This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

Bug: 62102757
Test: Builds and boots.

When moving SELinux rules from file_contexts to genfs_contexts, we
added some genfs rules to label specific files.  It turns out that one
of those files was the prefix of some other files, and since genfs
does prefix-labeling, those other files had their labels changed.

To fix this, we are changing the whole tracefs /instances/wifi from
debugfs_tracing_instances to debugfs_wifi_tracing (a few of the files
already had this label).  This simplifies the rules.

Bug: 62413700
Test: Built, flashed, and booted two devices.  Verified that the files
have the correct context and that wifi, camera, and traceur work.

Change-Id: Id62db079f439ae8c531b44d1184eea26d5b760c3

Change fb889f23 "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.

In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.

Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    armeabi-v7a CtsSecurityHostTestCases completed in 4s.
    501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

The code used to look like this, but in commit
4cae28d4 we replaced the generic
regexes to improve performance.  Now that we've switched to genfs,
this no longer affects performance, so let's simplify the labeling.

Bug: 62413700
Test: Built, flashed, and booted two devices.  Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.

Change-Id: I1a859d17075fa25543ee090cc7a7478391bc45c1

This should slightly improve performance, as file_contexts is slower
than genfs_contexts.

Now that the kernel patch enabling genfs labeling of tracefs has
landed, we can re-enable this.

Bug: 62413700
Test: Built, flashed, and booted two devices.  Verified that all of
the files have the correct context and that wifi, camera, and traceur
work.

Change-Id: Ifc1c6ac634b94e060ed1f311049bd37f6fcc8313

move them to device-specific files.

Bug: 62908056
Change-Id: I299819785d5a64e6ecdde1cd7da472477fe1e295
Merged-In: If92352ea7a70780e9d81ab10963d63e16b793792

Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: I379567772c73e52f532a24acf640c21f2bab5c5b
Merged-In: I379567772c73e52f532a24acf640c21f2bab5c5b

Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)

Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e
(cherry picked from commit 4dc88795)

Bug: b/36863239
Test: manual
Change-Id: I7e929926efbb1570ea9723ef3810a511c71dc11a
(cherry picked from commit 38f0928f)

A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.

avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
    adb shell cmd package compile -r bg-dexopt --secondary-dex \
    com.google.android.googlequicksearchbox

Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
(cherry picked from commit 575e6270)

avc: denied { read write } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { setopt } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { getattr } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { create } for scontext=u:r:system_server:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket

Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
  ...
  Log:
    ...
    06-28 11:46:58.841 - SET master tether settings: ON
    06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
    06-28 11:46:58.853   816   947 I IPAHALService: IPACM was provided two FDs (18, 19)
    06-28 11:46:58.853  1200  1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I0c63bd2de334b4ca40e54efb9df4ed4904667e21

rc-style powerctl has beem removed. Accordingly, asan_extract now
needs access to sys.powerctl directly.

(orginally commit: 82672089)

Bug: 36458146
Bug: 38241921
Test: Builds and boots.
Change-Id: I7d6e583f5e98b671986a2071abf157c86e288a10

This reinstates the selinux changes for the timezone service that
were reverted on oc-dr1-dev and undesirably merged down to master.

This reverts commit 96c619c8.

Test: make
Bug: 31008728
Change-Id: Ief2129c409de09b2782881a6556d918af59badd9

This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.

(Originally submitted in commit: 8c60f74d)

Bug: 38242876
Test: Builds and boots.

Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502

Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

(Originally commited in a015186f)
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9

A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.

avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
    adb shell cmd package compile -r bg-dexopt --secondary-dex \
    com.google.android.googlequicksearchbox

Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f

Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class.  As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11.  Define this security class and its access vector, add
it to the socket_class_set macro, and exclude it from webview_zygote
like other socket classes.

Test:  Policy builds

Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

avc:  denied  { find } for
interface=android.hardware.configstore::ISurfaceFlingerConfigs
scontext=u:r:system_server:s0
tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
tclass=hwservice_manager permissive=0

Bug: 35197529
Test: Device boots without this denial
Change-Id: Ia43bc5879e03a1f2056e373b17cc6533636f98b1

Bug: b/36863239
Test: instrumentalization
Change-Id: I782693dcda13bd38b45626a65c8eeae552368030

NOTE: This change is marked dnma because we don't want it on
oc-dr1-dev-plus-aosp or any other downstream branch. Moreover,
oc-dr1-dev-plus-aosp is the only outgoing merger from oc-dr1-dev for
this project.

This reverts commit 11bfcc1e.

Bug: 62908344
Test: make
Change-Id: Ide61829cf99f15777c46f657a0e140d594f88243

A previous commit reverted us back to using file_contexts
instead of genfs_contexts but did not remove the new
genfs_contexts rules, which caused this problem.

Bug: 62901680
Test: Verified that the errors do not apepar and that wifi
and traceur work.

Change-Id: Ic0078dc3a2a9d3d35a10599239fdf9fa478f1e2b

Bug: b/36863239
Test: manual
Change-Id: I7e929926efbb1570ea9723ef3810a511c71dc11a

Change-Id: I951162a6a118757d7a466f2c19a23d0ad2e406e3
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>

This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>

This reverts commit 3e307a4d.

Test: Builds - neverallow change only.
Bug: 62806062
Change-Id: Id3aa1b425cf48fc8586890c9850a74594584922d

Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP.  As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app.  This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition.  Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.

Bug: 62806062
Test: neverallow-only change builds.  Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832

An earlier commit moved tracefs file labels from file_contexts to
tracefs.  But this requires a kernel patch that is not present on all
devices, so let's revert it until that is merged.

Bug: 62485981
Test: Built, flashed, and booted two devices.  Verified that the files
have the correct context.  Verified that traceur works.

Change-Id: I8ee3ea9864f73a92943cdbc550131d4a71b842ba

In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
(cherry picked from commit c59eb4d8)

bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028

This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>

Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)

Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e

CTS checks to make sure that the _contexts files on a device have
a superset of the AOSP entries.  This was removed due to concurrent
master and DR development.  Restore the entry to allow CTS to pass.

Bug: 38241921
Bug: 62348859
Test: Policy builds and is identical to oc-dev for prop ctxts.
Change-Id: I87ccbee7aadee57b8e46ede73280810362b618c0

Clean up ~50 denials such as:
avc: denied { getattr } for comm="highpool[2]" path="/system/bin/bufferhubd" dev="dm-0" ino=1029 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:bufferhubd_exec:s0 tclass=file
avc: denied { getattr } for comm="highpool[3]" path="/system/bin/cppreopts.sh" dev="dm-0" ino=2166 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cppreopts_exec:s0 tclass=file
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/system/bin/fsck.f2fs" dev="dm-0" ino=1055 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:fsck_exec:s0 tclass=file

Bug: 62602225
Bug: 62485981
Test: build policy
Change-Id: I5fbc84fb6c97c325344ac95ffb09fb0cfcb90b95

One of my previous commits removed this, so I am now restoring it.

This commit also contains a bit of cleanup from previous commits by
removing some unneeded types.

It also fixes traceur by porting ag/2409144 to master.

Bug: 62413700, 62547086
Test: Built, flashed, and booted Marlin.  Verified that the files have
the correct context.  Verified that atrace and traceur work.

Change-Id: I76fa0e9060aff554687d57ab3976c8704a4068f0

Now that we're expected to use this when taking traces, we need to add
this permission so that Traceur can also access this file.

Test: Used Traceur and saw the traces appear in the bugreports
directory, as expected.
Bug: 62493544

Change-Id: Ib4304176abbb51e2e3b45c566ff14574e1cfaa82
Merged-In: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53
(this merged-in is not the same change; it's a conflicting change in
master)

avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Fixes: 62619253
Test: policy builds, no more "granted" messages in dmesg for recovery.
Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: I47b4e79260bcd2967d85d8151c83e624d432f409

This reverts commit 527f64e6.

Change-Id: Ibc48af53431a8f7c7211999dcb571f492fb5ddb4

In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: Ia57dbbc3987d8858c932103c4e546cbb88893207