Test: tested with default health HAL on angler running as service.
Bug: b/32754732

Change-Id: Ie0b70d43cb23cd0878e1b7b99b9bebdbd70d17c7
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit ef62fd91)

- allows binder calls to hwservicemanager
- allows healthd to read system_file for passthrough HAL

Test: Tested healthd with and without a board specific health HAL on
Angler.

Bug: b/32724915

Change-Id: Icf621859f715cb44bce5d8d3b60320ef495d1543
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 32cacb42)

healthd is being split into 'charger' and 'healthd' processes, that
will never run together. 'charger' is to be run only in charge-only
and recovery, while healthd runs with Android.

While they both share much of battery monitoring code, they both now
have reduced scope. E.g. 'charger', doesn't need to use binder anymore
and healthd doesn't need to do charging ui animation. So, amend the
SEPolicy for healthd to reduce it's scope and add a new one for charger.

Test: Tested all modes {recovery, charger-only, android} with new policy

Change-Id: If7f81875c605f7f07da4d23a313f308b9dde9ce8
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit c73d0022)

To support upcoming disk usage calculation optimizations, this change
grants installd access to work with filesystem quotas.

avc: denied { search } for name="block" dev="tmpfs" ino=15279 scontext=u:r:installd:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { sys_admin } for capability=21 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=1
avc: denied { quotaget } for scontext=u:r:installd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=1

Test: builds
Bug: 27948817
Change-Id: Ic166e8ced30e15ce84223576729888a824037691

Bug: 31363362
Test: Bullhead and Sailfish both build and boot w/out new denials.
Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710

Add a compile time assertion that only authorized SELinux domains are
allowed to touch the metadata_block_device. This domain may be wiped at
will, and we want to ensure that we're not inadvertently destroying
other people's data.

Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6

system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d

Address denial type=1400 audit(0.0:42): avc: denied { call } for
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702

Bug: 32123421
Bug: 32905206

Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d

core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.

Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2

There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
android uses this permission.

Bug: 26901147

Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec

Test: logging confirms service runs on boot
Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce
Signed-off-by: Connor O'Brien <connoro@google.com>

Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579

The new domain wasn't fully tested, and it caused many regressions
on the daily build.  Revert back to using "priv_app" domain until we
can fully test and re-land the new domain.

Temporarily add the USB functionfs capabilities to priv_app domain
to keep remainder of MtpService changes working; 33574909 is tracking
removing that from the priv_app domain.

Test: builds, boots, verified UI and downloads
Bug: 33569176, 33568261, 33574909
Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb

* changes:
  hal_wifi: Allow HAL to reload wifi firmware
  hal_wifi: Allow system_server to access wifi HIDL services

Sdcardfs does not use a userspace daemon, so the secontext
is currently the caller's when accessing files. This can be
removed if sdcardfs is modified to change the secontext before
calling into the lower filesystem.

Bug: 32735101
Test: Run any app that falls under isolated_app.
Test: See bug for example
Change-Id: I9433aa0f14ff0d5a518249079e07f57e55b09bcf

Also move necessary priv_app permissions into MediaProvider domain and
remove MediaProvider specific permissions from priv_app.

The new MtpServer permissions fix the following denials:

avc: denied { write } for comm=6D747020666673206F70656E name="ep0" dev="functionfs" ino=12326 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1

denial from setting property sys.usb.ffs.mtp.ready, context priv_app

Bug: 30976142
Test: Manual, verify permissions are allowed
Change-Id: I4e66c5a8b36be21cdb726b5d00c1ec99c54a4aa4

Need write permissions on the specified sysfs path for reloading
firmware.

Denials:
01-21 23:39:01.650  4669  4669 W android.hardwar: type=1400
audit(0.0:103): avc: denied { write } for name="fwpath" dev="sysfs"
ino=6847 scontext=u:r:hal_wifi:s0
tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0
01-21 23:39:01.653  4669  4669 E android.hardware.wifi@1.0-service:
Failed to open wlan fw path param: Permission denied

Bug: 32018162
Test: Denials no longer present in the logs.
Change-Id: I1a468e7c2a2a4360a2b61f04f1940471d52d0dd6

We're going to be using Android framework directly to invoke Wifi HIDL
calls. So, change permissions appropriately.

Bug: 33398154
Test: Verfied that framework is able to make HIDL calls using
go/aog/310610.

Change-Id: I4d0d88961753ad73f3876aec58b26b89486cc02a

Add a pre-submit check to ensure that files have a newline character at
the end.

Please see https://android.googlesource.com/platform/tools/repohooks/
for documentation on how PREUPLOAD hooks work.

Test: created a change and watched the presubmit check reject it.
Change-Id: Id0528cb1bd6fa9c4483ba43720839832f4fec34d

This is unused by core policy and by any device policy except for hikey.

Test: device boots
Test: no denials ever collected
Change-Id: I36a6790499e4aeedd808457b43fd72370fa48e53

Because I'm nitpicky.

Test: policy compiles
Change-Id: I4d886d0d6182d29d7b260cf1f142c47cd32eda29

Test: no denials showing up in log collection
Test: device boots
Bug: 28760354
Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23

Remove domain_deprecated and add denials picked up by log collection.

Addresses the following auditallow messages:

  avc: granted { search } for comm="debuggerd" name="arm" dev="sda35"
  ino=57521 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=dir

  avc: granted { read } for comm="debuggerd"
  path="/data/app/dji.pilot-Z6Q2X6YjYNN2Ag8otZTCdg==/lib/arm/libtpnsWatchdog.so"
  dev="sda35" ino=57854 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

  avc: granted { getattr } for comm="debuggerd64"
  path="/data/app/com.google.android.youtube-2/lib/arm64/libcronet.so"
  dev="sda35" ino=1384657 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

  avc: granted { read open } for comm="debuggerd"
  path="/data/app/dji.pilot-We9wJivxEqhzfdtQrNFvaA==/lib/arm/libtpnsWatchdog.so"
  dev="sda35" ino=57575 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I1ae6203e37ddd4a19551d8063d26071ac20f2f3e

After a series of recent commits, installd has fully migrated over
to Binder, and all socket-based communication has been removed.

Test: builds, boots, apps install fine, pre-OTA dexopt works
Bug: 13758960, 30944031
Change-Id: Ia67b6260de58240d057c99b1bbd782b44376dfb5

app_domain was split up in commit: 2e00e637 to
enable compilation by hiding type_transition rules from public policy.  These
rules need to be hidden from public policy because they describe how objects are
labeled, of which non-platform should be unaware.  Instead of cutting apart the
app_domain macro, which non-platform policy may rely on for implementing new app
types, move all app_domain calls to private policy.

(cherry-pick of commit: 76035ea0)

Bug: 33428593
Test: bullhead and sailfish both boot. sediff shows no policy change.
Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665