recovery exec /system/bin/{mke2fs,e2fsdroid} to format userdata

Bug: 35219933
Change-Id: I77e75c2dc55d4bea7984707f27bc215de186c4d1

Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)

Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e

Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762

One of my previous commits removed this, so I am now restoring it.

This commit also contains a bit of cleanup from previous commits by
removing some unneeded types.

It also fixes traceur by porting ag/2409144 to master.

Bug: 62413700, 62547086
Test: Built, flashed, and booted Marlin.  Verified that the files have
the correct context.  Verified that atrace and traceur work.

Change-Id: I76fa0e9060aff554687d57ab3976c8704a4068f0

avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Fixes: 62619253
Test: policy builds, no more "granted" messages in dmesg for recovery.
Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3

This violates the socket comms ban between coredomain (radio) and
non coredomain (rild) in the platform policy.

Bug: 62616897
Bug: 62343727

Test: Build and boot sailfish

Change-Id: I48303bbd8b6eb62c120a551d0f584b9733fc2d43
Signed-off-by: Sandeep Patil <sspatil@google.com>

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: I47b4e79260bcd2967d85d8151c83e624d432f409

This reverts commit 527f64e6.

Change-Id: Ibc48af53431a8f7c7211999dcb571f492fb5ddb4

In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: Ia57dbbc3987d8858c932103c4e546cbb88893207

This is used to persist RFC 7217 stable secrets across device reboots.

First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I0a609c724799a15b1926e62534c16810d34f2275

This reverts commit 50889ce0.

Bug: 62427402
Test: Build and boot.
Change-Id: I32eae7997c901981d3228b61f33322a7c2c84301

This will be enforced by build-time and CTS tests.

Test: build policy
Change-Id: Ie852fa59670969a2352a97be357d37e420fb180e

This broke the build on master. See b/17613910#comment17
for details.

This reverts commit ef1fd98b.

Change-Id: I11f7d463061a9b6340c11827135586266e26f016

This is used to persist RFC 7217 stable secrets across device reboots.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I4dad00fb189d697aceaffae49ad63987c7e45054

This reverts commit c147b592.

The new domain changed neverallows, breaking CTS compatability.
Revert the domain now, with the intention to re-add for the next
release.

Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005

This reverts commit c00c07c1.

Change-Id: I0c4f5e8cece9c48672a5210adb7e8427e4fd427a

This should improve performance, as file_contexts is slower than
genfs_contexts.

Bug: 62413700
Test: Built, flashed, and booted Marlin.  Verified that some of the
files have the correct context.
Change-Id: Ia28707ec565a0792bc882fbffe9e8ab9968535f5

Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b

This is to Allow commands like `adb shell run-as ...`.

Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2

It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Merged-In: I0f25682177115aacd5c2203ddc0008228b0380ad
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad
(cherry picked from commit 7aa08523)

It appears that selinux requires the write permission to receive
a writable pipe from dumpstate, for unclear reasons. Add the permission
for now.

Bug: http://b/62297059
Test: dumpstate
Change-Id: I0f25682177115aacd5c2203ddc0008228b0380ad

modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e)

modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: http://b/62297059
Test: mma
Merged-In: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc
(cherry picked from commit 17885f14)

Bug: http://b/62297059
Test: mma
Change-Id: Ibcd93e5554a9c2dd75fbfb42294fbc9b96ebc8cc

This reverts commit c147b592.

The new domain changed neverallows, breaking CTS compatability.
Revert the domain now, with the intention to re-add for the next
release.

Bug: 62102757
Test: domain is set to priv_app
Change-Id: I907ff7c513cd642a306e3eaed3937352ced90005

Modprobe requires this permission or the following denial will
prevent loading of signed kernel modules:

audit: type=1400 audit(27331649.656:4): avc:  denied  { search } for
pid=448 comm="modprobe" scontext=u:r:modprobe:s0 tcontext=u:r:kernel:s0
tclass=key permissive=0

Bug: 62256697
Test: Verified signed module loading on sailfish.
Change-Id: Idde41d1ab58e760398190d6686665a252f1823bb

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Merged-In: I29c4509304978afb2187fe2e7f401144c6c3b4c6
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6

Add policy changes to enable a new service. The service
is currently switched off in config, but this change is
needed before it could be enabled.

Bug: 31008728
Test: make droid
Change-Id: I29c4509304978afb2187fe2e7f401144c6c3b4c6

This is sometimes used for communication with the bootloader.

Bug: 62052545
Test: Build
Change-Id: I3ae37793407719e55ab0830129aa569c9018f7da

Bug: 38232801
Test: Build

Change-Id: Iccc16430e7502bb317f95bb2a5e2f021d8239a00

Bug: 38233550
Test: Build
Change-Id: I7c2105d5f215a60a611110640afff25fc3403559

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

(cherry picked from commit 11bfcc1e)

Change-Id: Icc60d227331c8eee70a9389ff1e7e78772f37e6f

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

Merged-In: I70a3e6e230268d12b454e849fa88418082269c4f
Change-Id: Ib4b73fc130f4993c44d96c8d68f61b6d9bb2c7d5

Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f

This reverts commit a015186f.

Bug: http://b/62101480
Change-Id: I8e889e3d50cf1749168acc526f8a8901717feb46

Test: pass
Bug: 62073522
Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792

Cutting down on the number of attributes associated with each type
speeds up policy lookup times when there is an access vector cache
miss.

This change cuts down on the number of attributes associate with
system_server from 19 to 8. The total number of attributes is
reduced from 159 to 64.

Bug: 36508258
Test: build and boot Marlin
Change-Id: I8cdb6fb783ded869e88c5a9868fd7c8f838190f9

vendor implementations need to be able to run modprobe as part of
init.rc scripts.  They cannot do so because of the strict neverallow
currently in place that disallows all coredomains (including init)
to execute vendor toybox.

Fix this by adding init to the exception list for the neverallow so
vendors can then run modprobe from .rc scripts and also add the rule to
allow init to transition to modprobe domain using vendor_toolbox.

Bug: b/38212864
Test: Boot sailfish

Change-Id: Ib839246954e9002859f3ba986094f206bfead137
Signed-off-by: Sandeep Patil <sspatil@google.com>