- Jan 24, 2018
Janis Danisevskis authored
Bug: 63928580 Test: Manually tested. Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
-
- Jan 19, 2018
Badhri Jagan Sridharan authored
Bug: 63669128 Test: Checked for avc denial messages. Change-Id: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda Merged-In: I057b3cf9ccc945cb943b9cf60fc9cd6c023eddda
-
- Jan 16, 2018
Tri Vo authored
We use this attribute to annotate coredomains that execute vendor code in a Treble-violating way. Bug: 62041836 Test: sepolicy builds Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
-
- Oct 17, 2017
Jeff Vander Stoep authored
As part of Treble, enforce that the communication between platform and vendor components use the official hw binder APIs. Prevent sharing of data by file path. Platform and vendor components may share files, but only via FD passed over hw binder. This change adds the violators attribute that will be used to mark violating domains that need to be fixed. Bug: 34980020 Test: build Change-Id: Id9acfbbc86bfd6fd0633b8164a37ce94d25ffa2c
-
- Oct 02, 2017
Jeff Vander Stoep authored
Addresses: Warning! Type or attribute hal_drm_server used in neverallow undefined in policy being checked. Bug: 67296580 Test: Build Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38 Change-Id: I07f9825536637a21a91c77e87366861503f6ebac
-
- Sep 28, 2017
Dan Cashman authored
Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
-
- Sep 26, 2017
Dan Cashman authored
Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
-
- Sep 25, 2017
Jeff Vander Stoep authored
It's used in CTS neverallow tests. Addresses: Warning! Type or attribute hal_cas_server used in neverallow undefined in policy being checked. Bug: 66910049 Test: build Change-Id: Ia185f266fc1e3cb87c39939fdd45d02efa6c2c94 Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38
-
- Sep 15, 2017
Jeff Vander Stoep authored
Addresses:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { domain -adbd -dumpstate -hal_drm -hal_cas -init -mediadrmserver -recovery -shell -system_server } serialno_prop:file { getattr open read ioctl lock map };
Warning! Type or attribute hal_cas used in neverallow undefined in policy being checked.
libsepol.report_failure: neverallow violated by allow mediaextractor serialno_prop:file { ioctl read getattr lock map open };
libsepol.report_failure: neverallow violated by allow mediacodec serialno_prop:file { ioctl read getattr lock map open };
libsepol.report_failure: neverallow violated by allow hal_cas_default serialno_prop:file { ioctl read getattr lock map open };
libsepol.check_assertions: 3 neverallow failures occurred

Bug: 65681219
Test: build
Change-Id: I2a6445d6372ee4e768cc2cea2140c6de97707a74
Merged-In: I1092aff40da9dcf09bd044400bedd1f549eb7e38
-
Tomasz Wasilczyk authored
Bug: 63600413 Test: VTS, instrumentation, audit2allow Test: after cherry-pick - it builds Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e (cherry picked from commit 567b947d)
-
- Aug 28, 2017
Tomasz Wasilczyk authored
Bug: 63600413 Test: VTS, instrumentation, audit2allow Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e
-
- Aug 17, 2017
Sandeep Patil authored
Bug: 62658302 Test: Boot device and observe no new denials Change-Id: If9a21610897b14a419f276289818127412c29c55 Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Sandeep Patil authored
Vendor HAL extensions are currently allowed to discover hardware services that are labelled with 'untrusted_app_visible_hwservice'. However, the policy doesn't allow these apps to talk to these services. This CL makes sure that is now possible via the 'untrusted_app_visible_halserver' attribute for vendor domains that host such a service. Bug: 64382381 Test: Boot device and observe no new denials. Change-Id: I1ffc1a62bdf7506a311f5a19acdab8c7caec902b Signed-off-by: Sandeep Patil <sspatil@google.com>
-
- Aug 16, 2017
Sandeep Patil authored
This reverts commit ceed7204. New HAL services that are added in the policy while the CL was reverted are not made visible to applications by default. They are: hal_neuralnetworks_hwservice hal_wifi_offload_hwservice system_net_netd_hwservice thermalcallback_hwservice Bug: 64578796 Test: Boot device Change-Id: I84d65baddc757a5b0a38584430eff79a383aa8e0 Signed-off-by: Sandeep Patil <sspatil@google.com>
-
- Jul 25, 2017
Michael Butler authored
Bug: 63905942 Test: mm -j40 Change-Id: I354ee863475aedd2dc9d2b436a00bcd82931456f (cherry picked from commit 4fc5fb5e521347d65dc921f8c1fb751c66f9a92c)
-
- Jul 24, 2017
Jeff Vander Stoep authored
This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b (cherry picked from commit 76aab82c)
-
- Jul 19, 2017
Jeff Vander Stoep authored
Fixes: neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *; Warning! Type or attribute hal_audio used in neverallow undefined in policy being checked. hal_audio_client is not used in neverallows and was mistakenly marked as expandattribute false instead of hal_audio. Fix this. Bug: 63809360 Test: build policy Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest No more: Warning! Type or attribute hal_audio used in neverallow undefined in policy being checked. Change-Id: Iedf1b80f669f95537ed201cbdbb0626e7e32be81
-
- Jul 05, 2017
Jeff Vander Stoep authored
Change fb889f23 "Force expand all hal_* attributes" annotated all hal_* attributes to be expanded to their associated types. However some of these attributes are used in CTS for neverallow checking. Mark these attributes to be preserved. In addition, remove the hacky workaround introduced in oc-dev for b/62658302 where extraneous neverallow rules were introduced to prevent unused or negated attributes from being auto-expanded from policy. Bug: 62658302 Bug: 63135903 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest armeabi-v7a CtsSecurityHostTestCases completed in 4s. 501 passed, 0 failed, 0 not executed Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c
-
Jeff Vander Stoep authored
Change fb889f23 "Force expand all hal_* attributes" annotated all hal_* attributes to be expanded to their associated types. However some of these attributes are used in CTS for neverallow checking. Mark these attributes to be preserved. In addition, remove the hacky workaround introduced in oc-dev for b/62658302 where extraneous neverallow rules were introduced to prevent unused or negated attributes from being auto-expanded from policy. Bug: 62658302 Bug: 63135903 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest armeabi-v7a CtsSecurityHostTestCases completed in 4s. 501 passed, 0 failed, 0 not executed Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c
-
- Jun 21, 2017
Dan Cashman authored
This reverts commit 3e307a4d. Test: Builds - neverallow change only. Bug: 62806062 Change-Id: Id3aa1b425cf48fc8586890c9850a74594584922d
-
Dan Cashman authored
Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
-
- Jun 16, 2017
Chong Zhang authored
bug: 22804304 Change-Id: I7162905d698943d127aa52804396e4765498d028
-
- Jun 08, 2017
Jeff Vander Stoep authored
This will be enforced by build-time and CTS tests. Test: build policy Change-Id: Ie852fa59670969a2352a97be357d37e420fb180e
-
- Jun 07, 2017
Steven Moreland authored
This is dead code. Test: compile sepolicy on marlin + grep Change-Id: I852b9e8701140f1257510fb94676687e1e278991
-
- May 25, 2017
Jeff Vander Stoep authored
Cutting down on the number of attributes associated with each type speeds up policy lookup times when there is an access vector cache miss. This change cuts down on the number of attributes associated with system_server from 19 to 8. The total number of attributes is reduced from 159 to 64. Bug: 36508258 Test: build and boot Marlin Change-Id: I8cdb6fb783ded869e88c5a9868fd7c8f838190f9
-
- May 23, 2017
pkanwar authored
Update SE Policy to allow calls to and callbacks for the Tether Offload HAL HIDL binderized service. Bug: 38417260 Test: New functionality. So we don't have any tests. Change-Id: I2c95b290523c55c081afa1bca091f368559c9125
- May 18, 2017
Sohani Rao authored
Update SE Policy to allow calls to and callbacks from Wifi Offload HAL HIDL binderized service. Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987 and 66e27bf5 Bug: 32842314 Test: Unit tests, Manual test to ensure Wifi can be brought up and connected to an AP, ensure that Offload HAL service is running and that wificond can get the service handle by calling hwservicemanager. Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e
-
- May 17, 2017
Steven Moreland authored
This hidl service provides information about vsync and hotplug to vendor services which is required by at least some camera hal implementations. Test: VtsFwkDisplayServiceV1_0TargetTest Test: no denials Bug: 38311538 Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9
-
- May 15, 2017
Jeff Vander Stoep authored
This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
-
Alex Vakulenko authored
Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
-
- May 12, 2017
Andrew Scull authored
Bug: 35628284 Change-Id: I08877ac117212325b1259f7d90a4c0cb1dac2d9f Fix: 38233550 Test: Build and boot Merged-In: I4cdacb601e0eea1f5f0e721c568c7ee04298704f
-
Andrew Scull authored
Bug: 34766843 Change-Id: I5be615d818ecf999fec6514ce9b89ff6a7f13cd6 Fix: 38232801 Test: Build and boot Merged-In: Ice78aedfdbe82477a84252499a76dad37887fe6b
-
- May 11, 2017
Luke Song authored
Sensord move in ag/2106763 should be accompanied by corresponding sepolicy move of sensord-related files/declarations. Bug: 36996994 Test: Sailfish build shows no related permission errors Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
-
- May 10, 2017
Alex Vakulenko authored
Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
-
- Apr 24, 2017
Alex Klyubin authored
App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layers of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model.

HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already has, because these services run in the process of the client.

This commit thus introduces these two categories of HwBinder services in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
-
- Apr 15, 2017
Sandeep Patil authored
Temporary attribute (checked against in CTS) to point out vendor processes that run /system executables. These are currently only down to 2-3 of them that are related to telephony on sailfish. Bug: 36463595 Test: Build succeeds for sailfish Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \ --skip-device-info --skip-preconditions --skip-connectivity-check \ --abi arm64-v8a Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd Signed-off-by: Sandeep Patil <sspatil@google.com>
-
- Apr 14, 2017
Alex Klyubin authored
Test: mmm system/sepolicy Bug: 34980020 (cherry picked from commit 3cc6a959) Change-Id: I64c7275551e8e27d68072e8ec38c07b539989da0
-
- Apr 13, 2017
Alex Klyubin authored
Test: mmm system/sepolicy Bug: 34980020 Change-Id: I36547658a844c58fcb21bb5a0244ab6f61291736
-
- Apr 10, 2017
Andrew Scull authored
Bug: 35628284 Test: Boot and call HAL from system_server Change-Id: I4cdacb601e0eea1f5f0e721c568c7ee04298704f
-