  1. Apr 04, 2017
    • Allow wificond to find permission · 9282ef6b
      Ningyuan Wang authored
      This is used for wificond to check if it is allowed to dump logs.
      
      Bug: 31336376
      Test: compile, manual test
      Change-Id: I8a1b681255398f9a1f2cf79fd0891e58283aa747
  2. Apr 03, 2017
    • adbd/shell: grant access to sepolicy for cts · 892d1e40
      Jeff Vander Stoep authored
      Test: make cts && \
            cts-tradefed run singleCommand cts --skip-device-info \
            --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
            --module CtsSecurityHostTestCases \
            -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan
            Fails as expected.
      Bug: 36002573
      
      Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0
    • Add target for vndservice_contexts. · 6676c234
      Martijn Coenen authored
      So we can limit vndservicemanager access to
      just vndservice_contexts.
      
      Bug: 36052864
      Test: servicemanager,vndservicemanager work
      Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
    • Remove unused wificond sepolicy for dropping privileges · 9576785d
      Ningyuan Wang authored
      Bug: 36855921
      Test: compile, wifi works with toggling
      Change-Id: Ib0819a2d552472e482e192a69530441cfc2c0fd7
  3. Apr 01, 2017
    • Ban core components from accessing vendor data types · 50563c03
      Jeff Vander Stoep authored
      Vendor and system components are only allowed to share files by
      passing open FDs over HIDL. Ban all directory access and all file
      accesses other than what can be applied to an open FD such as
      ioctl/stat/read/write/append.
      
      This commit asserts that core components marked with attribute
      coredomain may only access core data types marked with attribute
      core_data_file_type.
      
      A temporary exemption is granted to domains that currently rely on
      access.
      
      (cherry picked from commit cd97e710)
      
      Bug: 34980020
      Test: build Marlin policy
      Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
    • Remove unused wificond sepolicy privileges · f3443ee7
      Ningyuan Wang authored
      Bug: 33239267
      Test: compile, run wifi, no selinux complaint for wificond
      Change-Id: I9b3e874381ac6cd7c6ff1058cc4f313bd85481b8
  4. Mar 31, 2017
    • Grant vdc access to kmsg · e9614833
      Tom Cherry authored
      Init is no longer calling vdc with logwrapper, so it must take care of
      logging to kmsg directly.
      
      avc: denied { write } for pid=367 comm="vdc" name="kmsg" dev="tmpfs" ino=11056 scontext=u:r:vdc:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
      
      Bug: 36278706
      Test: observe vdc logging in kmsg on boot and stderr on normal usage
      
      (cherry picked from commit bc4d3630)
      
      Change-Id: Id7bc2fa87518aa0678c09495267c9e198ca8c968
    • Add sepolicy for tv.input · c76e158c
      Shubang authored
      Test: build, flash; adb shell lshal
      Bug: 36562029
      Change-Id: If8f6d8dbd99d31e6627fa4b7c1fd4faea3b75cf2
    • domain: grant all domains access to zoneinfo · 5aebe512
      Jeff Vander Stoep authored
      /data/misc/zoneinfo is provided by libc and is considered to be
      VNDK stable. Grant read access to all domains and exempt from
      neverallow rules asserting no vendor access to core data types.
      
      Bug: 36730929
      Test: Marlin Policy builds
      Change-Id: I13766a661d6314f5393639fc20f1ab55d802f35f
    • Tighten restrictions on core <-> vendor socket comms · 2f6151ea
      Alex Klyubin authored
      This further restricts neverallows for sockets which may be exposed as
      filesystem nodes. This is achieved by labelling all such sockets
      created by core/non-vendor domains using the new coredomain_socket
      attribute, and then adding neverallow rules targeting that attribute.
      
      This has no effect on what domains are permitted to do. This only
      changes neverallow rules.
      
      Test: mmm system/sepolicy
      Bug: 36577153
      
      (cherry picked from commit cf2ffdf0)
      
      Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
    • VR: Add sepolicy for VR HWC service · 6907e39a
      Daniel Nicoara authored
      VR HWC is being split out of VR Window Manager. It creates a HW binder
      interface used by SurfaceFlinger which implements the HWComposer HAL and
      a regular binder interface which will be used by a system app to receive
      the SurfaceFlinger output.
      
      Bug: b/36051907
      Test: Ran in permissive mode and ensured no permission errors show in
      logcat.
      
      Change-Id: If1360bc8fa339a80100124c4e89e69c64b29d2ae
  5. Mar 30, 2017
    • Further lock down access to services from ephemeral apps · 7d01a99a
      Chad Brubaker authored
      This removes access to
      * contexthub_service
      * device_policy_service
      * ethernet_service
      * fingerprint_service
      * shortcut_service
      * trust_service
      * usb_service
      
      Test: cts-tradefed run commandAndExit cts-dev -m
      CtsAppSecurityHostTestCases -t
      android.appsecurity.cts.EphemeralTest
      Bug: 33349998
      
      Change-Id: Iad9302041d7674ae6ebeb1c559c64d13df62c304
    • update sepolicy for gralloc HAL · 9901ff7c
      Mathias Agopian authored
      the list to update was determined by looking
      at who currently has access to surfaceflinger
      for ipc and FD use.
      
      Test: try some media stuff
      Bug: 36333314
      Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d
    • runas: Grant access to seapp_contexts_file · 7d6185fe
      Jeff Vander Stoep authored
      Runas/libselinux needs access to seapp_contexts_file to determine
      transitions into app domains.
      
      Addresses:
      avc: denied { read } for pid=7154 comm="run-as" name="plat_seapp_contexts"
      dev="rootfs" ino=9827 scontext=u:r:runas:s0
      tcontext=u:object_r:seapp_contexts_file:s0 tclass=file
      
      Bug: 36782586
      Test: Marlin policy builds
      Change-Id: I0f0e937e56721d458e250d48ce62f80e3694900f
    • Further restrict access to Binder services from vendor · 0052bc69
      Alex Klyubin authored
      This tightens neverallows for looking up Binder servicemanager
      services from vendor components. In particular, vendor components,
      other than apps, are not permitted to look up any Binder services.
      Vendor apps are permitted to look up only stable public API services
      which is exactly what non-vendor apps are permitted to use as well.
      If we permitted vendor apps to use non-stable/hidden Binder services,
      they might break when core components get updated without updating
      vendor components.
      
      Test: mmm system/sepolicy
      Bug: 35870313
      
      Change-Id: I47d40d5d42cf4205d9e4e5e5f9d0794104efc28f
    • Disallow HAL access to Bluetooth data files · 1317b4ca
      Myles Watson authored
      Devices that store their BT MAC address in /data/misc/bluedroid/ need
      to find another place for that file.
      
      Bug: 36602160
      Test: Restart Bluetooth, check for selinux denials/files in /data/misc
      Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
    • Revert "Further restrict access to Binder services from vendor" · 43b48045
      Ian Pedowitz authored
      This reverts commit 5c09d123.
      
      Broke the build
      
      Bug: 35870313
      Test: source build/envsetup.sh && lunch marlin-userdebug && m -j40
      Change-Id: I71c968be6e89462fd286be5663933552d478f8bf
  6. Mar 29, 2017
    • Further restrict access to Binder services from vendor · 5c09d123
      Alex Klyubin authored
      This tightens neverallows for looking up Binder servicemanager
      services from vendor components. In particular, vendor components,
      other than apps, are not permitted to look up any Binder services.
      Vendor apps are permitted to look up only stable public API services
      which is exactly what non-vendor apps are permitted to use as well.
      If we permitted vendor apps to use non-stable/hidden Binder services,
      they might break when core components get updated without updating
      vendor components.
      
      Test: mmm system/sepolicy
      Bug: 35870313
      Change-Id: I949d62b3528cadb4bfe6f5985c25d1f497df0d5a
    • sepolicy: Add new wifi keystore HAL · 9af7c95f
      Roshan Pius authored
      Moving the wpa_supplicant interaction from the binder keystore service
      to the new wifi keystore HAL.
      
      Denials addressed:
      03-29 00:04:52.075   734   734 E SELinux : avc:  denied  { get } for
      pid=638 uid=1010 scontext=u:r:hal_wifi_keystore_default:s0
      tcontext=u:r:keystore:s0 tclass=keystore_key
      
      Bug: 34603782
      Test: Able to connect to wifi passpoint networks. Denials no longer
      seen.
      Change-Id: I97eb9a4aa9968056a2f1fcc7ce5509ceb62fd41e
    • tee domain is a vendor domain · 0f6c047d
      Alex Klyubin authored
      As a result, Keymaster and DRM HALs are permitted to talk to tee domain
      over sockets. Unfortunately, the tee domain needs to remain on the
      exemptions list because drmserver, mediaserver, and surfaceflinger are
      currently permitted to talk to this domain over sockets.
      
      We need to figure out why global policy even defines a TEE domain...
      
      Test: mmm system/sepolicy
      Bug: 36601092
      Bug: 36601602
      Bug: 36714625
      Bug: 36715266
      Change-Id: I0b95e23361204bd046ae5ad22f9f953c810c1895
    • Loosen system app data neverallows · f2e07765
      Alex Klyubin authored
      We don't want to prevent access from vendor platform apps to system app
      data. The issue with referencing system_app explicitly in
      neverallows is that vendor platform apps which need sandboxes similar to
      system_app cannot be placed under system_app without modifying the
      policy for all platform apps.
      
      Test: mmm system/sepolicy
      Change-Id: Ic0052602c31be4d74b02eeea129e2d8bfbd9c8d3
    • Allow MediaExtractor to create FileSource · 1c98fbf8
      Andy Hung authored
      W Binder:538_2: type=1400 audit(0.0:9): avc: denied { getattr } for path="/data/media/0/Qtc88.mp4" dev="dm-0" ino=678654 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=0
      
      W generic : type=1400 audit(0.0:9): avc: denied { read } for path="/data/media/0/Qtc88.mp4" dev="dm-0" ino=678654 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=0
      
      Test: Photos, Play Music, Play Movies, Youtube
      Bug: 29125703
      Change-Id: If84ab43b934944abf4c416db751ab6694835df83
    • mac_permissions: explicitly label all mac_permissions files · bb24f3ab
      Sandeep Patil authored
      
      *mac_permissions.xml files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' or 'rootfs' label.
      
      Bug: 36003167
      Test: no new 'mac_perms_file' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
            OTA update.
      Test: Launch 'chrome' and successfully load a website.
      Test: Launch Camera and take a picture.
      Test: Launch Camera and record a video, successfully playback recorded
            video
      
      Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc
      Signed-off-by: Sandeep Patil <sspatil@google.com>
    • sepolicy: explicitly label all sepolicy files · 136caa1b
      Sandeep Patil authored
      
      sepolicy files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' or 'rootfs' label.
      
      Bug: 36527360
      Test: no new 'sepolicy_file' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
            OTA update.
      Test: Launch 'chrome' and successfully load a website.
      Test: Launch Camera and take a picture.
      Test: Launch Camera and record a video, successfully playback recorded
            video
      
      Change-Id: I6fe8ba31588c2d75521c6e2b0bf7e6d6eaf80a19
      Signed-off-by: Sandeep Patil <sspatil@google.com>
    • seapp_context: explicitly label all seapp context files · 1e149967
      Sandeep Patil authored
      
      seapp_context files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' label.
      
      Bug: 36002414
      Test: no new 'seapp_context' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
            OTA update.
      Test: ./cts-tradefed run singleCommand cts --skip-device-info \
            --skip-preconditions --skip-connectivity-check --abi \
            arm64-v8a --module CtsSecurityHostTestCases -t \
            android.security.cts.SELinuxHostTest#testAospSeappContexts
      Test: Launch 'chrome' and successfully load a website.
      Test: Launch Camera and take a picture.
      Test: Launch Camera and record a video, successfully playback recorded
            video
      
      Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
      Signed-off-by: Sandeep Patil <sspatil@google.com>
    • file_context: explicitly label all file context files · c9cf7361
      Sandeep Patil authored
      
      file_context files need to be explicitly labeled as they are now split
      across system and vendor and won't have the generic world readable
      'system_file' label.
      
      Bug: 36002414
      Test: no new 'file_context' denials at boot complete on sailfish
      Test: successfully booted into recovery without denials and sideloaded
      OTA update.
      Test: ./cts-tradefed run singleCommand cts --skip-device-info \
             --skip-preconditions --skip-connectivity-check --abi \
             arm64-v8a --module CtsSecurityHostTestCases -t \
             android.security.cts.SELinuxHostTest#testAospFileContexts
      
      Change-Id: I603157e9fa7d1de3679d41e343de397631666273
      Signed-off-by: Sandeep Patil <sspatil@google.com>
    • service_contexts: label service_contexts explicitly · 939d16b5
      Sandeep Patil authored
      
      The label applies to all service_contexts regardless of their location.
      This also lets us track the service_contexts usage and limit access to
      the files for the corresponding object manager alone.
      
      Bug: 36002427
      Test: Boot sailfish and observe no denials for 'service_contexts'
      Test: cts-tradefed run singleCommand cts --skip-device-info \
                --skip-preconditions --skip-connectivity-check \
                --abi arm64-v8a --module CtsSecurityHostTestCases \
                -t android.security.cts.SELinuxHostTest#testAospServiceContexts
      
      Change-Id: I97fc8b24bc99ca5c00d010fb522cd39a35572858
      Signed-off-by: Sandeep Patil <sspatil@google.com>
    • prop_context: correctly label all property_context files · 54a42001
      Sandeep Patil authored
      
      split property context file in vendor and system were left untouched by
      the recent changes. This was working accidentally because they were
      still accessible to all domains as 'system_file'.
      
      Bug: 36002573
      Test: Boot sailfish to observe no new denials.
      Test: 'adb sideload' OTA on sailfish successfully
      
      Change-Id: I5bec058b59db83d2a431e9f7e91c5a09af7d2942
      Signed-off-by: Sandeep Patil <sspatil@google.com>
    • Fix warnings · edc53291
      Alex Klyubin authored
      Unescaped apostrophe is not permitted inside macros.
      
      Test: mmm system/sepolicy -- no warnings
      Bug: 34980020
      Change-Id: I893a41508d8b62975771967fd6e40e50d188c7c1
  7. Mar 28, 2017
    • Ban vendor components access to core data types · 4a478c47
      Jeff Vander Stoep authored
      Vendor and system components are only allowed to share files by
      passing open FDs over HIDL. Ban all directory access and all file
      accesses other than what can be applied to an open file:
      stat/read/write/append.
      
      This commit marks core data types as core_data_file_type and bans
      access to non-core domains with an exemption for apps. A temporary
      exemption is also granted to domains that currently rely on
      access with TODOs and bug number for each exemption.
      
      Bug: 34980020
      Test: Build and boot Marlin. Make phone call, watch youtube video.
            No new denials observed.
      Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
  8. Mar 27, 2017
    • Allow violators of "no Binder in vendor" access to /dev/binder · 2ab99a13
      Alex Klyubin authored
      In f5446eb1 I forgot to let violators
      of "no Binder in vendor" rule keep their access to /dev/binder. This
      commit fixes the issue.
      
      Test: mmm system/sepolicy
      Bug: 35870313
      Bug: 36657020
      Change-Id: I3fc68df1d78e2a2da94ac9bf036a51923e3a9aae
    • Ban socket connections between core and vendor · 2746ae68
      Alex Klyubin authored
      On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and
      vendor domain are not permitted to connect to each other's sockets.
      There are two main exceptions: (1) apps are permitted to talk to other
      apps over Unix domain sockets (this is public API in Android
      framework), and (2) domains with network access (netdomain) are
      permitted to connect to netd.
      
      This commit thus:
      * adds neverallow rules restricting socket connection establishment,
      * temporarily exempts the domains which are currently violating this
        rule from this restriction. These domains are grouped using the new
        "socket_between_core_and_vendor_violators" attribute. The attribute
        is needed because the types corresponding to violators are not
        exposed to the public policy where the neverallow rules are.
      
      Test: mmm system/sepolicy
      Bug: 36613996
      Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
  9. Mar 26, 2017
    • Grant kernel access to new "virtual_disk" file. · 3f724c95
      Jeff Sharkey authored
      This is a special file that can be mounted as a loopback device to
      exercise adoptable storage code on devices that don't have valid
      physical media.  For example, they may only support storage media
      through a USB OTG port that is being used for an adb connection.
      
      avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
      
      Bug: 34903607
      Change-Id: I84721ec0e9495189a7d850461875df1839826212
    • Define policy for "loop-control" device. · a8e0f76c
      Jeff Sharkey authored
      Per loop(4), this device is the preferred way of allocating new
      loop devices since Linux 3.1.
      
      avc: denied { read write } for name="loop-control" dev="tmpfs" ino=15221 scontext=u:r:vold:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
      
      Bug: 34903607
      Change-Id: I1f5f62cf0a1c24c6f6453100004812af4b8e1503
  10. Mar 25, 2017
  11. Mar 24, 2017
    • Mark all clients of Allocator HAL · 7cda44f4
      Alex Klyubin authored
      This change associates all domains which are clients of Allocator HAL
      with hal_allocator_client and the, required for all HAL client
      domains, halclientdomain.
      
      This enables this commit to remove the now unnecessary hwallocator_use
      macro because its binder_call(..., hal_allocator_server) is covered by
      binder_call(hal_allocator_client, hal_allocator_server) added in this
      commit.
      
      Unfortunately apps, except isolated app, are clients of Allocator HAL
      as well. This makes it hard to use the hal_client_domain(...,
      hal_allocator) macro because it translates into "typeattribute" which
      currently does not support being provided with a set of types, such as
      { appdomain -isolated_app }. As a workaround, hopefully until
      typeattribute is improved, this commit expresses the necessary
      association operation in CIL. private/technical_debt.cil introduced by
      this commit is appended into the platform policy CIL file, thus
      ensuring that the hack has effect on the final monolithic policy.
      
      P. S. This change also removes Allocator HAL access from isolated_app.
      Isolated app shouldn't have access to this HAL anyway.
      
      Test: Google Play Music plays back radios
      Test: Google Camera records video with sound and that video is then
            successfully played back with sound
      Test: YouTube app plays back clips with sound
      Test: YouTube in Chrome plays back clips with sound
      Bug: 34170079
      Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92
    • Vendor domains must not use Binder · f5446eb1
      Alex Klyubin authored
      On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
      apps) are not permitted to use Binder. This commit thus:
      * groups non-vendor domains using the new "coredomain" attribute,
      * adds neverallow rules restricting Binder use to coredomain and
        appdomain only, and
      * temporarily exempts the domains which are currently violating this
        rule from this restriction. These domains are grouped using the new
        "binder_in_vendor_violators" attribute. The attribute is needed
        because the types corresponding to violators are not exposed to the
        public policy where the neverallow rules are.
      
      Test: mmm system/sepolicy
      Test: Device boots, no new denials
      Test: In Chrome, navigate to ip6.me, play a YouTube video
      Test: YouTube: play a video
      Test: Netflix: play a movie
      Test: Google Camera: take a photo, take an HDR+ photo, record video with
            sound, record slow motion video with sound. Confirm videos play
            back fine and with sound.
      Bug: 35870313
      Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
  12. Mar 23, 2017
    • Allow bugreport to dump some HAL processes. · f20b04ef
      Steven Moreland authored
      Whitelist several hals which can be dumped by bugreports. Don't want to
      dump more because of the time it takes and also certain hals have
      sensitive data which shouldn't be dumped (i.e. keymaster).
      
      Test: dumps work for given hals
      Bug: 36414311
      Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22
    • Allow update_engine to kill postinstall process. · b74017d3
      Alex Deymo authored
      This fixes the following denial in O:
      
       update_engine: type=1400 audit(0.0:2100): avc: denied { sigkill } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=0
      
      Bug: 35111618
      Test: update_engine_client --cancel during postinstall
      Change-Id: I7456a95b5ca6fbdb268a5e16a13e2409758141f5
    • Allow hals to read hwservicemanager prop. · d3ce5dc3
      Steven Moreland authored
      Test: no relevant denials on marlin while booting
      Test: no relevant denials on angler while booting
      Bug: 36278706
      Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2