Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.

Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.

Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Bug: 38496951
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
(cherry picked from commit 44866954)

Addresses the following denial:
     avc: denied { setsched } for pid=1405 comm="Binder:1094_3" scontext=u:r:system_server:s0 tcontext=u:r:bootanim:s0 tclass=process permissive=0

Maybe fix bug 30118894.

Bug: 30118894
Change-Id: I29be26c68094c253778edc8e4fef2ef1a238ee2e

avc: denied { rmdir } for name="apps" dev="sda35" ino=38 scontext=u:r:system_server:s0 tcontext=u:object_r:preloads_data_file:s0 tclass=dir permissive=0
avc: denied { rmdir } for name="demo" dev="sda35" ino=41 scontext=u:r:system_server:s0 tcontext=u:object_r:preloads_data_file:s0 tclass=dir permissive=0

Bug: 28855287
Change-Id: Ia470f94d1d960cc4ebe68cb364b8425418acdbd4

Bug: 29278988
Change-Id: I199572377a6b5c33116c718a545159ddcf50df30

Commit: b144ebab added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them.  Add the ability
to write to sysfs_usb for all domains that had the ability to write to
those files previously (sysfs).

Address denials such as:
type=1400 audit(1904.070:4): avc:  denied  { write } for  pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849

The system_server needs to rename these files when an app is upgraded.

bug: 28998083
Change-Id: Idb0c1ae774228faaecc359e4e35603dbb534592a

A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.

The new directory is writable/deletable by system server. It can only be
readable (including directory list) by privileged or platform apps

Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037

The system_server needs to clear these markers along with other app
data that it's responsible for clearing.

bug: 28510916
Change-Id: If9ba8b5b372cccefffd03ffddc51acac8e0b4649

Allow to dump traces of the Bluetooth process during ANR
and system-server watchdog dumps.

Bug: 28658141
Change-Id: Ie78bcb25e94e1ed96ccd75f7a35ecb04e7cb2b82

Split single lines in preparation for new additions.

Bug: 28658141
Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf

Add pinner service to system_service services.
Add CAP_IPC_LOCK permissions to system_server in order to allow
system_server to pin more memory than the lockedmem ulimit.

bug 28251566

Change-Id: I990c73d25fce4f2cc9a2db0015aa238fa7b0e984

Fast system -> lock wallpaper migration wants rename, not copy.

Bug 27599080

Change-Id: I4b07dff210fe952afb4675eecba3c5f7bf262e83

Give mount & chroot permissions to otapreopt_chroot related to
postinstall.

Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.

Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7

Specifically, backup of wallpaper imagery needs to use hard links to
achieve "real file" access to the large imagery files without rewriting
the contents all the time just to stage for backup.  They can't be
symlinks because the underlying backup mechanisms refuse to act on
symbolic links for other security reasons.

Bug 25727875

Change-Id: Ic48fba3f94c92a4b16ced27a23646296acf8f3a5

On eng and userdebug builds (only), allow system server
to change the value of log.tag.WifiHAL. WifiStateMachine
will set this property to 'D' by default. If/when a user
enables "Developer options -> Enable Wi-Fi Verbose Logging",
WifiStateMachine change log.tag.WifiHAL to 'V'.

BUG=27857554
TEST=manual (see below)

Test detail
1. on user build:
   $ adb shell setprop log.tag.WifiHAL V
   $ adb shell getprop log.tag.WifiHAL
   <blank line>
   $ adb bugreport | grep log.tag.WifiHAL
   <11>[  141.918517] init: avc:  denied  { set } for property=log.tag.WifiHAL pid=4583 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:wifi_log_prop:s0 tclass=property_service permissive=0
   <11>[  141.918566] init: sys_prop: permission denied uid:2000  name:log.tag.WifiHAL
2. on userdebug build:
   $ adb shell getprop log.tag.WifiHAL
   $ <blank line>
   $ adb shell setprop log.tag.WifiHAL V
   $ adb shell getprop log.tag.WifiHAL
   V
3. on userdebug build with modified WifiStateMachine:
   $ adb shell getprop log.tag.WifiHAL
   D

Change-Id: I9cdd52a2b47a3dd1065262ea8c329130b7b044db

Bug: 28179196

Change-Id: I580f0ae2b3d86f9f124195271f6dbb6364e4fade

We've seen evidence that the logcat binary can end up wedged, which
means we can eventually starve system_server for FDs.  To mitigate
this, wrap logcat using the timeout utility to kill and clean up if
it takes too long to exit.

avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Bug: 27994717, 28021719, 28009200
Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: system_server, dumpstate, and bluetooth

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b

sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d

Change-Id: I0c0bce9cd50a25897f5c4521ee9b4fada6648a59

Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries.  Mark it as an app_api_service so
that all applications may use this API.  Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties.  As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

(cherry-picked from commit: 9ed71eff)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9

Remove permissions which are already covered by other permissions.

Found by running:

  sepolicy-analyze path/to/sepolicy dups

No functional change.

Change-Id: I526d1c1111df718b29e8276b024fa0788ad17c71

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d

... and client apps to read them.

A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047

Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983

Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 01d95c23)

Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114

system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicate
via /dev/socket/uncrypt to allow things like factory reset to keep
working.

Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked.  To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d

Bug: 26902605
Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7
(cherry picked from commit 9c168711)

This will allow us to provide a better interface between Java
services (e.g., ConnectivityService) and netd than the current
FrameworkListener / NativeDaemonConnector interface which uses
text strings over a Unix socket.

Bug: 27239233
Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af

Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2

Remove all permissions not observed during testing.

Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b

Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd

Also narrowly specify the domain for the local transport's bookkeeping.

Bug 26834865

Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535

This reverts commit 2afb217b.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb

Commit 2fdeab37 added ability to debug
over adbd for zygote-spawned apps, required by removal of domain_deprecated
from untrusted_app.  This functionality is a core debugabble component
of the android runtime, so it is needed by system_server as well.

Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44