This change did not make it into core sepolicy in time for O.
The revert allows devices to define these selinux policies in
vendor-specific sepolicy instead of core sepolicy. It is
necessary because:

1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results
   in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as
   net_stable_secret_vendor_prop) and applying it to
   persist.netd.stable_secret results in the device not booting
   due to attempting to apply two different contexts to the same
   property.

Lack of the sepolicy no longer breaks wifi connectivity now that
IpManager no longer considers failure to set the stable secret to
be a fatal error.

Once all interested devices have adopted the vendor sepolicy,
this policy can safely be reinstated by reverting said vendor
sepolicies in internal master.

This reverts commit abb1ba65.

Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709

rc-style powerctl has beem removed. Accordingly, asan_extract now
needs access to sys.powerctl directly.

(orginally commit: 82672089)

Bug: 36458146
Bug: 38241921
Test: Builds and boots.
Change-Id: I7d6e583f5e98b671986a2071abf157c86e288a10

CTS checks to make sure that the _contexts files on a device have
a superset of the AOSP entries.  This was removed due to concurrent
master and DR development.  Restore the entry to allow CTS to pass.

Bug: 38241921
Bug: 62348859
Test: Policy builds and is identical to oc-dev for prop ctxts.
Change-Id: I87ccbee7aadee57b8e46ede73280810362b618c0

This is used to persist RFC 7217 stable secrets across device reboots.

First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I0a609c724799a15b1926e62534c16810d34f2275

This broke the build on master. See b/17613910#comment17
for details.

This reverts commit ef1fd98b.

Change-Id: I11f7d463061a9b6340c11827135586266e26f016

This is used to persist RFC 7217 stable secrets across device reboots.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I4dad00fb189d697aceaffae49ad63987c7e45054

rc-style powerctl has beem removed. Accordingly, asan_extract now
needs access to sys.powerctl directly.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address SANITIZE_TARGET_SYSTEM=true
Change-Id: Ic65a858962b4b3dd613fdbfa09f93d21425bf892

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b743050)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7

Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6

Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7

 - compared to ro.boottime, this one does not pass time info

bug: 35178781
bug: 34274385
Test: reboot

Change-Id: I6a7bf636a3f201653e2890751d5fa210274c9ede

Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.

Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:

  * system_server
  * system_app (apps which run as UID=system)
  * netmgrd
  * radio

This change:

1) Removes read access to this property to everyone EXCEPT untrusted_app
and system_server.
2) Limit write access to system_server.

In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.

Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38

- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.

Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa

This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.

The reason is that some of these properties may leak persistent
identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472

ro.runtime.firstboot system property is only used internally by
system_server to distinguish between first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track individual
device. Thus apps should not have access to this property.

Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c

This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.

The reason for the restriction is that serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.

Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7

system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d

This property is never used.

Test: policy compiles
Change-Id: I43ace92950e1221754db28548031fbbfc0437d7a

Allow the system_server to change. Allow the zygote to read it as well.

Test: Have system_server set a property
Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Allow hwservicemanager to set properties starting with the prefix
"hwservicemanager."

b/31458381
b/31240290
Test: passing build and runtime tests

Change-Id: Id92e2170f52893bbf236987ee59383df2264952f
Signed-off-by: Iliyan Malchev <malchev@google.com>

Currently, we define 4 hardcoded init services to launch dumpstate with
different command-line options (since dumpstate must be launched by
root):

- bugreport
- bugreportplus
- bugreportwear
- bugreportremote

This approach does not scale well; a better option is to have just one
service, and let the framework pass the extra arguments through a system
property.

BUG: 31649719
Test: manual

Change-Id: I7ebbb7ce6a0fd3588baca6fd76653f87367ed0e5

(cherry picked from commit d3edd6b5)

Bug: 29278988
Change-Id: I199572377a6b5c33116c718a545159ddcf50df30

wificond would like to be able to set WiFi related properties
without access to the rest of the system properties.  Today,
this only involves marking the driver as loaded or unloaded.

avc: denied { write } for name="property_service" dev="tmpfs" ino=10100
scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0

Bug: 29579539
Test: No avc denials related to system properties across
      various WiFi events.

Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f
(cherry picked from commit 1ebfdd6a)

(cherry-pick from commit 68d67a0f)

shell, system_app and logd access granted on debug builds only

Add logd.logpersistd as well

Bug: 28936216
Bug: 28788401
Change-Id: Ib9648e8565cc0ea0077cf0950b0e4ac6fe0a3135

Bug: 28936216
Change-Id: I90dc7ca296dc5c9b6d13e7920ebb864981a112b5

wificond would like to be able to set WiFi related properties
without access to the rest of the system properties.  Today,
this only involves marking the driver as loaded or unloaded.

avc: denied { write } for name="property_service" dev="tmpfs" ino=10100
scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0

Bug: 29579539
Test: No avc denials related to system properties across
      various WiFi events.

Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f

Bug: 29278988
Change-Id: I199572377a6b5c33116c718a545159ddcf50df30

shell, system_app and logd access granted on debug builds only

Bug: 28936216
Change-Id: Ib9648e8565cc0ea0077cf0950b0e4ac6fe0a3135

Allow log.tag and persist.log.tag as log_tag_prop

Bug: 28942894
Change-Id: I05766b99b9535a79a39adc55cad004decd52956e

Also allow shell to set persist.log.tag.*

Bug: 28942894
Change-Id: Ifdb2c87871f159dd15338db372921297aea3bc6b

(Cherry picked from commit 38ac77e4)

This allows the shell user to control whether unprivileged access to
perf events is allowed.

To enable unprivileged access to perf:

    adb shell setprop security.perf_harden 0

To disable it again:

    adb shell setprop security.perf_harden 1

This allows Android to disable this kernel attack surface by default,
while still allowing profiling tools to work automatically. It can also
be manually toggled, but most developers won't ever need to do that if
tools end up incorporating this.

Bug: 29054680

Change-Id: Idcf6a2f6cbb35b405587deced7da1f6749b16a5f

This allows the shell user to control whether unprivileged access to
perf events is allowed.

To enable unprivileged access to perf:

    adb shell setprop security.perf_harden 0

To disable it again:

    adb shell setprop security.perf_harden 1

This allows Android to disable this kernel attack surface by default,
while still allowing profiling tools to work automatically. It can also
be manually toggled, but most developers won't ever need to do that if
tools end up incorporating this.

Bug: 29054680

Change-Id: Idcf6a2f6cbb35b405587deced7da1f6749b16a5f

On eng and userdebug builds (only), allow system server
to change the value of log.tag.WifiHAL. WifiStateMachine
will set this property to 'D' by default. If/when a user
enables "Developer options -> Enable Wi-Fi Verbose Logging",
WifiStateMachine change log.tag.WifiHAL to 'V'.

BUG=27857554
TEST=manual (see below)

Test detail
1. on user build:
   $ adb shell setprop log.tag.WifiHAL V
   $ adb shell getprop log.tag.WifiHAL
   <blank line>
   $ adb bugreport | grep log.tag.WifiHAL
   <11>[  141.918517] init: avc:  denied  { set } for property=log.tag.WifiHAL pid=4583 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:wifi_log_prop:s0 tclass=property_service permissive=0
   <11>[  141.918566] init: sys_prop: permission denied uid:2000  name:log.tag.WifiHAL
2. on userdebug build:
   $ adb shell getprop log.tag.WifiHAL
   $ <blank line>
   $ adb shell setprop log.tag.WifiHAL V
   $ adb shell getprop log.tag.WifiHAL
   V
3. on userdebug build with modified WifiStateMachine:
   $ adb shell getprop log.tag.WifiHAL
   D

Change-Id: I9cdd52a2b47a3dd1065262ea8c329130b7b044db

Restrict the ability of the shell to set the log.*
properties. Namely: only allow the shell to set
such properities on eng and userdebug builds.

The shell (and other domains) can continue to
read log.* properties on all builds.

While there: harmonize permissions for log.* and
persist.log.tag. Doing so introduces two changes:
- log.* is now writable from from |system_app|. This
  mirrors the behavior of persist.log.tag, which is
  writable to support "Developer options" ->
  "Logger buffer sizes" -> "Off".
  (Since this option is visible on user builds, the
  permission is enabled for all builds.)
- persist.log.tag can now be set from |shell| on
  userdebug_or_eng().

BUG=28221972
TEST=manual (see below)

Testing details
- user build (log.tag)
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag
  <blank line>
  $ adb bugreport | grep log.tag.foo
  [  146.525836] init: avc:  denied  { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0
  [  146.525878] init: sys_prop: permission denied uid:2000  name:log.tag.foo
- userdebug build (log.tag)
  $ adb shell getprop log.tag.foo
  <blank line>
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag.foo
  V
- user build (persist.log.tag)
  $ adb shell getprop | grep log.tag
  <no match>
  - Developer options -> Logger buffer sizes -> Off
  $ adb shell getprop | grep log.tag
  [persist.log.tag]: [Settings]
  [persist.log.tag.snet_event_log]: [I]

Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75

Bug: 28008032
Change-Id: I29e076ee9c62a0fb3b386f79509935a1961f95e1

Change-Id: I0c0bce9cd50a25897f5c4521ee9b4fada6648a59

Bug: 26902605
Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7
(cherry picked from commit 9c168711)

Bug: 26902605
Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7