- Apr 28, 2017
-
Jeff Vander Stoep authored
Adding the default label/mapping is important because:

1. Lookups of services without an selinux label should generate a denial.
2. In permissive mode, lookups of a service without a label should be allowed; without the default label, service manager disallows access.
3. We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services. Add/find of unlabeled vendor services generate a denial.
Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
-
- Apr 25, 2017
-
Alex Klyubin authored
am: 68266d06 Change-Id: I6d7f435636dc240da6cab0e0412ad84d90482848
-
Alex Klyubin authored
am: a8a03c84 Change-Id: I1157c928baa664d196ef0c81741ef6ffd24ba9b2
-
Alex Klyubin authored
This is a follow-up to cbc0d2bb which introduced the typos. Test: mmm system/sepolicy -- comments only change Bug: 37640821 Change-Id: Ibe0eda0b3ee9bbfb1e33ef98f2e81267ec580e59
-
Alex Klyubin authored
am: 406fbf50 Change-Id: I5a883b0b1bc35cebe19aebecd56cfb83b3661695
-
Alex Klyubin authored
am: 53b2c809 Change-Id: I0b2d4db7bbd33abde41229d6e40a4a2ef1f89085
-
TreeHugger Robot authored
-
Joel Scherpelz authored
am: cadce81f Change-Id: I0f9a0a628ae6b1c6833c297715a7a968b3e2546e
-
Joel Scherpelz authored
am: 7a1074d2 Change-Id: I2dc21f2e4cb0fee5f072779728bb0a9394915d08
-
Joel Scherpelz authored
-
nharold authored
-
Joel Scherpelz authored
iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access. Bug: 37648320 Test: dumpstate succeeds with no avc: denied ... xtables.lock messages Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
-
Alex Klyubin authored
am: c29f6955 Change-Id: I30f34d3397d1e8868793785e1d9441ebdf312cff
-
Alex Klyubin authored
am: 3f6b7ff0 Change-Id: I0639248d7f1e2ed1012a563c9b0b4db1fb651bb4
-
TreeHugger Robot authored
-
Alex Klyubin authored
am: 3b130767 Change-Id: Ia3b0df9ebc90548e75ee0d416ae15360feb3cd41
-
Alex Klyubin authored
am: f84989e5 Change-Id: I4391c7b44d495efadf39b8f14cfccfe2d966b419
-
TreeHugger Robot authored
-
- Apr 24, 2017
-
Jeffrey Vander Stoep authored
am: 90b1abcc Change-Id: I6650f12248ec07ec223026caca83d18de8d049fe
-
Jeffrey Vander Stoep authored
am: e5f4d874 Change-Id: Ibd9708b1db37e54946c856b7c52c1e1a7eb7c58d
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Bug: 37646565 Test: build marlin-userdebug Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
-
Jeff Vander Stoep authored
am: 38f3692f Change-Id: I0f20794644b2d5e8d7f01aebc84871c907028cd7
-
Alex Klyubin authored
am: 7b021be4 Change-Id: I0e93aecc3b40a3d00bfdea354fe9a4987b28fabb
-
Jeff Vander Stoep authored
am: 4d71b96e Change-Id: I363c0ce1fc27d560da94b857d54a5149467d56ba
-
TreeHugger Robot authored
-
Alex Klyubin authored
This adds a neverallow rule which checks that SELinux app domains which host arbitrary code are not allowed to access hwservicemanager operations other than the "find" operation, for which there already are strict neverallow rules in the policy. Test: mmm system/sepolicy -- neverallow-only change Bug: 34454312 Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7
-
Alex Klyubin authored
Test: mmm system/sepolicy -- this is just a comment change Bug: 37640821 Change-Id: I28c27b369268e75ab6b2d27bcb30b88acb2732e6
-
Alex Klyubin authored
Test: mmm system/sepolicy -- this is just a comment change Bug: 37640900 Change-Id: I7c96dde15f74822a19ecc1b28665913b54b3973b
-
Alex Klyubin authored
am: 2a7f4fb0 Change-Id: Ia77557e2ef5aa124cb0d4a9e5f05300005a97bfd
-
Jeff Vander Stoep authored
Fixes issue where attributes used exclusively in neverallow rules were removed from policy.

For on-device compile use the -N flag to skip neverallow tests.

Policy size increases:
vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
system/etc/selinux/plat_sepolicy.cil 567664 -> 745230
For a total increase in system/vendor: 266182.

Boot time changes:
Pixel uses precompiled policy so boot time is not impacted. When forcing on-device compile on Marlin selinux policy compile time increases 510-520 ms -> 550-560 ms.

Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
-
Alex Klyubin authored
App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold:

1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layers of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model.

HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already has, because these services run in the process of the client.

This commit thus introduces these two categories of HwBinder services in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
-
- Apr 22, 2017
-
TreeHugger Robot authored
-
Alex Klyubin authored