* changes:
  allow to load kernel modules from vendor partition
  SELinux changes for Treble Loadable Kernel Module

The kernel  modules under /vendor partition has been relabeled to vendor_file.
This CL allows for the modprobe to load modules labeled vendor_file.

Kernel modules are loaded in init.rc with following commands:
    exec u:r:modprobe:s0 -- /system/bin/modprobe -d /vendor/lib/modules MODULE

Bug: 35653245
Test: tested on sailfish
Change-Id: I2132ca4de01c5c60476dad8496e98266de5a1bb7

This reverts commit 97848f05.

Reason for revert: b/37218817

Change-Id: I3280be8873d60d66852b4f01f4af4eeaee6b5502

audioserver uses an always-passthrough Allocator HAL (ashmem / mapper)
whose .so is loaded from /system/lib64/hw.

Test: Modify hal_client_domain macro to not associate client of X HAL
      with hal_x attribute. Play Google Play Movies move -- no denials
      and AV playback works.
Bug: 37160141

Change-Id: I7b88b222aba5361a6c7f0f6bb89705503255a4b1

Test: mmm system/sepolicy -- no warnings
Bug: 3716915
Change-Id: I76886c2d09a70cbe6dc707dd0599217407bb63f7

Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303

Renderscript drivers are loaded from /vendor/lib64 by following the
/system/vendor symlink. This change fixes a couple of things.
- Allows all domains access to follow the symlink
- Restores app domain permissions for /vendor for non-treble devices
- Allow app domains to peek into /vendor/lib64, but NOT grant 'execute'
  permissions for everything. Since RS drivers can be loaded into any
  process, their vendor implementation and dependencies have been
  marked as 'same process HALs' already.

Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
      ./cts-tradefed run cts -m CtsRenderscriptTestCases \
      --skip-device-info --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a
      Result: Tests Passed: 743 Tests Failed: 0

Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: Sandeep Patil <sspatil@google.com>

This change extends the recovery mode modprobe sepolicy
to support loadable kernel module in normal mode by using
statement below in init.rc:

exec u:r:modprobe:s0 -- /system/bin/modprobe \
    -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish  with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae
(cherry picked from commit b638d949)

The concept of VNDK-stable set is gone because they no longer need to be
stable across several Android releases. Instead, they are just small set
of system libraries (other than Low-Level NDK) that can be used by
same-process HALs. They need to be stable only during an Android release
as other VNDK libraries. However, since they are eligible for double
loading, we still need to distinguish those libs from other VNDK
libraries. So we give them a name vndk-sp, which means VNDK designed for
same-process HALs.

Bug: 37139956
Test: booting successful with vndk-sp libs in /vendor/lib(64)?/vndk-sp
Change-Id: I892c4514deb3c6c8006e3659bed1ad3363420732

http://ag/2070347 doesn't allow zygote to read vendor_overlay_file:file
anymore.
But zygote isn't transitioned into idmap when executing idmap_exec. So
we need to allow zygote to access dir/file under /vendor/overlay to
enable idmap_exec run by zygote to read static RRO.

Test: building succeeded and tested a static RRO on sailfish device.
Bug: 37173452
Change-Id: Iec8a6b31d24c225f7819eeb885305f78da73b8e0

Add read rights for du.

Bug: 30832951
Test: m
Change-Id: I1186ff995684844e9c6092b5ae65c19172fefbbe

The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b

CTS includes general_sepolicy.conf built from this project. CTS then
tests this file's neverallow rules against the policy of the device
under test. Prior to this commit, neverallow rules which must be
enforced only for Treble devices we not included into
general_sepolicy.conf. As a result, these rules were not enforced for
Treble devices.

This commit fixes the issue as follows. Because CTS includes only one
policy, the policy now contains also the rules which are only for
Treble devices. To enable CTS to distinguish rules needed for all
devices from rules needed only on Treble devices, the latter rules are
contained in sections delimited with BEGIN_TREBLE_ONLY and
END_TREBLE_ONLY comments.

This commit also removes the unnecessary sepolicy.general target. This
target is not used anywhere and is causing trouble because it is
verifying neverallows of the policy meant to be used by CTS. This
policy can no longer be verified with checkpolicy without
conditionally including or excluding Treble-only neverallows.

Test: mmm system/sepolicy
Test: Device boots -- no new denials
Bug: 37082262
Change-Id: I15172a7efd9374543ba521e17aead1bdda7451bf

We want to track temperature metrics during an OTA update.

denial message:
denied  { search } for  pid=349 comm="recovery" name="thermal"
dev="sysfs" ino=18029 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

denied  { read } for  pid=326 comm="recovery" name="temp"
dev="sysfs" ino=18479 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0

Bug: 36920500
Bug: 32518487
Test: temperature logs on angler
Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e
(cherry picked from commit 3da2f21f)

darwin's getopt() doesn't like putting arguments
in the wrong order.

Test: Mac/Linux builds
Change-Id: If632e9077c1b5714f91c5adaa04afb4963d9b0f5

We should give appdomain the access to the /vendor/framework directory
since the jar in the directory is not dexopt-ed.AFAIK, jars which are
not in the bootclasspath are not dexopt-ed by default.

Bug: b/37129319
Test: built and confirmed that embms.apk not crashed

Change-Id: Ic2b1eef472f2fba53e26403dde8ad9ede8105a03

* changes:
  Allow 'su' domain access to vndbinder.
  Modify checkfc to check (vnd|hw)service_manager_type.

Vndk-stable libs are system libs that are used by same process HALs.
Since same process HALs can be loaded to any process, so are vndk-stable
libs.

Bug: 37138502
Test: none, because the directory is currently empty and thus this is
no-op. sailfish builds and boots.

Change-Id: I67a2c8c2e4c3517aa30b4a97dc80dc2800e47b5a

Bug: 36562029
Test: m -j40 and CEC functionality works well
Change-Id: I5a693e65abdd5139a848d939149a475056cc41e8

For example, for listing vndbinder services
using 'adb shell service -v list'

Test: adb shell service -v list
Bug: 36987120
Change-Id: Ibf3050710720ae4c920bc4807c9a90ba43717f3b

added checkfc options 'l' and 'v' to verify hwservice_manager_type
and vndservice_manager_type on service context files, respectively.

The checkfc call to verify the new hwservice_contexts files will
be added together with hwservicemanager ACL CLs later.

Bug: 34454312
Bug: 36052864
Test: device boots, works
Change-Id: Ie3b56da30be47c95a6b05d1bc5e5805acb809783

* changes:
  sepolicy: fix comments around 'domain' access to search in /vendor
  sepolicy: remove redudant rule for symlinks in /vendor/app
  sepolicy: restrict access for /vendor/framework.
  sepolicy: restrict /vendor/overlay from most coredomains
  sepolicy: restrict /vendor/app from most coredomains

Some of the same process HAL labeling was missing from Marlin.
These are identified by tracking library dependencies.

Bug: 37084733
Test: Build and boot sailfish. The change allows the labelled libraries
      to be opened by any domain. So, the boot test is sufficient.

Change-Id: Id55e834d6863ca644f912efdd690fccb71d3eaf3
Signed-off-by: Sandeep Patil <sspatil@google.com>

Effectively removes TODOs and finalizes the initial solution to allow
all domains access to 'vendor_file'.

Bug: 36681074
Test: Build and boot sailfish (no policy changes in the CL)

Change-Id: I50c05e20175c5273b34901809d967dd3e48bdb0e
Signed-off-by: Sandeep Patil <sspatil@google.com>

All accesses to /vendor/app within platform include permissions to read
symlinks in the location. This rule is redundant now.

Bug: 36806861
Test: Boot sailfish and find no denials for 'vendor_app_file'

Change-Id: Ic17a67521cff6717d83b78bb4ad8e21e772f6d4f
Signed-off-by: Sandeep Patil <sspatil@google.com>

/vendor/framework is now designated location for vendor's platform
libraries. The directory is thus only made available for 'dex2oat'
coredomain.

Bug: 36680116
Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for
      'vendor_framework_file'

Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa
Signed-off-by: Sandeep Patil <sspatil@google.com>