Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c

Only untrusted apps had privilegs to read file descriptors passed in
from traceur, which was an oversight. This fixes the policy so that priv
apps can also access file descriptors from traceur in order to read
reports shared from traceur.

Bug: 74435522
Test: better bug has access to reports shared from traceur
Change-Id: I591872cdac31eec62edbc81d95f1220f1152427f

Provide read/write access to audioserver for Bluetooth
properties used with A2DP offload.

Bug: 68824150
Test: Manual; TestTracker/148125
Change-Id: I40c932d085ac55bc45e6654f966b2c9d244263d0
(cherry picked from commit 041049bc7a4e29dcca48e2c068b92aa8a8157d90)

Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8bf14466b6431a21bc5ccd4bf6ca3ea)

This reverts commit 016f0a58.

Reason for revert: Was temporarily reverted, merging back in with fix.

Test: Basic telephony sanity, treehugger
Bug: 74486619
Bug: 36427227
Merged-in: Ide68726a90d5485c2758673079427407aee1e4f2
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2
(cherry picked from commit 312248ff)

This reverts commit aed57d4e.

Reason for revert: This CL is expected to break pre-submit tests (b/74486619)

Merged-in: I103c3faa1604fddc27b3b4602b587f2d733827b1
Change-Id: I0eb7a744e0d43ab15fc490e7e7c870d0f44e1401

Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Merged-in: If892b28416d98ca1f9c241c5fcec70fbae35c82e
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e

This should fix presubmit tests.

Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7
(cherry picked from commit 2995e996)

Remove a fixed bug from bug_map.

Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef
(cherry picked from commit f3f93eaf)

Sub directories under /odm (or /vendor/odm when there isn't an odm
partition) are labeled so that artifacts under the sub directories are
treated the same as their counterpart in the vendor partition.

For example, /odm/app/* is labeled as vendor_app_file just like
/vendor/app/*.

Bug: 71366495
Test: m -j

Change-Id: I72a14fd55672cd2867edd88ced9828ea49726694

Test: eSE initializes at boot
Bug: 64881253
Change-Id: Ib2388b7368c790c402c000adddf1488bee492cce

This reverts commit 54a86e2b.

Reason for revert: Broke user builds, see go/twqpd

system/sepolicy/private/traced_probes.te:46:ERROR 'unknown type atrace' at token ';' on line 34879:
# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
allow atrace traced_probes:fd use;
checkpolicy: error(s) encountered while parsing configuration
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf

Change-Id: I24440e1928700530b63b70b658c63046cdcdc5de

ADB is being separated from USB service since it's not tied to the USB
transport. This duplicates the usb_service's settings to adb_service for
this purpose.

Bug: 63820489
Test: make
Change-Id: Idbcfbe470d7568f9cba51f0c8d4a8ee9503db93d

Bug: 72177715
Bug: 72384374
Test: flash device and make sure incidentd is getting data without SELinux denials
Change-Id: I684fe014e19c936017a466ec2d6cd2e1f03022c0

With the new patches backported to 4.9 kernels, the bpf file system now
take the same file open flag as bpf_obj_get. So system server now need
read permission only for both bpf map and fs_bpf since we do not need
system server to edit the map. Also, the netd will always pass stdin
stdout fd to the process forked by it and do allow it will cause the
fork and execev fail. We just allow it pass the fd to bpfloader for now
until we have a better option.

Test: bpfloader start successful on devices with 4.9 kernel.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
Bug: 74096311
Bug: 30950746

Change-Id: I747a51cb05ae495c155e7625a3021fc77f921e0d

This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: I10882e7adda0bb51bf373e0e62fda0acc8ad34eb

This CL adds the SELinux permissions required to execute
atrace and get userspace tracing events from system services.
This is to enable tracing of events coming from surfaceflinger,
audio HAL, etc.
atrace, when executed, sets a bunch of debug.atrace. properties
and sends an IPC via binder/hwbinder to tell the services to
reload that property.

Change-Id: I2b0a66dcb519cb296e1d0e6e3f15a425dc809089
Bug: 73340039

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

avc: denied { getattr } for path="/vendor/framework"
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0
tclass=dir

Bug: 68826235
Test: boot Taimen, verify denials no longer occur.
Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88

Now that Bluetooth supports delay reporting, audioserver needs
access to Bluetooth Properties in order to determine whether the
feature is enabled or disabled.

Bug: 32755225
Test: Enable the property and see that there was no error accessing it
Change-Id: I519d49deb2df4efb3cc2cce9c6d497db18b50c13

Remove a fixed bug from bug_map.

Bug: 73068008
Test: Built policy.
Change-Id: Id0072788953cb6b939a11caace0158da7799f540

Updates statsd sepolicy so it can use the thermal hal.

Test: verified these policies solved sepolicy issues with thermal hal.
Change-Id: I36839a72494b084d5742c4d83c3ce9814102b974

Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I19252eb743e6527cbe262b1e066a3f67f7186994

These two selinux policy violations keep showing up from statsd's CTS
tests, although statsd and the CTS test seemed to function fine despite
them. Nonetheless, they seem reasonable to add to the list.

Bug: 73548694
Test: N/A. It didn't seem to be causing any issues in the first place.
Change-Id: Id36c5229c0d7de83675166caeb07c87b719dc374

Relevant denies:

[    2.560660] type=1400 audit(1519404055.529:9): avc: denied { read }
for pid=896 comm=traced_probes name=system dev=sda22 ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Allowing only read then gives:
[    2.554718] type=1400 audit(1519404863.506:9): avc: denied { open }
for pid=890 comm="traced_probes" path="/system" dev="sda22" ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Test: flashed and ran directory listing code.
Bug: 73625480

The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08

This required for kernel to do loopback mounts on filesystem
images created by the kernel system call tests in LTP.

Add a corresponding neverallow to stop all domains from accessing
the location at /data/local/tmp/ltp.

Bug: 73220071
Test: Boot sailfish successfully
Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04

Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: 73720684
Bug: 73720684
Test: m
Test: BootTest on taimen
Change-Id: I5a58fd1cce568cc50ba791f445f5c148eb87b474

The previous selinux rules obtained via audit2allow didn't really
work with the case of apps connecting to the producer socket,
despite all the allow rules being correctly in place.
This was failing our CTS tests.

The reason for the failure (see denials pasted below) is due to
Multi Level Security (for multi-user), which was still preventing
apps form a different level to connect to the traced producer
socket and write to the shmem buffers they get passed back.
This CL tags the objects being accessed as mlstrusted.
CTS tests pass with this CL.

Denials:
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" name="traced_producer" dev="tmpfs" ino=23629 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=8545 comm="traced_probes" path="/dev/socket/traced_producer" scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:r:traced:s0 tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=8545 comm="traced_probes" path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=104483 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Change-Id: I1598bc0b07bf39b8d0420b66caf06a4ca884f383
Bug: 73340039
Test: CtsPerfettoTestCases

Bug: 73660835
Test: With the other commit on this topic, clearing all trace files via
the app works properly.

Change-Id: I27a4a5a14d9afe817683f1b046a644648a84badc

To upload configs and download output, this line
is needed.

Bug: 72961153
Test: The statsd cts test passes
Change-Id: I0943cc841881dd5d15e24ba444b146087a81bf96

This reverts commit bf0c2a59.

Bug:68126425
Test: No apps affected by not being able to run in shell domain
Change-Id: I8b93eecd023fbb392a98253d721dad75f79b61f4
Merged-In: I8b93eecd023fbb392a98253d721dad75f79b61f4

This is to allow to leave audit trails in dmesg to cross-correlate
kernel panics with perfetto ftrace activity.

Bug: 73340039
Change-Id: I575a537553adc75378783c37c84350581250614d

These denials seem to be caused by a race with the process that labels
the files.  While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c

In this architecture, the system_server instructs the zygote to fork a
child-zygote to be the webview_zygote. The system_server tells this new
zygote to listen for fork requests on a random abstract unix socket of
its choosing.

A follow-up CL will remove the rules for starting webview_zygote via
init.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I864743943c11c18de386010ecd4b616721cb9954
Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e

CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02

Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8

This should fix presubmit tests.

Bug: 68319037
Test: Built policy.
Change-Id: I0c3bc08c9b114e7a3737cdb3005fb59b2df47d55

This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: Ib17d2a5e1635ff661d39d14169652f88b7a6e4f5

This should fix presubmit tests.

Bug: 73128755
Test: Built policy.
Change-Id: Ie389de04360090594e627e629a59a60092dda6ca