd46d793ebc9c38b816a3b63f361967e551d046
-
Hector Dearman authored
To enable/disable the traced and traced_probes daemons remotely we would like system server to be able to set persist.traced.enable. See also ag/3736001.

Denial:
selinux: avc: denied { set } for property=persist.traced.enable pid=1606 uid=1000 gid=1000 scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0\x0a

Run:
$ adb shell 'ps -A | grep traced'
Should see traced.
$ adb shell 'settings put global sys_traced 0'
$ adb shell 'ps -A | grep traced'
Should no longer see traced.

Test: See above.
Change-Id: I245b7df3853cabeb0e75db41fb4facaa178ab8f1
-
Treehugger Robot authored
-
Bowgo Tsai authored
Several /odm/* symlinks are added in the following change, to fallback to /vendor/odm/* when there is no /odm partition on the device.

https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/

This change allows dexopt operations to 'getattr' those symlinks during OTA.

Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
-
- Mar 18, 2018
-
Treehugger Robot authored
-
Tri Vo authored
-
- Mar 16, 2018
-
Tri Vo authored
Bug: 74586749 Test: build policy Change-Id: I72a3b7c38eb9030ffac0d2dde23a9ff7c26fd70a
-
Bowgo Tsai authored
Bug: 64240127 Test: normal boot a device Change-Id: I276ba6bc88eabb0d5562e4e96d3860eedb76aed5
-
Bowgo Tsai authored
Bug: 64240127 Test: normal boot and recovery boot a device Change-Id: I22d29e8476380d19aca1be359e0228ab6bbc3b0f
-
Bowgo Tsai authored
Bug: 64240127 Test: normal boot and recovery boot a device Change-Id: Ibd71219f60644e57370c0293decf11d82f1cb35c
-
Bowgo Tsai authored
Bug: 64240127 Test: normal boot a device Change-Id: I3626357237cc18a99511f1ebd9dd3ff5a7655963
-
Bowgo Tsai authored
Bug: 64240127 Test: normal boot and recovery boot a device Change-Id: I087292fb23d05fc17272778d668ac78a721b2593
-
Bowgo Tsai authored
This change adds the support of odm sepolicy customization, which can be configured through the newly added build variable:
- BOARD_ODM_SEPOLICY_DIRS += device/${ODM_NAME}/${BOM_NAME}/sepolicy

Also moving precompiled sepolicy to /odm when BOARD_ODM_SEPOLICY_DIRS is set. On a DUT, precompiled sepolicy on /odm will override the one in /vendor. This is intentional because /odm is the hardware customization for /vendor and both should be updated together if desired.

Bug: 64240127
Test: boot a device with /odm partition
Change-Id: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
-
Jaekyun Seok authored
Bug: 74866333 Test: succeeded building and tested with taimen Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-