Bug: 73354384
Test: manual
Change-Id: Iaaeded69c287eae757aaf68dc18bc5a0c53b94e6

See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Change-Id: I891a0209be981d760a828a69e4831e238248ebad

This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed
(cherry picked from commit dce07413)

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d0)

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
(cherry picked from commit 7d4294cb)

Bug: 74182216
Change-Id: Ia1c6b67ac93ed6e88c50c1527b48275365bf5fd5
Test: build policy

This reverts commit 4e79b64e.

Reason for revert: broke something internal

Change-Id: Iec5f2c17fc768424c0b82936a069e42de0b66555

Access to these files was removed in Oreo. Enforce that access is not
granted by partners via neverallow rule.

Also disallow most untrusted app access to net.dns.* properties.

Bug: 77225170
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I85b634af509203393dd2d9311ab5d30c65f157c1

These denials occur fairly often, causing some logspam.

Bug: 77225170
Test: Boot device.
Merged-In: Icd73a992aee44007d0873743f706758f9a19a112
Change-Id: Icd73a992aee44007d0873743f706758f9a19a112
(cherry picked from commit a66d1a45)

Bug: http://b/73140330
Test: boots
Change-Id: I8fd27c6eb8c99870cb77019ae06bdb46a934ffc9

Bug: 74182216
Test: build policy
Change-Id: Ice800c571e9be469dffa212c478c10e63b80deca

We only need this change for aosp devices. Internal sepolicy for healthd
domain is different and does not need this.

Addresses this denial:
avc: denied { open } for path="/sys/class/power_supply" dev="sysfs"
ino=25340 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=1

Test: $OUT/vendor/etc/selinux/precompiled_sepolicy contains the new
permission.
Change-Id: Ie47c231af800026fd9d8a1f752253bb338768c13

The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.

Test: Device boots and no more denials when call back is delivered to
      apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a

Give statsd rights to connect to perfprofd in userdebug.

Test: mmma system/extras/perfprofd
Change-Id: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd

A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4

Use the user policy when running the compatibility tests.

Bug: 74344625
Test: Built policy for many devices.  Booted one device.
Test: Delete some compat rules, verify error on userdebug.
Change-Id: Ib2df2dfc06cdf55a839011e9a528e76160a9e436

Suppress WAI denials from crashdump.

Test: build/flash Taimen. Verify no new denials.
Bug: 68319037
Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16
(cherry picked from commit cc0304cf)

Verify that the SELabels used in property_contexts correspond to a
real type in the SEPolicy and that this type has the property_type attribute.

Additionally add a check that vendor property_context files do not
duplicate entries in plat property_contexts, and a similar check that
odm property_contexts doesn't duplicate either plat or vendor
property_contexts.

Bug: 74078792
Test: Build property_contexts on bullhead successfully
Test: See failure when using a faulty SELabel in property_contexts
Test: See failure when duplicating label in vendor and plat property_contexts
Change-Id: I4d2338dab68f1c5a8ed110aa7821f0677f61bafb

This reverts commit 6f2040f8.

Reason for revert: not needed anymore after ag/3773705
This was meant to allow system_server toggling the property on/off.
Later we realized that we needed a separate property for that 
(see discussion in b/76077784) and system server happens to
have already permissions to write to sys.* properties even without
this CL.
Reverting because at this point this creates just unnecessary clutter.

Change-Id: Ia73d000aad3c4288a5652047dfe10896e231b0b1
Test: perfetto_integrationtests
Bug: 76077784

This allows an optimization that consists in the "perfetto" cmdline
client passing directly the file descriptor for the output trace
to traced (as opposite to having traced streaming back the trace
data to "perfetto" and having that one doing the write() into file).
This reduces sensibly the memory traffic and CPU overhead of traces
with a minor change.

Bug: 73625179
Test: builds + perfetto_integrationtests w/ long_trace.cfg
Change-Id: I81f5a230338ced20dc543fd91c5a0bd0e58725f2

The permission to allow system_server to access sys/fs/bpf/ directory
is missing. Add it back so it can get the bpf maps from the bpf_fs.

Test: device boot and no more denial information of system_server try to
searcg in fs_bpf
      atest android.net.cts.TrafficStatsTest
Bug: 75285088

Change-Id: I1040cde6c038eccc4e91c69a10b20aa7a18b19f6

Types in sysfs should have the sysfs_type attribute, types in
debugfs and tracefs should have the debugfs_type attribute.

TODO: Test that files in procfs have the proc_type attribute.
TODO: Assert these tests in CTS.

Bug: 74182216
Test: build - these are build-time tests.
Change-Id: Icf0ff2a26c05f94da421ba23df0b92d8eef906bf