am: d5931d97

Change-Id: Ic4eb8ed411864915d479c8a520a14119c818f196

am: 7dc46564

Change-Id: I104adbce8a2392377b18f1ffc24d591724d5d3db

am: 6a28b68d

Change-Id: I774787b48c0b5f6f20313ee6f9c8062db4072e84

Commit 7688161c "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug

Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc

am: da071ea1

Change-Id: I6b400fd0996c103c98bb6f6c00c6ef58cd83d566

am: 5a30dc36

Change-Id: I5e5a7d55814a03d9e4cd8da851856be2bbbb14f0

am: 4fbbd147

Change-Id: I304c54a480b150a8c910f268ccf84869dfb7e3f5

am: c151962e

Change-Id: I819cbfdc586651c5f7ba64aedb6a66432ad174da

am: 4fb7f127

Change-Id: Id5194fd7303fbc43d9139fd56d438b66805f3ab4

am: 0629dedc

Change-Id: I576b7b98ba147c97a992ea3c65239060c4cec51e

Remove a number of SELinux rules which were required to support file
based OTA. After this, we can have a much stronger assertion that files
on /system are immutable. Tighten up the neverallow rules at the same
time.

Bug: 35853185
Bug: 15575013
Test: adb reboot recovery && adb sideload [file]
Change-Id: I4238d17808bed6a81f47e14eb1797496c07642e2

am: 5b295d30

Change-Id: I0f18c8fd43bfbce55c883f35ef27499c840e0ca0

am: 54242ffa

Change-Id: I3879dd096cddf7dbf8e3a83b2a708ed14ff334b5

am: 18cb4dae

Change-Id: Ibbaef489e45195aa105b6df09bb7378481ab2d06

am: 7a1af958

Change-Id: I19c63133e7ecf5dbbb9feeac9efc72d627448af2

am: 51aba79e

Change-Id: If96c3cc3609531b26fd08eeccfd270c0aaf9400c

am: cd69bebf

Change-Id: I6f3c20144c971d5040ee325e8bc0e9cff70085a0

This reverts commit ed876a5e.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4

am: 32663d46

Change-Id: I17de5133481362dc5d8d102745c31fc8b0e797cd

am: c76a25c1

Change-Id: Id19c777177f6fa76ced96986017aa83000bca002

am: ed876a5e

Change-Id: Ic41e1b997968acfd68ade6e9b9901a4dd9b8d2d2

Commit 7688161c "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e

am: 44957a90

Change-Id: I363639d2cdf70b1772da3d6c7f7c814554063dfc

am: d41e6161

Change-Id: I334e4579f1ca0543a2f98b60537afa4325d3ab6f

am: b9ea282c

Change-Id: I77676d7adb39747b9195489ef83d72e57cdb3b59

Test: build
Bug: 63710530
Change-Id: I85cddfaf3ec004165040935f8723e9eed0ef7900

am: 496f9461

Change-Id: I9b2548e2116deac8960b57878b41ad14aea05523

am: 246b8071

Change-Id: I24fc854f684cc19a2af7fef367970f6dd7be6d3b

am: 11c5700f

Change-Id: I10a19ad706d053e1a7a8e9f5d07d7c30aad0a053

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f

Bug: 69175449
Bug: 69197466
Test: build
Change-Id: I11e46b65449cb6f451ecab8d4dff9adc162fe115

am: 06d0fdc9

Change-Id: Iffe0682a5c5035624a96025c122156eb276ce3ec

am: 063ad627

Change-Id: I8a0c87edb40473896bb304e09f81e187f9bac15b

am: df8d4b87

Change-Id: Ia617cd27b03de715772eb2d94205422ad8dfe745