Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Fixes: 65263013
Test: build
Merged-In: I0ec412481c5990927fcbee7c4303bee2da876210
Change-Id: I0a5b9a80e988fcd16a29807ed83b2c65bba9000f

Run-as is running a command under an app's uid and in its data
directory. That data directory may be accessed through a symlink
from /data/user. So give runas rights to read such a symlink.

Bug: 66292688
Test: manual
Test: CTS JVMTI tests
Change-Id: I0e0a40d11bc00d3ec1eee561b6223732a0d2eeb6

The following commits were cherry-picked from internal master to AOSP,
but to avoid merge-conflicts we'll do a large diff instead of individual
cherry-picks:
521742e9
9aefc916
3686efca
de51e7de
fff3fe2f

Bug: 37916906
Test: angler builds and boots.
Merged-In: Ie010cc12ae866dbb97c387471f433158d3b699f3
Change-Id: I5126ebe88b9c76a74690ecf95851d389cfc22d1f

Bug: 65643247
Test: device boots without denials from bootanim to sysfs and cgroup.
Change-Id: Icf8c45906cb83e1b0a60737d67ae584b9d1b34aa

Bug: 65643247
Test: device boots without denials from rild to proc.
Change-Id: I142a228347ef07266cb612e99c90fb5ec187988a

Bug: 65643247
Test: device boots without denials from bootstat to proc.
Change-Id: Ie31a0488239dbb1614fbcce07540d23afa805b0e

Bug: 65643247
Test: device boots without denials from bootanim to proc.
Change-Id: I0454a2bd4489d7816d82a299f5bc199d6a299ec0

Bug: 62945293
Test: instrumentation, VTS
Change-Id: I7e896b64bf0ee907af21d08f6b78561fadc7f0e3

Change-Id: I88e2887b0691ce3c5018578556abf7c420fe5a1b

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Test: after cherry-pick - it builds
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
(cherry picked from commit 567b947d)

Add series of neverallow rules to restrict components from reading or
writing bootloader_boot_reason_prop, system_boot_reason_prop and
last_boot_reason_prop to trusted set of domains.

The policy is that bootloader_boot_reason_prop (ro.boot.bootreason)
has a compliance issue due to the sheer momentum of near unparseable
content as filed by the wide variety (8000 different devices at last
count) bootloaders and is only to be accessible to a series of
responsible system components.  It can be inaccurate as it provides
no means to evaluate a shutdown, likely reporting "cold" (from
initial power up) or the more generic "reboot".

The last_boot_reason_prop (persist.sys.boot.reason) contains
inaccurate information as it is only valid after a controlled reboot
or shutdown.  The value can linger around after less controlled
scenarios.  Since the information could be false, we do not want to
support it as an open API, so we again block access to only
responsible components.

The system_boot_reason_prop (sys.boot.reason) is a canonical boot
reason that takes into account parsing bootloader_boot_reason_prop,
boot_loader_boot_reason_prop and other system and HAL generated hints
to determine a parseable and most accurate reason for the last time
the system was rebooted.

For now the policy for system_boot_reason_prop is to audit users of
the API, and on a need to know basis via device additions to the
selinux rules.  If vendors need their components to access the boot
reason, they need to comply first with CTS tests and spirit with
regards to controlled reboot messaging and in turn read the
system_boot_reason_prop for the canonical information.  It will
contain validated content derived from bootloader_boot_reason_prop
in the scenarios that count.

The controlled reboot APIs include:
- android_reboot(ANDROID_RB_<TYPE>, int flag, const char* reason)
- PowerManagerService.lowLevelShutdown(String reason);
- PowerManagerService.lowLevelReboot(String reason);
- ShutdownThread.shutdown(context, String reason, boolean confirm);
- ShutdownThread.reboot(context, String reason, boolean confirm);
- PowerManager.shutdown(boolean confirm, String reason, boolean wait);
- PowerManager.reboot(String reason);

Any others (including the direct linux reboot syscall) create
problems for generating an accurate canonical boot reason.

Test: compile
Bug: 63736262
Bug: 65686279
Change-Id: I2e5e55bbea1c383c06472eb2989237cfeb852030

* changes:
  Allow sensor hal to use wakelock
  Allow sensor to use gralloc handle and access ion device

labeled /proc/kmsg as proc_kmsg, changed logd's access from proc to
proc_kmsg, and added a compat mapping.

Bug: 65643247
Test: device boots without selinux denials to the newly introduced proc_kmsg
Test: logd-unit-tests passes

Merged-In: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e
(partial CP of commit 528da6fe)

Added permission related to use of wake lock. Wakelock in sensor
HAL is used to gurantee delivery of wake up sensor events before
system go back to sleep.

Bug: 63995095
Test: QCOM and nanohub sensor hal are able to acquire wakelock
      successfuly.

Change-Id: Id4ac3552e18a1cad252017e3dc9ab3d4be8d4ab9

Allow sensor hal to sue gralloc handle and access ion device
so that sensor direct report feature can function correctly when
HardwareBuffer shared memory is used.

Test: SensorDirectReportTest passes without setenforce 0

Change-Id: I2068f6f4a8ac15da40126892e1326e0b90a6576f
Merged-In: I2068f6f4a8ac15da40126892e1326e0b90a6576f

Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: I379567772c73e52f532a24acf640c21f2bab5c5b
(cherry picked from commit 6d1ecdcb)

Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: If92352ea7a70780e9d81ab10963d63e16b793792
(cherry picked from commit 5f573ab2)

Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

(Originally commited in a015186f)
(cherry-pick of commit: 3458ec13)

Bug: 37916906
Bug: 36574794
Bug: 62101480
Test: Builds and boots.
Change-Id: I83aa392f49bb412d96534925fb02921a8f4731fa

(cherry-pick of commit: 55c77504)

Bug: 37916906
Bug: 37896931
Test: none, just prebuilt update.
Change-Id: I55b5179f98703026699a59cce4b2e1afb166fd1d

More changes went into oc-dev after the freeze-date.  Reflect them.
(cherry-pick of commit: 148578a6)

Bug: 37916906
Bug: 37896931
Test: prebuilts - none.
Change-Id: I3300751ea7362d5d96b327138544be65eb9fc483

commit: 5c6a227e added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.
(cherry-pick of commit: 5e4e0d7f)

Bug: 37916906
Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f

Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.

(cherry-pick of commit: 5c6a227e)

Bug: 37896931
Bug: 37916906
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93

avc:  denied  { relabelto } for  pid=1 comm="init" name="misc" dev="tmpfs" ino=3855 scontext=u:r:init:s0 tcontext=u:object_r:misc_block_device:s0 tclass=lnk_file

If misc partition is used during early mount, it will carry a label of
tmpfs (instead of block_device), which will fail restorecon with the
above denial.

Bug: 65378733
Test: Build and flash a target that uses misc in early mount. No longer
      observe the above denial.
Change-Id: I44cd43dbd2a8a4f9f423ebc8ac0dd046b167ef72

On full Treble devices, servicemanager should only host services
served from processes on /system; nonplat_service_contexts
should not be created at all in this case.

Bug: 36866029
Test: Build marlin and make sure nonplat_service_contexts is not
      created.

Change-Id: Id02c314abbb98fc69884198779488c52231d22c3
Merged-In: Id02c314abbb98fc69884198779488c52231d22c3

This reverts commit 9216a6ad.

Bug: 65206688

Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf

Raw sockets usually imply advanced parsers that might
have flaws. If vold need such odd thing, force it to have
that in a other domain like filesystem checks. Debug
features like ptrace does not belong to vold.

Bug: 64791922
Test: Manual
Change-Id: I75c62d13f998621f80b2049bce0505442862bf0b

Hardening vold. Vold has much rights to system sensitive parts and
are started by init. Enforce this security.

Bug: 64791922
Test: Manual
Change-Id: I077d251d1eb7b7292e1a4a785093cb7bf5524a83