Newer kernels apparently introduce a new SELinux label
"netlink_generic_socket".

AOSP is missing some patches for ioctl whitelisting and
it was suggested we add unpriv_socket_ioctls as a stopgap.

Bug: 31226503
Change-Id: Ie4dd499925f74747c0247e5d7ad0de0f673b5ed2

This patch allows mips to boot in enforcing mode.

Change-Id: Ia4676db06adc3ccb20d5f231406cf4ab67317496

am: c8820d04  -s ours

Change-Id: I7a9086cbd781d8e4450564f6c7c1697fd14643f6

am: 3dfef1fd  -s ours

Change-Id: Ia0adf841c0b37647c27fe31b805abcf3cff4d62c

am: fe8d6739  -s ours

Change-Id: I199ff6989c4acceb1878062ce9086ad9da6444b2

(cherry picked from commit 48d68a64)

Remove audit messaged.

Addresses:
avc:  granted  { read } for  pid=1 comm="init" name="cmdline" dev="proc" ino=4026535448 scontext=u:r:kernel:s0 tcontext=u:object_r:proc:s0 tclass=file
avc:  granted  { read open } for  pid=1 comm="init" path="/proc/cmdline" dev="proc" ino=4026535448 scontext=u:r:kernel:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 28760354
Change-Id: I48ea01b35c6d1b255995484984ec92203b6083be

(cherry picked from commit 8486f4e6)

Grant observed permissions

Addresses:
init
avc:  granted  { use } for  pid=1 comm="init" path="/sys/fs/selinux/null" dev="selinuxfs" ino=22 scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=fd

mediaextractor
avc: granted { getattr } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read } for pid=582 comm="mediaextractor" name="meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file

uncrypt
avc: granted { getattr } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } for pid=6750 comm="uncrypt" name="fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Change-Id: Ibd51473c55d957aa7375de60da67cdc6504802f9

* changes:
  Allow wificond to drop privileges after startup
  Allow wificond to set interfaces up and down
  Allow wificond to clean up wpa_supplicant state
  Allow wificond to drop signals on hostapd
  Give wificond permission to start/stop init services
  Give hostapd permissions to use its control socket
  Allow wificond to write wifi component config files
  add netlink socket permission for wificond
  SEPolicy to start hostapd via init
  Allow system_server to call wificond via Binder
  Allow wificond to mark interfaces up and down
  Separate permissions to set WiFi related properties
  Define explicit label for wlan sysfs fwpath
  sepolicy: Add permissions for wpa_supplicant binder
  sepolicy: add sepolicy binder support for wificond
  Sepolicy files for wificond

Grant permissions observed.

(cherry picked from commit 9c820a11)

Merged-in: Ifdead51f873eb587556309c48fb84ff1542ae303
Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

am: 163c6080

Change-Id: Ia7e00dda7fea4e58c450c50ab7fd5fc709ebaa3e

(cherry picked from commit e8a53dff)

With the breakup of mediaserver, distinguishing between
camera_device and video_device is meaningful. Only grant
cameraserver access to camera_device.

Bug: 28359909
Change-Id: I0ae12f87bac8a5c912f0a693d1d56a8d5af7f3f3

am: 4e6655b5

Change-Id: I13896b6e919f8bd10573aa085bf73998e28f8661

isolated_app can already write to a file. Apps may want to append
instead of write.

Fixes: 30984610
Change-Id: I7a90b3311dcaff597f07930ceea0a23b29b0df2d

am: 47b373af

Change-Id: I58b6e0b40662e3fa5c771300f443d32cc40df3a3

wificond will now change user/group to wifi/wifi after
taking control of a particular path in the sysfs.

Bug: 29870863
Change-Id: I9ccb23f60a66d6850f3969c364288f8850044fed
Test: wificond unit and integration tests pass
(cherry picked from commit 8a04a313)

This is apparently a privileged ioctl.  Being able to do this allows us
to no longer kill hostapd with SIGTERM, since we can cleanup after hard
stops.

Bug: 31023120
Test: wificond unit and integration tests pass

Change-Id: Icdf2469d403f420c742871f54b9fb17432805991
(cherry picked from commit ca7b04ba)

system_server communicates with wpa_supplicant via various control
sockets.  Allow wificond to unlink these sockets after killing
wpa_supplicant.

Bug: 30666540
Change-Id: Ic1419a587f066c36723c24518952025834959535
(cherry picked from commit ba96cd1c)

Stopping hostapd abruptly with SIGKILL can sometimes leave the driver
in a poor state.  Long term, we should pro-actively go in and clean up
the driver.  In the short term, it helps tremendously to send SIGTERM
and give hostapd time to clean itself up.

Bug: 30311493
Test: With patches in this series, wificond can cleanly start and stop
      hostapd in integration tests.

Change-Id: Ic770c2fb1a1b636fced4620fe6e24d1c8dcdfeb8
(cherry picked from commit 762cb7c4)

Bug: 30292103
Change-Id: I433f2b8cc912b42bf026f6e908fd458a07c41fc2
Test: Integration tests reveal wificond can start/stop hostapd.
(cherry picked from commit 1faa9c55)

Bug: 30311493
Test: hostapd starts and stops reliably without complaining about
      permission to create the control directory, the control socket,
      or write to the control socket.

Change-Id: If8cf57cce5df2c6af06c8b7f28708e40876e948c
(cherry picked from commit cbabe363)

We need the ability to set file permissions, create files, write
files, chown files.

Test: integration tests that start/stop hostapd and write its config
      file via wificond pass without SELinux denials.
Bug: 30040724

Change-Id: Iee15fb36a6a4a89009d4b45281060379d70cd53c
(cherry picked from commit f83da142)

 wificond: type=1400 audit(0.0:43): avc: denied { create } for
 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket
 permissive=1

 wificond: type=1400 audit(0.0:44):
 avc: denied { setopt } for scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

 wificond: type=1400 audit(0.0:45):
 avc: denied { net_admin } for capability=12 scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=capability permissive=1

 wificond: type=1400 audit(0.0:46):
 avc: denied { bind } for scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

 wificond: type=1400 audit(0.0:47):
 avc: denied { write } for scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

 wificond: type=1400 audit(0.0:48):
 avc: denied { read } for path="socket:[35892]" dev="sockfs" ino=35892
 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket
 permissive=1

TEST=compile and run

Change-Id: I5e1befabca7388d5b2145f49462e5cff872d9f43
(cherry picked from commit 781cfd82)

While here, remove a lot of extra permissions that we apparently
had because hostapd was inheriting fds from netd.

Bug: 30041118
Test: netd can request init to start/stop hostapd without denials.

Change-Id: Ia777497443a4226a201030eccb9dfc5a40f015dd
(cherry picked from commit 8a6c5f85)

WifiStateMachin: type=1400 audit(0.0:24): avc: denied { call } for
scontext=u:r:system_server:s0 tcontext=u:r:wificond:s0 tclass=binder
permissive=0

Bug: 29607308
Test: Above denial disapears

Change-Id: I9b5cfe414683991ffb6308eea612ca6750f1b8ec
(cherry picked from commit 71fb20be)

avc: denied { create } for scontext=u:r:wificond:s0
tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0

avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0
tcontext=u:r:wificond:s0 tclass=capability permissive=0

avc: denied { read } for name="psched" dev="proc" ino=4026535377
scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file
permissive=0

Test: fixes above avc denials
Bug: 29579539

Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b
(cherry picked from commit b6a6561d)

wificond would like to be able to set WiFi related properties
without access to the rest of the system properties.  Today,
this only involves marking the driver as loaded or unloaded.

avc: denied { write } for name="property_service" dev="tmpfs" ino=10100
scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0

Bug: 29579539
Test: No avc denials related to system properties across
      various WiFi events.

Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f
(cherry picked from commit 1ebfdd6a)

avc: denied { write } for name="fwpath" dev="sysfs" ino=6863
scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0
tclass=file permissive=0

Test: wificond and netd can write to this path, wifi works
Test: `runtest frameworks-wifi` passes

Bug: 29579539

Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994
(cherry picked from commit 7d13dd80)

Add the necessary permissions for |wpa_supplicant| to expose a binder
interface. This binder interface will be used by the newly added
|wificond| service (and potentially system_server).
|wpa_supplicant| also needs to invoke binder callbacks on |wificond|.

Changes in the CL:
1. Allow |wpa_supplicant| to register binder service.
2. Allow |wpa_supplicant| to invoke binder calls on |wificond|.
3. Allow |wificond| to invoke binder calls on |wpa_supplicant|

Denials:
06-30 08:14:42.788   400   400 E SELinux : avc:  denied  { add } for
service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0
tcontext=u:object_r:default_android_service:s0 tclass=service_manager
permissive=1

BUG:29877467
TEST: Compiled and ensured that the selinux denials are no longer
present in logs.
TEST: Ran integration test to find the service.

Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662
(cherry picked from commit 18883a93)

This allows wificond to publish binder interface using
service manager.

Denial warnings:

wificond: type=1400 audit(0.0:8): avc:
denied { call } for scontext=u:r:wificond:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=1

wificond: type=1400 audit(0.0:9): avc:
denied { transfer } for scontext=u:r:wificond:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=1

servicemanager: type=1400
audit(0.0:10): avc: denied { search } for name="6085" dev="proc"
ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0
tclass=dir permissive=1

servicemanager: type=1400
audit(0.0:11): avc: denied { read } for name="current" dev="proc"
ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0
tclass=file permissive=1

servicemanager: type=1400
audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current"
dev="proc" ino=40641 scontext=u:r:servicemanager:s0
tcontext=u:r:wificond:s0 tclass=file permissive=1

servicemanager: type=1400
audit(0.0:13): avc: denied { getattr } for
scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process
permissive=1

SELinux : avc:  denied  { add } for
service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0
tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1

BUG=28867093
TEST=compile
TEST=use a client to call wificond service through binder

Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f
(cherry picked from commit d56bcb1c)

This sepolicy change allows wificond to run as a deamon.

BUG=28865186
TEST=compile
TEST=compile with ag/1059605
  Add wificond to '/target/product/base.mk'
  Adb shell ps -A | grep 'wificond'

Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d
(cherry picked from commit 4ef44a61)

Give debug versions the same rights as non-debug versions for
ART.

Change-Id: I9906d100c3857c3a87344ff37aabc53107562c61

am: f247dcba

Change-Id: Ie24129d68ee32fe0178dd0fe4aea4208e72f050f

Bug: 28746284
Change-Id: I59aa235ecba05e22aaa531e387a77f47267ac9ae

am: a67411c9

Change-Id: If2ab59c09b2ccf444281fdf9003e36119eb7295f

Bug: 28746284
Change-Id: Ib5e294402c549d8ed6764722220484c5655951a9

Ports check_seapp to pcre2.

Change-Id: If3faac5b911765a66eab074f7da2511624c3fc97