- Dec 15, 2016
-
Nick Kralevich authored
Merge "Enforce assumptions around metadata_block_device" am: 62f0b8ea am: 320e821e am: c6bcdbdf am: fb4f3617 Change-Id: I357f9d599e48bc9822b38fe092b7c3df20de279f
-
Nick Kralevich authored
am: c6bcdbdf Change-Id: Ic7045b9dbb99cda3edb30f47ed9ecdbf542da92e
-
Nick Kralevich authored
am: 320e821e Change-Id: I0bbb2bcc523e079650753f577f68b983b7086a39
-
Nick Kralevich authored
am: 62f0b8ea Change-Id: I5c0d607d92f7ba76e113f4c5aaf746e48ddd2718
-
dcashman authored
Bug: 31363362
Test: Bullhead and Sailfish both build and boot w/out new denials.
Change-Id: If6a451ddaab8c9b78a618c49b116a7ed766d0710
-
Treehugger Robot authored
-
Steven Moreland authored
am: 42899fbb -s ours Change-Id: I6f681385d2f0a02b6717826f0b91ef28319a2a95
-
Steven Moreland authored
am: c4ee4ca6 Change-Id: Ic57956bc6f897ea24584702a32bab52432e2d010
-
Steven Moreland authored
am: 5529f036 Change-Id: Ib9812cb072ad33e974dfb625fdaf421be01fea42
-
Steven Moreland authored
am: 5b8d87b2 Change-Id: I7e28e34027887dde44d2c160891117596133700d
-
Steven Moreland authored
-
Nick Kralevich authored
Add a compile time assertion that only authorized SELinux domains are allowed to touch the metadata_block_device. This domain may be wiped at will, and we want to ensure that we're not inadvertently destroying other people's data.

Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
-
TreeHugger Robot authored
-
Ajay Panicker authored
am: 737cb669 Change-Id: Iea952798d3bec8660e7e6fd8785429bd2927c6c6
-
Ajay Panicker authored
am: 88cd6584 Change-Id: Ibcc99353773b54744979c23e72e06abc5a9ef356
-
Ajay Panicker authored
am: a2d4d11a Change-Id: Ic7404b51c2f2e527b8c68d6d0aa01401312dde9b
-
Ajay Panicker authored
am: 27eb6492 Change-Id: Ifbea25c85e2eae67f0da3a9dfd19a1e6bb873c80
-
Ajay Panicker authored
am: cea7171f Change-Id: I54073aa11166a38b6d280e894ebbd459954ddedf
-
Ajay Panicker authored
am: 7a2107c1 Change-Id: I8ce6d21c0df0002fd0f0f62da3aafd9652a39f24
-
Steven Moreland authored
Bug: 32123421
Bug: 32905206
Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
-
Chad Brubaker authored
Merge "Allow binder IPC between ephemeral app and appdomain" am: 0046853f am: 377e50d7 am: 393b96e3 am: 8bc6e51d Change-Id: Iae7161bf31afd0b12aceb6b7a20427edf9568da0
-
Nick Kralevich authored
am: 3b7df33e Change-Id: Ifdae9d93e1926c330120440dcebefce5b0829243
-
Chad Brubaker authored
am: 393b96e3 Change-Id: Ib556294ff0b0a64db1088c5e790a3eec6dd4f58a
-
Chad Brubaker authored
am: 377e50d7 Change-Id: I405de2d676bf01053bf1e36049edd348675d183a
-
Chad Brubaker authored
am: 0046853f Change-Id: Ib21c9b4dad410270ef280786a7eca0db21069e88
-
Chad Brubaker authored
- Dec 14, 2016
-
Nick Kralevich authored
am: 1b0ec79f Change-Id: Ib4d85189639a4ef7228f9b8dd639b6a2eb59ea39
-
Nick Kralevich authored
am: 18f61a0f Change-Id: I05a0657ab76f1143f0fd808de7948bfc2e7b21f8
-
Nick Kralevich authored
am: bb9a3888 Change-Id: I6f9175baa166d7f8b887b12fbc6266e602f24173
-
Nick Kralevich authored
system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a number of new properties of the form:

    [ro.boottime.init]: [5294587604]
    [ro.boottime.InputEventFind]: [10278767840]
    [ro.boottime.adbd]: [8359267180]
    ...

These properties were assigned the default_prop SELinux label because a better label did not exist. Properties labeled with the default_prop label are readable to any SELinux domain, which is overly broad.

    bullhead:/ $ getprop -Z ro.boottime.adbd
    u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can apply more fine grain read access control to these properties.

    bullhead:/ $ getprop -Z ro.boottime.adbd
    u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a result, after this change, ro.boottime.* properties will only be readable to system_server, bootstat, init (because it manages the property space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d
-
Nick Kralevich authored
core_property_type is an attribute which was given to all existing properties known to core SELinux policy. Any property with this label is readable to all SELinux domains, which is overly broad. The long term goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties with the core_property_type attribute. Device specific properties, or new properties in core SELinux policy, should not have this attribute.

(cherry picked from commit d310df20)

Test: policy compiles
Bug: 33620117
Change-Id: I61d18c126bca722002f41a5cc4728318878f46c6
-
Chad Brubaker authored
Address denial

    type=1400 audit(0.0:42): avc: denied { call } for scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702
-
Nick Kralevich authored
Merge "Do not allow new additions to core_property_type" am: d57dd813 am: f13dcbb4 am: 5bfa8509 am: 47e2f081 Change-Id: I24705f584bc462f45c4400eab18decdbfa66dfda
-
Nick Kralevich authored
am: 5bfa8509 Change-Id: Idb6a5e42bff4bab0781db7bad1a497e9b2c169e5
-