am: ccbf463a

Change-Id: I018d3fc1f782b6d689c4231e5a2a350ea97a11cd

am: 262edc38

Change-Id: If843833a2fb22b92949b47a33bbd88777f4a54e5

am: 7ae1d237

Change-Id: Ic4a3c4df6966182cd133e4ba3f3dd89b8da84bfe

Previously we published appfuse mount points to apps and apps open
appfuse file by themselves. We changed the design and we don't allow
apps to access appfuse mount point. Instead system server opens a file
on appfuse mount points and passes FD to apps.

The change updates apps and system server policies to adopt new design.

Bug: 29970149
Test: None
Change-Id: I0b35fee9816f61565705eecb88a472754ccffdca

am: 828433c8

Change-Id: I60de6b63d1029afa3546f1f45dc5fedf45e188e4

New procfs file written by the system_server to communicate fg/bg
state of UIDs to switch the statistics counter sets used.

avc: denied { write } for name="set" dev="proc" ino=4026531862 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Test: builds, boots, counter sets updated
Bug: 34360629
Change-Id: I2efbfbba9e73f50ce50a80a3dffd3b14fa55c048

am: fa120106

Change-Id: Ie16d45133ca244b408098b11f23fa64d8d6a3fd2

Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I7881af8922834dc69b37dae3b06d921e05206564
Signed-off-by: Sandeep Patil <sspatil@google.com>

am: a058b569

Change-Id: If71062f721f57462d6238248e77b6189669847ab

This improves readability and consistency for HAL implementation
domains which have only one implementation.

Test: No change to policy according to sesearch
Test: No change to which types are associated with haldomain according to "sepolicy-analyze <sepolicy file> attribute haldomain"
Bug: 34180936
Change-Id: Ice599ea4971cdfbd8b835b1fd02ad1e14c7a0386

Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a
Signed-off-by: Sandeep Patil <sspatil@google.com>

am: f41d89eb

Change-Id: I8f32e2e80fc7bfc08ce9fe3655968a8d7dfc94e8

This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.

This follows the pattern used for appdomain, netdomain and
bluetoothdomain.

Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6

am: ddb52d82

Change-Id: I724ff53a9709d53c02091838166092b5264eb23e

This is to ensure that hal_audio can access memory shared by
audioserver.

Bug: 34261005
Change-Id: I84103b0d4692fd10afc56846fb116fec6a7b3dc7

am: 597a8a49

Change-Id: I1a055e9dea9317b719ba6bb467679f2e51818755

am: 14658c93

Change-Id: I8a5ac00a41c1b66c8339b9a79d48c87af00800eb

Move from fingerprintd to new fingerprint_hal and update SeLinux policy.

Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6

am: 953c4396

Change-Id: Ia67c8271cfd6641a117415d439ce1c75b63e2580

The following are the avc denials that are addressed:

avc: denied { call } for pid=889 comm="system_server"
scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0
tclass=binder permissive=0

avc: denied { call } for scontext=u:r:hal_gnss_default:s0
tcontext=u:r:system_server:s0 tclass=binder permissive=0

avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837
scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43"
ino=1837 scontext=u:r:hal_gnss_default:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug:31974439

Test: Checked that there no more related avc denial messages related to
the GNSS HAL in dmesg.

Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5

am: 9e7a5b0a

Change-Id: Ice41f3c804a4dd0aad058e39a2a8a0bcff80eb5a

It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.

/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.

Bug: 33347297
Test: The phone boots without any apparent log spam.

Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb

am: 926dc331

Change-Id: I0ea98702d907e04d0fe1f3af242e0ec4a0712582

Test: run a gtest in /data/nativetest/ with no permission denial
Change-Id: Id644ed7dbea59becaf84b6073c9144711ad07c10

am: d5db9de5

Change-Id: I47d4498737a339c3cc05296db19a79a591dbe0eb

am: 1b7512a1

Change-Id: I713efb431275bfc4307b43f35dbb44965ccc0a84

Bug: 34231014
Test: Boot angler to ensure no additional denials are reported.

Change-Id: Ic2372d55f7072c65e7ea17036a8eb40dc531d60e
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: http://b/34228376
Test: m
Change-Id: I1321ada1521bb3e3fd08105f1a41d519ee486683

am: 6730ee33

Change-Id: I02a0b5aa155e83eb200fbee0abfffe35bc8dedac

Test: builds
Bug: 32206268
Change-Id: I236105b029178f96da519c2295c66c686dcae7cb

am: fc0dc89d

Change-Id: Iabaad465fedc3b7d0cd2181bc379341a6e092b65

Bug: 31972505
Test: VTS test passes, Bluetooth starts/stops
Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08

am: dd70dfbe

Change-Id: I9bfb72a61bdd1eba21a1c4fb739a051330e6906e