am: 0e0ed156

Change-Id: Ic73d84dacc95d5b902dc6c9530b98e53d71574f1

am: 6351c374

Change-Id: I16cbe7b654532367829a0df2dcfa929c38e547fd

This reverts commit 57e9946f.

Bug: 62616897
Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
    not break.

Signed-off-by: Sandeep Patil <sspatil@google.com>

am: 3e307a4d

Change-Id: I90e567c8138fa75bf792af181890d0af627b6f48

The tetheroffload hal must be able to use network sockets as part of
its job.

Bug: 62870833
Test: neverallow-only change builds.
Change-Id: I630b36340796a5ecb5db08e732b0978dd82835c7

Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP.  As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app.  This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition.  Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.

Bug: 62806062
Test: neverallow-only change builds.  Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832

am: 330d4477

Change-Id: Ice6c84f53d50b7fa987ea4e7259ecda4c64673aa

This is to Allow commands like `adb shell run-as ...`.

Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
(cherry picked from commit 1847a38b)

am: 6e46ccdf

Change-Id: I5241333ec9099c7db3154cfcdb41003c65e235a0

am: 3b7d9e49

Change-Id: I5f12ae2d4c00efe648d1eecbe8a322de93e6447d

run-as uses file descriptor created by adbd when running
`adb shell -t run-as xxx`. It produces audit warnings like below:

[ 2036.555371] c1    509 type=1400 audit(1497910817.864:238): avc: granted { use } for pid=4945 comm="run-as" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:r:adbd:s0 tclass=fd

Bug: http://b/62358246
Test: test manually that the warning disappears.
Change-Id: I19023ac876e03ce2afe18982fe753b07e4c876bb

am: 58d0d1e4

Change-Id: Ia53beb365c39d501c9d6cd53a4cb72dec14b610b

am: b5aeaf6d

Change-Id: Ibcf17f7bbea4923abc5d1713227568bb35c6674b

This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>

Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762

am: 3692b318

Change-Id: Ide1a5455e2b279ac1532bbdb88e852dba3ee2b28

am: d3381cd9

Change-Id: Iaabe00cb6e919b4e35896c0d9ef1770aee3b2363

* changes:
  build: run neverallow checks on platform sepolicy
  radio: disalllow radio and rild socket for treble devices

am: 04306859

Change-Id: I3eb542cced980ce94425110d8dc8e58aeb122607

am: 2122f1fe

Change-Id: I05f0b28b9e6622477fe2fa4b041ea03c5744f82c

am: e9381d5e

Change-Id: Ic2192d5128543f28d2f91c4aedabab08b01669e5

Now that we're expected to use this when taking traces, we need to add
this permission so that Traceur can also access this file.

Test: Used Traceur and saw the traces appear in the bugreports
directory, as expected.
Bug: 62493544

Change-Id: Ib4304176abbb51e2e3b45c566ff14574e1cfaa82
Merged-In: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53
(this merged-in is not the same change; it's a conflicting change in
master)

This will prevent us from breaking our own neverallow rules
in the platform sepolicy regardless of vendor policy adding
exceptions to the neverallow rules using "*_violators" attributes

Bug: 62616897
Bug: 62343727

Test: Build policy for sailfish
Test: Build policy with radio to rild socket rule enabled for all
      and ensure the build fails

Change-Id: Ic66ec3e10c76a7c9a17669e0d3deb3a1c7b00809
Signed-off-by: Sandeep Patil <sspatil@google.com>

This violates the socket comms ban between coredomain (radio) and
non coredomain (rild) in the platform policy.

Bug: 62616897
Bug: 62343727

Test: Build and boot sailfish

Change-Id: I48303bbd8b6eb62c120a551d0f584b9733fc2d43
Signed-off-by: Sandeep Patil <sspatil@google.com>

am: 5ee87b00

Change-Id: Id2dc995f88a60fe865387453234e3630a9975381

am: abb1ba65

Change-Id: I7765bfd350deb50847e83a1d3b5d7399206b4b9d

In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570

am: b236eb6c

Change-Id: I60a92781a5b923889e627d73e8922aca2607b67b

[    7.674739] selinux: selinux_android_file_context: Error getting
file context handle (No such file or directory)

Bug: 62564629
Test: build and flash marlin. Successfully switch between regular
    and recovery modes

Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35

am: 7a68c5ae

Change-Id: Ide9c5ccdc2002972f311c9829c573b98f12fea44

This is used to persist RFC 7217 stable secrets across device reboots.

First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I0a609c724799a15b1926e62534c16810d34f2275

This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.

Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.

Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1

am: edcfb2e1

Change-Id: I86565448fa4d5ccd412772825decb5dc62cd6343

am: 06486796

Change-Id: Ia575329a0d4e83ff0d3a70b30ad3ef7e026c42f1

This broke the build on master. See b/17613910#comment17
for details.

This reverts commit ef1fd98b.

Change-Id: I11f7d463061a9b6340c11827135586266e26f016