Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102

Bug: 64131518
Test: Compile and flash the device, check whether service vendor.radio-config-hal-1-0 starts
Change-Id: Id728658b4acdda87748259b74e6b7438f6283ea5

Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53

Change-Id: I37695d6c952b313e641dd145aa1af1d02e9cc537

This fixes failing vts drm tests

bug:67675811

Test:vts-tradefed run commandAndExit vts -m VtsHalDrmV1_0Target
Change-Id: I2f7e1c97e8c70fc312ca3c2c901f0a9607b05e83

Test: Boot the device
Change-Id: Ia468941e78803edebe311c73f424a41ac1faeaee

Test: VTS
Bug: 69958777
Change-Id: I6db7dd9afc9c7f254a0233ff3144b02e48727038

Test: build
Bug: 63710530
Change-Id: I85cddfaf3ec004165040935f8723e9eed0ef7900

In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f

Sharing data folders by path will be disallowed because it violates
the approved API between platform and vendor components tested by
VTS. Move all violating permissions from core selinux policy to
device specific policy so that we can exempt existing devices from
the ban and enforce it on new devices.

Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
    and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye

Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e

Only getattr and read are necessary for lnk_file. Open violates a new
neverallow for separating system and vendor data.

Bug: 34980020
Test: Enroll fingerprint on Taimen
Change-Id: I9434afbd5b4ecc1ead9f0ba47c7582fb5a6c6bf0

This denial affects marlin as well

Test: The associated denials are properly tagged with this bug
Change-Id: Ie90f1ac8c9a930465d8b806d77c2975c5f046403

bug: 67029332
testing:
- build
- boot
- CTS MediaCasTest on Pixel2

Change-Id: I019e0156c67c84875310d630f8a8bec7aaa483a6

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.

Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
      successfuly.

Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9
Merged-In: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9

Bug: 62945293
Test: instrumentation, VTS
Change-Id: I7e896b64bf0ee907af21d08f6b78561fadc7f0e3

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Test: after cherry-pick - it builds
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
(cherry picked from commit 567b947d)

Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.

Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
      successfuly.

Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9

Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.

Test: SensorDirectReportTest passes without setenforce 0

Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f
Merged-In: I2068f6f4a8ac15da40126892e1326e0b90a6576f

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e

Add sepolicy for thermalserviced daemon, IThermalService binder
service, IThermalCallback hwservice, and Thermal HAL revision 1.1.

Test: manual: marlin with modified thermal-engine.conf
Bug: 30982366
Change-Id: I207fa0f922a4e658338af91dea28c497781e8fe9
(cherry picked from commit ec3b6b7e)

avc: denied { read write } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { setopt } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { getattr } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { create } for scontext=u:r:system_server:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket

Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
  ...
  Log:
    ...
    06-28 11:46:58.841 - SET master tether settings: ON
    06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
    06-28 11:46:58.853   816   947 I IPAHALService: IPACM was provided two FDs (18, 19)
    06-28 11:46:58.853  1200  1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I0c63bd2de334b4ca40e54efb9df4ed4904667e21

This reverts commit 57e9946f.

Bug: 62616897
Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
    not break.

Signed-off-by: Sandeep Patil <sspatil@google.com>

bug: 22804304

Change-Id: I7162905d698943d127aa52804396e4765498d028

This will be enforced by build-time and CTS tests.

Test: build policy
Change-Id: Ie852fa59670969a2352a97be357d37e420fb180e

modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 9e366a0e)

modprobe domain was allowed to launch vendor toolbox even if its a
coredomain. That violates the treble separation. Fix that by creating a
separate 'vendor_modprobe' domain that init is allowed to transition to
through vendor_toolbox.

Bug: 37008075
Test: Build and boot sailfish

Change-Id: Ic3331797691bb5d1fdc05a674aa4aa313e1f86b2
Signed-off-by: Sandeep Patil <sspatil@google.com>

Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
and 66e27bf5

Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.

Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b

Added rule:

/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0

Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58

Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.

Test: SensorDirectReportTest passes without setenforce 0

Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b84)

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80

Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5

Test: compiles
Bug: 37640900
Change-Id: Ia9960af9da880fd130b5fb211a054689e2353f1d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

This is a follow-up to cbc0d2bb which
introduced the typos.

Test: mmm system/sepolicy -- comments only change
Bug: 37640821
Change-Id: Ibe0eda0b3ee9bbfb1e33ef98f2e81267ec580e59

Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640821
Change-Id: I28c27b369268e75ab6b2d27bcb30b88acb2732e6

Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640900
Change-Id: I7c96dde15f74822a19ecc1b28665913b54b3973b

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31