The previous selinux rules obtained via audit2allow didn't really
work with the case of apps connecting to the producer socket,
despite all the allow rules being correctly in place.
This was failing our CTS tests.

The reason for the failure (see denials pasted below) is due to
Multi Level Security (for multi-user), which was still preventing
apps form a different level to connect to the traced producer
socket and write to the shmem buffers they get passed back.
This CL tags the objects being accessed as mlstrusted.
CTS tests pass with this CL.

Denials:
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383
Bug: 73340039
Test: CtsPerfettoTestCases

To upload configs and download output, this line
is needed.

Bug: 72961153
Test: The statsd cts test passes
Change-Id: I0943cc841881dd5d15e24ba444b146087a81bf96

This reverts commit bf0c2a59.

Bug:68126425
Test: No apps affected by not being able to run in shell domain
Change-Id: I8b93eecd023fbb392a98253d721dad75f79b61f4
Merged-In: I8b93eecd023fbb392a98253d721dad75f79b61f4

This is to allow to leave audit trails in dmesg to cross-correlate
kernel panics with perfetto ftrace activity.

Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d

These denials seem to be caused by a race with the process that labels
the files.  While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c

In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e

CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02

Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8

This should fix presubmit tests.

Bug: 68319037
Test: Built policy.
Change-Id: I0c3bc08c9b114e7a3737cdb3005fb59b2df47d55

This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: Ib17d2a5e1635ff661d39d14169652f88b7a6e4f5

This should fix presubmit tests.

Bug: 73128755
Test: Built policy.
Change-Id: Ie389de04360090594e627e629a59a60092dda6ca

Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34

Bug: 72878750
Test: build sepolicy
Change-Id: Ifa6822e042beed0e5971c85155aa526912807c8a

This should fix presubmit tests.

Bug: 73068008
Test: Built policy.
Change-Id: Ib27fbad2803eb86ff12526f0ae42eb35917ce59b

A change in the "open" syscall between kernel 4.4 and 4.9 means that
the "create" action is now checked and makes system_server trigger
an SELinux denial when PackageSettings is removing a user ID from
Settings.java/writeKernelRemoveUserLPr() in PackageManager.

Bug: 70150770
Test: Manual
- Add a new user on the device, no need to perform setup.
- Wait 30s
- Remove the added user
- While running, check the result of:
    adb logcat -v time -b events | grep audit | grep system_server
Change-Id: I1f490ea95d5bcb2adc76cba041bffbea131b447a

Bug: 69390067
Test: build sepolicy
Test: 27.0.ignore.cil is a subset 26.0.ignore.cil
Change-Id: I6b9a1cfa8b38df4e97e5d63e2938ee9d5a4c83ec

reboot_data_file was already removed from 26.cil by aosp/505397

Bug: 69390067
Test: build sepolicy
Change-Id: Ieff68cbdaf5b0ddc02d0d3e463765ba3716994ba

Since we now call patchoat --verify in zygote art loading code, we have
the unintended effect of webview zygote calling patchoat --verify. This
is undesireable since webview zygote doesn't need to verify the .art
files after the app_process zygote has already done so. The exec of
patchoat fails for webview zygote, and this change hides that. This
change should be reverted when b/72957399 is resolved.

Bug: 66697305
Test: Ensure no new selinux denials were introduced.
Change-Id: I4152edc920e5c436516b958b8c861dcc1c4751d8

This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb

Bug: 71527305
Test: compile and boot
Change-Id: I91097bd62d99b8dd9eb6f53060badbaf0f4b8b4a
(cherry picked from commit 1aedf4b5)

This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot bullhead/taimen
Change-Id: Iea2210c9c8ab30c9ecbcd8146f074e76e90e6943

Test: Standard Traceur workflow works successfully with no
selinux denials on a user build.
Bug: 64762598
Change-Id: I0dfe506d463b63d70c5bda03f8706041ea7ab448

This should fix presubmit tests.

Bug: 72749888
Test: Built policy.
Change-Id: Ie55127f1b570832c03878d1c697262239ac14003

This reverts commit 9aa8496f.
Fix angler/bullhead boot failure.

Bug: 72787689
Test: build
Change-Id: I77671a74cd952544a1dbb3daabc2bb449a7c2cf2

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.

Change-Id: Iddbcd05501d360d2adc4edf8ea7ed89816642d26

This should fix presubmit tests.

Bug: 72811052
Test: Built policy.
Change-Id: Ifcfe71c717a3b1e59cd1810c7f9be588d48c99a5

Need use 'nonplat_service_contexts_file' as the file context for
/vendor_service_context on non full-treble device.
Otherwise, servicemanager can't read the file.

Bug: 72787689
Test: build
Change-Id: Ib54e4f2501c7bbf8b397eacf4afadfae344ddd03

command to fetch data from shell.

Bug: 72502621
Test: N/A
Change-Id: I5b581f647c2f2932f0e3711965b98351ef7e6063

This should fix presubmit tests.

Bug: 72749888
Test: Built policy.
Change-Id: I588bba52d26bcc7d93ebb16e28458d9125f73108

This change renames the non-platform sepolicy files on a DUT from
nonplat_* to vendor_*.

It also splits the versioned platform sepolicy from vendor_sepolicy.cil
to a new file /vendor/etc/selinux/plat_pub_versioned.cil. And only keeps
vendor customizations in vendor_sepolicy.cil.

Build variable BOARD_SEPOLICY_DIRS is also renamed to
BOARD_VENDOR_SEPOLICY_DIRS.

Bug: 64240127
Test: boot an existing device
Change-Id: Iea87a502bc6191cfaf8a2201f29e4a2add4ba7bf

Bug: 62940136
Test: read /dev/v4l-touchX from inputflinger

Change-Id: Ifcece4192c567e0cbaba1b7ad40d25c8f34f8e40

Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.

Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.

Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13

Bug: 72668919
Test: build
Change-Id: Id156b40a572dc0dbfae4500865400939985949d9

Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102

This should fix presubmit tests.

Bug: 72472544
Test: Built policy.
Change-Id: I01f0fe3dc759db66005e26d15395893d494c4bb7

vendor_init exists on the system partition, but it is meant to be an
extention of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6

Instead of having statsd linking the perfetto client library
and talk directly to its socket, we let just statsd exec()
the /system/bin/perfetto cmdline client.

There are two reasons for this:
1) Simplify the interaction between statsd and perfetto, reduce
  dependencies, binary size bloat and isolate faults.
2) The cmdline client also takes care of handing the trace to
  Dropbox. This allows to expose the binder interaction surface
  to the short-lived cmdline client and avoid to grant binder
  access to the perfetto traced daemon.

This cmdline client will be used by:
 - statsd
 - the shell user (for our UI and Studio)

Bug: 70942310
Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f

This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: I51345468b7e74771bfa2958efc45a2a839c50283

This should fix presubmit tests.

Bug: 72507494
Test: Built policy.
Change-Id: I56944d92232c7a715f0c88c13e24f65316805c39

The exception for vendor_init in this neverallow was never needed.

Bug: 62875318
Test: Build walleye, bullhead
Change-Id: Iac2b57df30b376492851d7520994e0400a87f1e1