This is needed to allow it to log audit events, e.g. cert
validation failure.

Bug: 70886042
Test: manual, attempt connecting to EAP-TLS wifi with bad cert.
Merged-In: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1
Change-Id: Ia1b0f3c6e02697fdb5018082d5c851f116013fb1

Bug: 30561479

Test: Booted on walleye and verified that read denials of the property
Test: do not generate warnings.
Change-Id: I61a4a7d3a360a6d27d8986eb8f3f9662272233b1
(cherry picked from commit 2f35f5ca)

Test: n/a
Change-Id: I7041cc0f17ece86c01db1d9c17f68b58473cf27c

CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02

Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8

This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: Ib17d2a5e1635ff661d39d14169652f88b7a6e4f5

Bug: 72809699
Test: build
Change-Id: Ifb66ad13557af7d2dc6d3ef823e326a5fba51b24

This should fix presubmit tests.

Bug: 73128755
Test: Built policy.
Change-Id: Ie389de04360090594e627e629a59a60092dda6ca

Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34

* changes:
  Use PLATFORM_SEPOLICY_COMPAT_VERSIONS
  Move PLATFORM_SEPOLICY_VERSION to make/core/config.mk

This is a list of sepolicy versions that the framework supports.

Test: builds and boots

Bug: 67920434
Change-Id: I0f408fa3967214b47a64101760dbbb2542023dcf

Test: m framework_compatibility_matrix.xml -j
Test: device boots

Bug: 67920434
Bug: 69390067

Change-Id: I3461873c22f704b9bbaa3a4e6f7e1df34d6b61a3

Bug: 72878750
Test: build sepolicy
Change-Id: Ifa6822e042beed0e5971c85155aa526912807c8a

And grant explicit exemption from system_executes_vendor_violators
neverallow rules.

This does not change the policy, but is needed to test the violator
attribute for emptiness.

Bug: 72662597
Test: build sepolicy
Change-Id: Iba79bb42e1381b221fe0dc53470f62f8267a4791

This should fix presubmit tests.

Bug: 73068008
Test: Built policy.
Change-Id: Ib27fbad2803eb86ff12526f0ae42eb35917ce59b

* changes:
  Add 27.0 mapping file to system image.
  Add missing types to 27.0[.ignore].cil.
  Temporary fix to avoid expandattribute value conflicts.
  Remove reboot_data_file from 27 mapping file.

A change in the "open" syscall between kernel 4.4 and 4.9 means that
the "create" action is now checked and makes system_server trigger
an SELinux denial when PackageSettings is removing a user ID from
Settings.java/writeKernelRemoveUserLPr() in PackageManager.

Bug: 70150770
Test: Manual
- Add a new user on the device, no need to perform setup.
- Wait 30s
- Remove the added user
- While running, check the result of:
    adb logcat -v time -b events | grep audit | grep system_server
Change-Id: I1f490ea95d5bcb2adc76cba041bffbea131b447a

This reverts commit fad0b04d.

Reason for revert: This change crashed facebook App on dogfood build.

Bug: 72977484
Change-Id: I4f35b00c11afbd4914f572d3cc0378d740403ed2

Bug: 69390067
Test: 27.0.cil is installed to /system/etc/selinux/mapping/27.0.cil

Change-Id: If5b37ca7920a66b4fceaa031b6e8e9bafd18ac47

Bug: 69390067
Test: build sepolicy
Test: 27.0.ignore.cil is a subset 26.0.ignore.cil
Change-Id: I6b9a1cfa8b38df4e97e5d63e2938ee9d5a4c83ec

Bug: 69390067
Bug: 72757373
Test: build sepolicy
Change-Id: I44aeb547ff7ab7042eddfa780df8cbb7dcec71b4

reboot_data_file was already removed from 26.cil by aosp/505397

Bug: 69390067
Test: build sepolicy
Change-Id: Ieff68cbdaf5b0ddc02d0d3e463765ba3716994ba

Since we now call patchoat --verify in zygote art loading code, we have
the unintended effect of webview zygote calling patchoat --verify. This
is undesireable since webview zygote doesn't need to verify the .art
files after the app_process zygote has already done so. The exec of
patchoat fails for webview zygote, and this change hides that. This
change should be reverted when b/72957399 is resolved.

Bug: 66697305
Test: Ensure no new selinux denials were introduced.
Change-Id: I4152edc920e5c436516b958b8c861dcc1c4751d8

* changes:
  Use a whitelisting strategy for tracefs.
  Enable Traceur on user builds.

llkd needs the ability to forcibly crash the kernel if
cause is unlikely to result in an orderly shutdown. It
also needs to scan /proc/<pid> for additional process
information.

Test: lmkd_unit_test --gtest_filter=llkd.*
Bug: 33808187
Change-Id: I7f158a13814e79d5ec71fe90dbc7461abb521945

The feature of compatible property has its own neverallow rules and it
is enforced on devices launchig with Android P.

This CL changes hal_nfc to hal_nfc_server in neverallow rules because
sepolicy-analyze doesn't recognize it. Additionally one more neverallow
rule is added to restrict reading nfc_prop.

Bug: 72013705
Bug: 72678352
Test: 'run cts -m CtsSecurityHostTestCases' on walleye with
ro.product.first_api_level=28

Change-Id: I753cc81f7ca0e4ad6a2434b2a047052678f57671