- Sep 13, 2016
-
-
Jeffrey Vander Stoep authored
-
Jeffrey Vander Stoep authored
-
Jeffrey Vander Stoep authored
-
Andreas Gampe authored
(cherry picked from commit 8cac2586) More read rights are required now. Bug: 25612095 Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42
-
Treehugger Robot authored
-
Treehugger Robot authored
-
- Sep 12, 2016
-
-
Andreas Gampe authored
(cherry picked from commit d47c1e93) To include target slot names in the naming of A/B OTA artifacts, a new path has been implemented. Instead of passing through the system server and forking off of installd, otapreopt_chroot is now driven directly from the otapreopt script. Change the selinux policy accordingly: allow a transition from postinstall to otapreopt_chroot, and let otapreopt_chroot inherit the file descriptors that update_engine had opened (it will close them immediately, do not give rights to the downstream executables otapreopt and dex2oat). Bug: 25612095 Bug: 28069686 Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb
-
David Brazdil authored
(cherry picked from commit cf63957d) This is needed in order to include profile files in bugreports. Bug: 28610953 Change-Id: I025189a4ac66b936711fdb4e20b10c2b0a7427d1
-
Geoffrey Pitsch authored
(cherry picked from commit ad5b4be3) Required for using native audio in BootAnimation Bug: 29055299 Change-Id: Ie75d35219be95a8dc697cc3c0384a4de90ea3478
-
Jeffrey Vander Stoep authored
* changes:
  fix build: exclude bluetooth from neverallow restriction
  Remove platform_app from neverallow execute from /data
  Rework neverallow for /data execute permission
-
Christopher Wiley authored
This addresses error messages like:
  11-30 18:00:15.196 6917 6917 W Binder:6596_2: type=1400 audit(0.0:46): avc: denied { fowner } for capability=3 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0
  11-30 18:00:15.200 6596 6917 E /system/bin/netd: android::WriteStringToFile fchmod failed: Operation not permitted
  11-30 18:00:15.200 6596 6917 E Netd : failed to write to /data/misc/net/rt_tables (Operation not permitted)
Bug: 31147892
Change-Id: Id11704f8e2b8c08db92de374ed44913b70d6ae66
-
Nick Kralevich authored
Bluetooth is sometimes started from init. Addresses the following compiler error:
  libsepol.report_failure: neverallow on line 489 of system/sepolicy/domain.te (or line 9149 of policy.conf) violated by allow init bluetooth:process { transition };
  libsepol.check_assertions: 1 neverallow failures occurred
  Error while expanding policy
(cherry-picked from commit 7e380216)
Change-Id: I2bc1e15217892e1ba2a62c9683af0f3c0aa16b86
-
Nick Kralevich authored
Apparently some manufacturers sign APKs with the platform key which use renderscript. Renderscript works by compiling the .so file, and placing it in the app's home directory, where the app loads the content. Drop platform_app from the neverallow restriction to allow partners to add rules allowing /data execute for this class of apps. We should revisit this in the future after we have a better solution for apps which use renderscript. (cherry picked from commit c55cf17a) Bug: 29857189 Change-Id: I058a802ad5eb2a67e657b6d759a3ef4e21cbb8cc
-
Eino-Ville Talvala authored
Previously appdomains allowed to execute off of /data were whitelisted. This had the unfortunate side effect of disallowing the creation of device specific app domains with fewer permissions than untrusted_app. Instead grant all apps a neverallow exemption and blacklist specific app domains that should still abide by the restriction. This allows devices to add new app domains that need /data execute permission without conflicting with this rule. Bug: 26906711 (cherry picked from commit c5266df9) Change-Id: I4adb58e8c8b35122d6295db58cedaa355cdd3924
-
Treehugger Robot authored
-
Jeff Vander Stoep authored
No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I7713a9ad9a1604b17119ecad4970e2aa46c15bd0
-
Jeff Vander Stoep authored
No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I6bd9525b663a2bdad4f5b2d4a85d3dd46d5fd106
-
- Sep 11, 2016
-
-
Jeff Vander Stoep authored
Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
-
- Sep 10, 2016
-
-
Jeff Vander Stoep authored
Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
-
Treehugger Robot authored
-
Jeff Vander Stoep authored
Fix file diffs. Change-Id: Iac673c718b49779bba380e75ddd083caf6a2a1c3
-
- Sep 09, 2016
-
-
Jeff Vander Stoep authored
Bug: 31364540 Change-Id: I2e11ef4666048c94b4754d50de74d1c526c6933c
-
Jeffrey Vander Stoep authored
-
Ruchi Kandoi authored
(cherry picked from commit 8f40b41e) bug 24503801 Change-Id: I6cf1afb3982c4da4f5e57188d3e24ac01c4bd416
-
- Sep 07, 2016
-
-
Treehugger Robot authored
-
Dmitry Shmidt authored
Bug: 31246864 Change-Id: I8319e632b3be1e558dfc550453b8298914c89064 Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
Christopher Wiley authored
Bug: 30041228 Test: WiFi tethering, client mode continues to function Change-Id: I95a583ad4d57642f4731e415abb77732df5289ac (cherry picked from commit fb5b13ee)
-
- Sep 01, 2016
-
-
Treehugger Robot authored
-
Josh Gao authored
Bug: http://b/29622562 Change-Id: I21bc79f31ffd0b002b4a25d3ceefaf12f42f05c4
-
Dmitry Shmidt authored
-
Christopher Wiley authored
Newer kernels apparently introduce a new SELinux label "netlink_generic_socket". AOSP is missing some patches for ioctl whitelisting and it was suggested we add unpriv_socket_ioctls as a stopgap. Bug: 31226503 Change-Id: Ie4dd499925f74747c0247e5d7ad0de0f673b5ed2
-
- Aug 31, 2016
-
-
Treehugger Robot authored
-
- Aug 29, 2016
-
-
Douglas Leung authored
This patch allows mips to boot in enforcing mode. Change-Id: Ia4676db06adc3ccb20d5f231406cf4ab67317496
-
Jeff Vander Stoep authored
am: c8820d04 -s ours Change-Id: I7a9086cbd781d8e4450564f6c7c1697fd14643f6
-
Jeff Vander Stoep authored
am: 3dfef1fd -s ours Change-Id: Ia0adf841c0b37647c27fe31b805abcf3cff4d62c
-
Jeff Vander Stoep authored
am: fe8d6739 -s ours Change-Id: I199ff6989c4acceb1878062ce9086ad9da6444b2
-
Jeff Vander Stoep authored
(cherry picked from commit 48d68a64)
Remove audit messages. Addresses:
  avc: granted { read } for pid=1 comm="init" name="cmdline" dev="proc" ino=4026535448 scontext=u:r:kernel:s0 tcontext=u:object_r:proc:s0 tclass=file
  avc: granted { read open } for pid=1 comm="init" path="/proc/cmdline" dev="proc" ino=4026535448 scontext=u:r:kernel:s0 tcontext=u:object_r:proc:s0 tclass=file
Bug: 28760354
Change-Id: I48ea01b35c6d1b255995484984ec92203b6083be
-
Jeff Vander Stoep authored
(cherry picked from commit 8486f4e6)
Grant observed permissions
Addresses:
init
  avc: granted { use } for pid=1 comm="init" path="/sys/fs/selinux/null" dev="selinuxfs" ino=22 scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=fd
mediaextractor
  avc: granted { getattr } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
  avc: granted { read } for pid=582 comm="mediaextractor" name="meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
  avc: granted { read open } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
uncrypt
  avc: granted { getattr } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file
  avc: granted { read } for pid=6750 comm="uncrypt" name="fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file
  avc: granted { read open } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file
Bug: 28760354
Change-Id: Ibd51473c55d957aa7375de60da67cdc6504802f9
-
Mitchell Wills authored
* changes:
  Allow wificond to drop privileges after startup
  Allow wificond to set interfaces up and down
  Allow wificond to clean up wpa_supplicant state
  Allow wificond to drop signals on hostapd
  Give wificond permission to start/stop init services
  Give hostapd permissions to use its control socket
  Allow wificond to write wifi component config files
  add netlink socket permission for wificond
  SEPolicy to start hostapd via init
  Allow system_server to call wificond via Binder
  Allow wificond to mark interfaces up and down
  Separate permissions to set WiFi related properties
  Define explicit label for wlan sysfs fwpath
  sepolicy: Add permissions for wpa_supplicant binder
  sepolicy: add sepolicy binder support for wificond
  Sepolicy files for wificond
-
Jeff Vander Stoep authored
Grant permissions observed. (cherry picked from commit 9c820a11) Merged-in: Ifdead51f873eb587556309c48fb84ff1542ae303 Bug: 28760354 Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303
-