am: 51aba79e

Change-Id: If96c3cc3609531b26fd08eeccfd270c0aaf9400c

am: cd69bebf

Change-Id: I6f3c20144c971d5040ee325e8bc0e9cff70085a0

This reverts commit ed876a5e.

Fixes user builds.
libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; 
libsepol.check_assertions: 1 neverallow failures occurred 
Error while expanding policy
Bug: 69566734
Test: build taimen-user
Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4

am: c76a25c1

Change-Id: Id19c777177f6fa76ced96986017aa83000bca002

am: ed876a5e

Change-Id: Ic41e1b997968acfd68ade6e9b9901a4dd9b8d2d2

Commit 7688161c "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.

Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.

Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
    remaining failure appears to be caused by b/68133473
Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e

am: d41e6161

Change-Id: I334e4579f1ca0543a2f98b60537afa4325d3ab6f

am: b9ea282c

Change-Id: I77676d7adb39747b9195489ef83d72e57cdb3b59

am: 246b8071

Change-Id: I24fc854f684cc19a2af7fef367970f6dd7be6d3b

am: 11c5700f

Change-Id: I10a19ad706d053e1a7a8e9f5d07d7c30aad0a053

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f

Bug: 69175449
Bug: 69197466
Test: build
Change-Id: I11e46b65449cb6f451ecab8d4dff9adc162fe115

am: 063ad627

Change-Id: I8a0c87edb40473896bb304e09f81e187f9bac15b

am: df8d4b87

Change-Id: Ia617cd27b03de715772eb2d94205422ad8dfe745

Bug: 64831661
Test: adb shell cmd window tracing start && adb shell cmd window tracing stop
Test: adb shell su root dmesg | grep 'avc: '
Change-Id: I1578aac9e102246ec722c78a6e9efb5581259d81

am: 93760664

Change-Id: Ib76e6e19c62bd37e09568993aec0e00be2ef18e0

am: 9d9c370f

Change-Id: I9499a44812b32f7f2cde3d069722d442d21ad6da

Similar to the way we handle /dev/random and /dev/urandom, make
/proc/sys/kernel/random available to everyone.

  hostname:/proc/sys/kernel/random # ls -laZ
  total 0
  dr-xr-xr-x 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 .
  dr-xr-xr-x 1 root root u:object_r:proc:s0        0 2017-11-20 18:32 ..
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 boot_id
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 entropy_avail
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 poolsize
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 read_wakeup_threshold
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 urandom_min_reseed_secs
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 uuid
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 write_wakeup_threshold

boot_id (unique random number per boot) is commonly used by
applications, as is "uuid". As these are random numbers, no sensitive
data is leaked. The other files are useful to allow processes to
understand the state of the entropy pool, and should be fairly benign.

Addresses the following denial:

  type=1400 audit(0.0:207): avc: denied { read } for name="boot_id"
  dev="proc" ino=76194 scontext=u:r:untrusted_app_25:s0:c512,c768
  tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 69294418
Test: policy compiles.
Change-Id: Ieeca1c654ec755123e19b4693555990325bd58cf

am: 497e7aeb

Change-Id: I85c0ecaeabf37362b84497055db441aa64c92eb0

am: d4785c37

Change-Id: I41603590882cb4d70cb1636af5902edad1af0118

Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.

Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
    and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye

Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e

am: 21ce3450

Change-Id: Ic4cabef801675f28f6fe81c6034cff377ec59791

am: 0f5ad4e5

Change-Id: Idcf4b52877a51c2c330a72ba416076c686e29535

Exclude vendor processes.

Bug: 69309298
Test: cts-tradefed run cts -m CtsCompilationTestCases
    completed in 33s. 5 passed, 0 failed
Test: runtest frameworks-services -c \
    com.android.server.pm.dex.DexoptOptionsTests \
    --install=".*FrameworksServicesTests.apk"
    OK (5 tests)

Change-Id: Ic02caf373e2214b4b931a724ca8d4f4effbc0741

am: 51251212

Change-Id: Ie3194b1314cef76240ff518ac2b86e094b9baa81

am: 6faa3a1a

Change-Id: Ica1a165a67f4db803e69757009a14145bb17c5b9

am: a6966554

Change-Id: I8c09069290ffe1827212206b81616e9302bfe7ea

am: cd753d11

Change-Id: I01a332c51aa4a5c62e5b2bb4ba13565b48c46b88

am: dcd0baf6

Change-Id: I07782169b7a9b4ad05d8915e43599c0ae158fb2b

am: 97c86514

Change-Id: I170162843b04280105c76d4e5d7a8d3f89583588

Added access to proc_uptime and proc_asound to address these denials:

avc: denied { read } for name="uptime" dev="proc" ino=4026532080
scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
permissive=1

avc: denied { getattr } for path="/proc/asound/version" dev="proc"
ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
tclass=file permissive=1

Bug: 65643247
Test: device boots with no denial from 'shell' domain.
Test: lsmod, ps, top, netstat
Test: No denials triggered from CtsSecurityHostTestCases
Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
no denials from 'shell' domain to 'proc' type.

Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153

am: 92652912

Change-Id: Id419994de8b6ca9dc29e0cb3a3c0d05cd07b982a

am: 499fd010

Change-Id: Ifdf2102a4305b3aa51607e78a1c6ce529b45d382

am: 1bd4443a

Change-Id: Ia72d55f0a38fb9415166d5cf03cd67b2e9e2162c