am: c975bd90

Change-Id: I576189108f7863076070734b958385d1cd545c5b

Used to display kernel version in settings app.

avc: denied { read } for name="version" dev="proc"
scontext=u:r:system_app:s0 tcontext=u:object_r:proc_version:s0
tclass=file permissive=0

Bug: 66985744
Test: kernel version now displayed in settings app.
Change-Id: I53f92f63362b900347fd393a40d70ccf5d220d30

(This reverts internal commit: 82ca9c2e)
Test: None.

Change-Id: I97ffdd48b64ef5c35267387079204512a093a356

This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

(cherry-pick of 5637587d
which was in AOSP and internal master but not stage-aosp-master)

Bug: 62102757
Test: Builds and boots.
Change-Id: I0394907e808c737422e644aec452baa3e777cf6f

Also add missing commit: ca595e11

Test: I solemnly swear I tested this conflict resolution.
Change-Id: I2a210c3b58565a40117bf3d061e9bf904ed687c2

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

am: 6922dfe3

Change-Id: I366e2005f554ad2b98aeff4a7c83521ad74d12bd

Fixes: 65263013
Test: build
Merged-In: I0ec412481c5990927fcbee7c4303bee2da876210
Change-Id: I0a5b9a80e988fcd16a29807ed83b2c65bba9000f

am: 4481b885

Change-Id: I3763d7f5ce22ff43e2adb8f7125e789f2c061e9e

Run-as is running a command under an app's uid and in its data
directory. That data directory may be accessed through a symlink
from /data/user. So give runas rights to read such a symlink.

Bug: 66292688
Test: manual
Test: CTS JVMTI tests
Change-Id: I0e0a40d11bc00d3ec1eee561b6223732a0d2eeb6

am: 3b24ce50

Change-Id: Ibfe45f0105811e120f4e83a52f3ba8e4d6b2fb10

am: 46f41134

Change-Id: Idfb71caeb839cce156bfa181fa53339e2e791e4b

The following commits were cherry-picked from internal master to AOSP,
but to avoid merge-conflicts we'll do a large diff instead of individual
cherry-picks:
521742e9
9aefc916
3686efca
de51e7de
fff3fe2f

Bug: 37916906
Test: angler builds and boots.
Merged-In: Ie010cc12ae866dbb97c387471f433158d3b699f3
Change-Id: I5126ebe88b9c76a74690ecf95851d389cfc22d1f

am: 76d77fd5

Change-Id: I87ce89ce4642116264624288bf367a9ec3087034

am: b842836f

Change-Id: If6c0db7fb4838140347a68c39dec9f10b4c298d7

Bug: 65643247
Test: device boots without denials from bootanim to sysfs and cgroup.
Change-Id: Icf8c45906cb83e1b0a60737d67ae584b9d1b34aa

Bug: 65643247
Test: device boots without denials from rild to proc.
Change-Id: I142a228347ef07266cb612e99c90fb5ec187988a

am: 9ee232a8

Change-Id: Ic6943aeb67277cbf50d9353bb089aadfd89197b8

am: 7bb31061

Change-Id: I235d0cfa039241c2df830392c1736c60718d5d53

am: b1affc90

Change-Id: Ic2e99549c985f896f73b9fc6f59508e7d2c4c34b

Bug: 65643247
Test: device boots without denials from bootstat to proc.
Change-Id: Ie31a0488239dbb1614fbcce07540d23afa805b0e

Bug: 65643247
Test: device boots without denials from bootanim to proc.
Change-Id: I0454a2bd4489d7816d82a299f5bc199d6a299ec0

am: c8ef107a  -s ours

Change-Id: I781386a8ae37105a5f8c494b0471f6625a84cf0b

Test: after cherry-pick - it builds
Merged-In: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
Change-Id: I7da8160a95e09946d283bd849628bd5392410353

Bug: 62945293
Test: instrumentation, VTS
Change-Id: I7e896b64bf0ee907af21d08f6b78561fadc7f0e3

Change-Id: I88e2887b0691ce3c5018578556abf7c420fe5a1b

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Test: after cherry-pick - it builds
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
(cherry picked from commit 567b947d)

am: cfdbaf33

Change-Id: I2206c2e99dbfc3c1efd5beee3b73c744187f7c32

am: 397b07b3

Change-Id: I59221e03d3cdbbaa4fb416605ba66e9243afb5b9

Add series of neverallow rules to restrict components from reading or
writing bootloader_boot_reason_prop, system_boot_reason_prop and
last_boot_reason_prop to trusted set of domains.

The policy is that bootloader_boot_reason_prop (ro.boot.bootreason)
has a compliance issue due to the sheer momentum of near unparseable
content as filed by the wide variety (8000 different devices at last
count) bootloaders and is only to be accessible to a series of
responsible system components.  It can be inaccurate as it provides
no means to evaluate a shutdown, likely reporting "cold" (from
initial power up) or the more generic "reboot".

The last_boot_reason_prop (persist.sys.boot.reason) contains
inaccurate information as it is only valid after a controlled reboot
or shutdown.  The value can linger around after less controlled
scenarios.  Since the information could be false, we do not want to
support it as an open API, so we again block access to only
responsible components.

The system_boot_reason_prop (sys.boot.reason) is a canonical boot
reason that takes into account parsing bootloader_boot_reason_prop,
boot_loader_boot_reason_prop and other system and HAL generated hints
to determine a parseable and most accurate reason for the last time
the system was rebooted.

For now the policy for system_boot_reason_prop is to audit users of
the API, and on a need to know basis via device additions to the
selinux rules.  If vendors need their components to access the boot
reason, they need to comply first with CTS tests and spirit with
regards to controlled reboot messaging and in turn read the
system_boot_reason_prop for the canonical information.  It will
contain validated content derived from bootloader_boot_reason_prop
in the scenarios that count.

The controlled reboot APIs include:
- android_reboot(ANDROID_RB_<TYPE>, int flag, const char* reason)
- PowerManagerService.lowLevelShutdown(String reason);
- PowerManagerService.lowLevelReboot(String reason);
- ShutdownThread.shutdown(context, String reason, boolean confirm);
- ShutdownThread.reboot(context, String reason, boolean confirm);
- PowerManager.shutdown(boolean confirm, String reason, boolean wait);
- PowerManager.reboot(String reason);

Any others (including the direct linux reboot syscall) create
problems for generating an accurate canonical boot reason.

Test: compile
Bug: 63736262
Bug: 65686279
Change-Id: I2e5e55bbea1c383c06472eb2989237cfeb852030

am: 48284512

Change-Id: I3096c5d0871872de5484f862f9f9878d6a8fce13

am: d1a9a2f4  -s ours

Change-Id: Ifa7aee2d178fe4187f59e4a5b35e2643f0e69459