am: cea7171f

Change-Id: I54073aa11166a38b6d280e894ebbd459954ddedf

am: 7a2107c1

Change-Id: I8ce6d21c0df0002fd0f0f62da3aafd9652a39f24

am: 393b96e3

Change-Id: Ib556294ff0b0a64db1088c5e790a3eec6dd4f58a

am: 377e50d7

Change-Id: I405de2d676bf01053bf1e36049edd348675d183a

am: 0046853f

Change-Id: Ib21c9b4dad410270ef280786a7eca0db21069e88

am: 1b0ec79f

Change-Id: Ib4d85189639a4ef7228f9b8dd639b6a2eb59ea39

am: 18f61a0f

Change-Id: I05a0657ab76f1143f0fd808de7948bfc2e7b21f8

am: bb9a3888

Change-Id: I6f9175baa166d7f8b887b12fbc6266e602f24173

system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d

Address denial type=1400 audit(0.0:42): avc: denied { call } for
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702

am: 5bfa8509

Change-Id: Idb6a5e42bff4bab0781db7bad1a497e9b2c169e5

am: f13dcbb4

Change-Id: Ife8946bdd99b4121b6ad80a21c345d9ee0af1777

am: d57dd813

Change-Id: I5e911f7d301ba8421184b80f485e043178f225fb

am: 2d5426ae

Change-Id: Iae51b513b88597b8837c869e93c67a58f52db2b1

am: 37f17c5b

Change-Id: I9f2147b904b48cfc6f6f898056e8ae3acd6d7aea

am: 16c889c5

Change-Id: Icfa43cb11246de34f6f8f3c96726bec67680c5ff

core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.

Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2

am: 5f50fd90

Change-Id: I643d05381fd866f43717dc37b55ad5beb589a2bc

am: 7724c229

Change-Id: I6e4ad94ec694f96c4685f33be090ce479a87b0fd

There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
android uses this permission.

Bug: 26901147

Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec

am: a95c52e3

Change-Id: Ibf4f702d4b7d1f86baa7550b8b76bb3b30aa81ca

am: c00252cd

Change-Id: I8d9e6337a1ec2a961a2694ad45ebde0c8b828123

Test: logging confirms service runs on boot
Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce
Signed-off-by: Connor O'Brien <connoro@google.com>

am: c94b1491

Change-Id: I4b127cc0ba7190d1d036c8e9f6cfefbc3ab8afc4

am: 1282df7c

Change-Id: I6f2fd95e1eeae204eed2c81a9b73bfe59ebe1cb7

Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579

am: 2bb33d81

Change-Id: I418745d1eb9f855a727dab2873a7aa2e52b7e3dd

am: a018b183

Change-Id: I34dfe5ee2a0e320276b69bc2ac407c46954e6237

am: 52da39d9

Change-Id: I7ebc5532d1047726472d9078ceba0fd755130593

The new domain wasn't fully tested, and it caused many regressions
on the daily build.  Revert back to using "priv_app" domain until we
can fully test and re-land the new domain.

Temporarily add the USB functionfs capabilities to priv_app domain
to keep remainder of MtpService changes working; 33574909 is tracking
removing that from the priv_app domain.

Test: builds, boots, verified UI and downloads
Bug: 33569176, 33568261, 33574909
Change-Id: I1bd0561d52870df0fe488e59ae8307b89978a9cb

am: 5dacc9cb

Change-Id: I8bb9ef7f143f408a55c26ca5ba1d3699af49f3f7

am: e2cebbee

Change-Id: I0edbcbf847ea08466a4e8bc0c3fb23c88c991e5e

am: 3a78d30b

Change-Id: Ie058e8370da10aa8124b6e2017a23a8f18804f80

am: 7bd89fbc

Change-Id: I57c4e27a7df0a9da8056f03d410952b0c54402a1

am: 84b299d2

Change-Id: I9f7a7c57926eb6f51ace0da458a0ac8d9316e9b2

am: 7f1b8ad8

Change-Id: I651a93f9363fbe73d47912fcb6c856f76bae5359

am: 0a807828

Change-Id: I77fd598970f1f4ab8c5b469405b6d3140b1b8dfd