am: 327d7cb9

Change-Id: Ie9399516244e38f0c5f57205fe9f0da35aec8ba7

am: 35fd3212

Change-Id: I2f2fa16dc59bcd3f13ed9525a6f68bc87d26ab3b

Remove neverallow exemption allowing other processes to run in
the bluetooth app's selinux domain.

The bluetooth domain is intended to host the zygote spawned
bluetooth app. It is not intended to host other bluetooth related
processes. Please define new domains for these processes.

Test: build Marlin
Change-Id: I1fd3dd0fe85f73457d77b63a65b4307821cbd41c

am: 5684f61f

Change-Id: Ib0a65258afbe3828cd9d5e9921fc42893c729a5e

Allow the shell user to run tzdatacheck, which is required
to enable a new host side test.

This change also adds some additional checks to
tzdatacheck.te to ensure that OEMs opening up permissions
further don't accidentally create a security hole.

Bug: 31008728
Test: Ran CTS
Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36

am: 47061e59

Change-Id: I924bfbc908321e321ca464adf8017bd3e212450f

am: a61f7f60

Change-Id: I5a0ff1b9233deb5ab7a6f4eb63498bbbefc169b3

Bug: 37476041
Test: make, pair and connect to HID device
Change-Id: Ic7e81382994769e3f3a91255dcf3624edeaf6bfd

The PackageManager now passes previous code paths to dex2oat as shared
libraries. dex2oat needs extra permissions in order to access and open
the oat files of these libraries (if they were compiled).

Part of a multi-project change.

Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module
CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests

Merged-In: I7b9cfd7f3c3509f3e41f0590ab650bd85faab340
(cherry-picked from commit 1103f963)

Change-Id: I6d69d463af7a0a93391dd4b7edd5b700012ba58c

am: 9d46f9b4

Change-Id: Id3bd7d69bd07fafdf76453e52de01b2b5bb67472

This could be useful in diffs between policy versions.

Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131

am: 9f152d98

Change-Id: I1c319ac3558e5ff96072638dc4be97502da61056

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9

am: 5ab5cfba

Change-Id: I1fd254e6991d4d7f9afa6e36b26cc879c73fa6da

Encountered more denials on sailfish:

avc:  denied  { read } for  pid=439 comm="recovery" name="thermal"
dev="sysfs" ino=28516 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

avc:  denied  { read } for  pid=441 comm="recovery"
name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0

Bug: 36920500
Test: sideload a package in sailfish
Change-Id: Ib4e89ba48cdc383318e5f3b7b15f542434e43564

am: e453801d

Change-Id: I1568b0c66ebd5932dbc5da353c40dbff02ceab26

am: f3b5bd64

Change-Id: I7515097dc3c410fdf3544d72d9d99be772f62d0c

Remove domain_deprecated from bluetooth. This removes some unnecessarily
permissive rules.

Bug: 25433265
Test: All of the permissions being removed were being audited. Verify
      that no audited (granted) avc messages for bluetooth exist in
      in the logs.

Change-Id: Ifa12a0f1533edcb623bbb9631f88f1ff1d6d7085

These were previously in device specific sepolicies.
They should be in core sepolicy to reflect their
use by a core init file, init.usb.configfs.rc.

Addresses denial:

init    : type=1400 audit(0.0:135): avc: denied { unlink } for name="f1"
dev="configfs" ino=10923 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=0

Test: denial addressed
Change-Id: I869892f9d0c311b727462fb380f4160feb986215

These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()) This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
un-trusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0

am: 20fe64e7

Change-Id: Id1d70b14a7035d18b5bb6ef9720fc0b5689bb722

am: f6eb2ad6

Change-Id: Ica844c95214cdf8b26a94e261f1f7a0ed734083c

am: d16d039f

Change-Id: I9778cef84531cfbbdead89be2bfaa48e4c067891

This was marked deprecated in 2014 and removed in 2015, let's remove
the sepolicy now too.

Test: see that logging still works on bullhead

Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502

am: 9a3a6a81

Change-Id: If95f7f3f75f213549a15cdab969073a25b9776c3

With build/core eaa9d88cf, system_server should not be loading code
from /data. Add an auditallow rule to report violations.

Bug: 37214733
Test: Boot marlin, no SELinux audit lines for system_server.
Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521

Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

(cherry-pick of commit 6f14f6b7)

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303

The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtme API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

(cherry-pick of commit 42f95984)

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b

am: b7cb45f0

Change-Id: Ib1b8ae98f032e05a4053ef7184944033b2d1f9af

am: 462cf398

Change-Id: I12d310b90e6863a56c1fc269ce237e93864d88f8