type=1400 audit(0.0:6): avc: denied { read } for comm="Thread-5"
name="cache" dev="dm-0" ino=13 scontext=u:r:system_server:s0
tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0

Bug: 64067152
Bug: 65843095
Test: build
Change-Id: Ie90c0343a834aa87b7ded41f503e05d9b63b3244
(cherry picked from commit a4cada74)

Particularly useful for suppressing selinux logspam for debug-only
permissions.

Bug: 65843095
Test: build, boot, and run tests on user and userdebug builds.
Change-Id: I18ce0b2cf1e96ca037e93309dddb476a150b677f

It's used in CTS neverallow tests.

Addresses:
Warning!  Type or attribute hal_cas_server used in neverallow
undefined in policy being checked.

Bug: 66910049
Test: build
Change-Id: Ia185f266fc1e3cb87c39939fdd45d02efa6c2c94
Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38

These are no longer necessary as domain_deprecated has been
removed in AOSP master.

Bug: 66749762
Test: build
Merged-In: I99953ecc7d275fdbe8e56d8f47a27d1f9e1cc09a
Change-Id: I01878a4410f8cb3c97ff96c67845dfaa7b0051ce

Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.

Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
      successfuly.

Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9
Merged-In: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9

Addresses:
junit.framework.AssertionFailedError: The following errors were
encountered when validating the SELinuxneverallow rule:
neverallow {   domain   -adbd   -dumpstate   -hal_drm -hal_cas -init
-mediadrmserver   -recovery   -shell   -system_server }
serialno_prop:file { getattr open read ioctl lock map };
Warning!  Type or attribute hal_cas used in neverallow undefined in
policy being checked.
libsepol.report_failure: neverallow violated by allow mediaextractor
serialno_prop:file { ioctl read getattr lock map open };
libsepol.report_failure: neverallow violated by allow mediacodec
serialno_prop:file { ioctl read getattr lock map open };
libsepol.report_failure: neverallow violated by allow hal_cas_default
serialno_prop:file { ioctl read getattr lock map open };
libsepol.check_assertions: 3 neverallow failures occurred

Bug: 65681219
Test: build
Change-Id: I2a6445d6372ee4e768cc2cea2140c6de97707a74
Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38

Allows groups to be mounted at /dev/memcg

Addresses:
avc: denied { associate } for comm="init" name="memcg"
scontext=u:object_r:cgroup:s0 tcontext=u:object_r:tmpfs:s0
tclass=filesystem permissive=0

Bug: 64067152
Test: build
Change-Id: Ic8f641e841fe09c8f7fd487ed67cf0ab4860a1cc

Currently lmkd is not able to read memcg info. The mem/swap usage
info are used by lmkd to ugrade medium pressure events to critical
level.

Test: tested on gobo
Bug: 65180281
Change-Id: I19d0eb53d5e754c176ffeda1b5d07049e6af8570

This reverts commit f27bba93.

Bug: 65206688

Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf

This reverts commit c12c7349.

Bug: 65206688

Change-Id: Ia2a04906f8585bf295b8c75e0b3d09490afb5d24

This reverts commit b5dd44b1.

Bug: 65206688

Change-Id: I00431ae7834a562e34e8959446d84a0077834091

screencap domain needs additional permissions for
dumpstate to dump screenshots.

Test: adb shell cmd activity bug-report
Bug: 65206688
Change-Id: I824f345fd90d286454d570576c5888d7719c4c5c

relax the sepolicy for media.metrics to allow access to
package manager for uid->packagename mapping functionality.

Bug: 65027506
Test: read output of 'dumpsys media.metrics'
Change-Id: I0d25af16c06dc65154cfda854e28ab70ada097c4

Before screencap was in its own domain, it was able to do
this by using all of shell's permissions.

The following denials are caused (along with times from running the below test command)
when screencap is invoked to write a file onto the sdcard:
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:23): avc: denied { read } for name="primary" dev="tmpfs" ino=19547 scontext=u:r:screencap:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file permissive=1
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:24): avc: denied { search } for name="/" dev="tmpfs" ino=19529 scontext=u:r:screencap:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=1
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:25): avc: denied { search } for name="user" dev="tmpfs" ino=19535 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=1
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:26): avc: denied { read } for name="primary" dev="tmpfs" ino=31198 scontext=u:r:screencap:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=lnk_file permissive=1
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:27): avc: denied { search } for name="/" dev="sdcardfs" ino=1310722 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:28): avc: denied { write } for name="image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:29): avc: denied { open } for path="/storage/emulated/0/image.png" dev="sdcardfs" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1
08-30 21:03:32.009  4986  4986 I screencap: type=1400 audit(0.0:30): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-30 21:03:32.582  4990  4990 I screencap: type=1400 audit(0.0:31): avc: denied { execute } for name="sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.582  4990  4990 I screencap: type=1400 audit(0.0:32): avc: denied { read open } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.582  4990  4990 I screencap: type=1400 audit(0.0:33): avc: denied { execute_no_trans } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.582  4990  4990 I sh      : type=1400 audit(0.0:34): avc: denied { getattr } for path="/system/bin/sh" dev="dm-0" ino=998 scontext=u:r:screencap:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
08-30 21:03:32.586  4990  4990 I sh      : type=1400 audit(0.0:35): avc: denied { ioctl } for path="socket:[57515]" dev="sockfs" ino=57515 ioctlcmd=5401 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1
08-30 21:03:32.586  4990  4990 I sh      : type=1400 audit(0.0:36): avc: denied { getattr } for path="socket:[57515]" dev="sockfs" ino=57515 scontext=u:r:screencap:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=1
08-30 21:03:32.589  4991  4991 I sh      : type=1400 audit(0.0:37): avc: denied { execute_no_trans } for path="/system/bin/am" dev="dm-0" ino=1178 scontext=u:r:screencap:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
08-30 21:03:32.739  4992  4992 I cmd     : type=1400 audit(0.0:38): avc: denied { call } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
08-30 21:03:32.739  4992  4992 I cmd     : type=1400 audit(0.0:39): avc: denied { use } for path="/dev/null" dev="tmpfs" ino=19514 scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=fd permissive=1
08-30 21:03:32.739  4992  4992 I cmd     : type=1400 audit(0.0:40): avc: denied { transfer } for scontext=u:r:screencap:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
08-30 21:03:32.741   575   575 E SELinux : avc:  denied  { find } for service=activity pid=4992 uid=2000 scontext=u:r:screencap:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
08-30 21:03:32.749   837   837 I Binder:837_9: type=1400 audit(0.0:41): avc: denied { call } for scontext=u:r:system_server:s0 tcontext=u:r:screencap:s0 tclass=binder permissive=1

If /data/media/ is deleted, the following denials also occur:
08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:43): avc: denied { search } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:44): avc: denied { read open } for path="/data/media/0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:48): avc: denied { write } for name="0" dev="sda45" ino=1310728 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:49): avc: denied { add_name } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:50): avc: denied { create } for name="image.png" scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:51): avc: denied { setattr } for name="image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-31 00:45:45.966  8899  8899 I screencap: type=1400 audit(0.0:53): avc: denied { write open } for path="/data/media/0/image.png" dev="sda45" ino=1310764 scontext=u:r:screencap:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
08-31 01:04:29.741  6625  6625 W screencap: type=1400 audit(0.0:23): avc: denied { write } for name="0" dev="sdcardfs" ino=655364 scontext=u:r:screencap:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0

Test: adb shell screencap -p /sdcard/phone.png
Bug: 65206688
Change-Id: I808429b25fa3118fef7931050ab757c9bcd61881

This is needed to retain app's previous access to
/sys/devices/system/cpu. When these files were previously
labeled in file_contexts, symlinks were labeled as
sysfs_devices_system_cpu. When labeling was moved to genfs_contexts
symlinks all have the default sysfs label.

avc: denied { getattr } for comm="main"
path="/sys/devices/system/cpu/cpu0/cpufreq" dev="sysfs" ino=41897
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0

Change-Id: Idaa565390bca13d3819e147fcea4214956c0f589
Bug: 64270911
Test: build aosp_marlin
(cherry picked from commit 8d021a94)

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e

Commit 780a71e7 changed ueventd's selinux label lookup from /dev/input/
to /dev/input which no longer matches the regex in core policy
file_contexts. Fix the regex to match /dev/input and /dev/input/.

avc: denied { read } for name="input" dev="tmpfs" ino=14092
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:device:s0
tclass=dir
avc: denied { open } for path="/dev/input" dev="tmpfs"
ino=14092 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=dir

Change-Id: I8f42f5cd96fc8353bf21d3ee6c3de9e2872f229f
Fixes: 64997761
Fixes: 64954704
Test: no camera HAL denials

This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/



Only, making sure we add the same map permissions for the vendor
directory.

Signed-off-by: John Stultz <john.stultz@linaro.org>

(cherry picked from commit 24537b2e)

Bug: 65011018
Test: policy compiles.
Change-Id: I4d0319011ef4ef043134bf299dc4823a6c418717

Configstore HAL uses a seccomp filter which blocks the standard
path of execing crash_dump to collect crash data. Add permission
to use crash_dump's fallback mechanism.

Allowing configstore to write to the socket provided by tombstoned
required either exempting configstore from a neverallow rule, or
removing the neverallow rule entirely. Since the neverallow rule
could potentially prevent partners for doing security hardening,
it has been removed.

Bug: 64768925
Bug: 36453956

Test: killall -ABRT android.hardware.configstore@1.1-service
    Results in a call stack in logcat, and tombstone in
    /data/tombstones
Test: configstore runs without crashing
Test: SANITIZE_TARGET="address coverage" make vts -j64
    vts-tradefedrun commandAndExit vts --skip-all-system-status-check \
    -primary-abi-only --skip-preconditions -l VERBOSE --module \
    VtsHalConfigstoreV1_0IfaceFuzzer

Change-Id: I1ed5265f173c760288d856adb9292c4026da43d6
(cherry picked from commit 9924d782)

Bug: 64982450
Test: manual
Change-Id: Ic5d25b8a12271e5bfa71e30843a36fb643b914ff

* changes:
  DO NOT MERGE: use 'expandattribute' for untrusted_app_visible_hwservice
  DO NOT MERGE: Add a way to allow untrusted_apps to talk to halserver domains
  DO NOT MERGE: Revert "Revert "Remove neverallow preventing hwservice access for apps.""

Bug: 62658302
Test: Boot device and observe no new denials

Change-Id: If9a21610897b14a419f276289818127412c29c55
Signed-off-by: Sandeep Patil <sspatil@google.com>

Vendor HAL extentsions are currently allowed to discover hardware
services that are labelled with 'untrusted_app_visible_hwservice'.
However, the policy doesn't allow these apps to talk to these services.
This CL makes sure that is now possible via the
'untrusted_app_visible_halserver' attribute for vendor domains that host
such a service.

Bug: 64382381
Test: Boot device and observe no new denials.

Change-Id: I1ffc1a62bdf7506a311f5a19acdab8c7caec902b
Signed-off-by: Sandeep Patil <sspatil@google.com>

Performanced needs to talk to the permission service to verify
permissions of clients to access certain restricted scheduler
policies.

Bug: 64337476
Test: performance_service_tests passes; logs do not contain avc
      denials for performanced -> permission service.

Change-Id: I31618ab1d3e79c3c10138d567b0f5606527020f9