- Aug 08, 2017
-
-
TreeHugger Robot authored
-
Dan Cashman authored
Commit: 2490f1ad meant to add thermalserviced_tmpfs to the new_object list in the mapping file, but copy-paste error resulted in thermalserviced_exec_tmpfs being recorded instead. Fix this.
(cherry-pick of commit: fbacc656)
Bug: 62573845
Test: None. prebuilt change.
Change-Id: Iab4eaef04742187d6397a539aae854651caa9935
-
TreeHugger Robot authored
-
- Aug 04, 2017
-
-
Todd Kennedy authored
A new API [getNamesForUids] was recently added to the PackageManager and this API needs to be accessible to native code. However, there were two constraints:
1) Instead of hand-rolling the binder, we wanted to auto generate the bindings directly from the AIDL compiler.
2) We didn't want to expose/annotate all 180+ PackageManager APIs when only a single API is needed.
So, we chose to create a parallel API that can be used explicitly for native bindings without exposing the entirety of the PackageManager.
Bug: 62805090
Test: Manual
Test: Create a native application that calls into the new service
Test: See the call works and data is returned
Change-Id: I0d469854eeddfa1a4fd04b5c53b7a71ba3ab1f41
-
Dan Cashman authored
Commit: ec3b6b7e added a new daemon and corresponding types to sepolicy. The explicitly declared types were added to 26.0.ignore.cil to reflect the labeling of new objects, but another type, thermalserviced_tmpfs was created by macro and was missed in code review. Add it as well.
Bug: 62573845
Test: None. prebuilt change.
Change-Id: Ia8968448eea0be889911f46fe255f581659eb548
(cherry picked from commit 2490f1ad)
-
Todd Poynor authored
Add sepolicy for thermalserviced daemon, IThermalService binder service, IThermalCallback hwservice, and Thermal HAL revision 1.1.
Test: manual: marlin with modified thermal-engine.conf
Bug: 30982366
Change-Id: I207fa0f922a4e658338af91dea28c497781e8fe9
(cherry picked from commit ec3b6b7e)
-
- Aug 02, 2017
-
-
Philip P. Moltmann authored
-
TreeHugger Robot authored
* changes:
  Fix CoredomainViolators typo and clean up test option parsing.
  Record hal_wifi_offload_hwservice type for compatibility.
-
- Aug 01, 2017
-
-
Ruchi Kandoi authored
am: 0393dafd Change-Id: Ida00cdf24a809888233ede97a83d42ed5c1a8574
-
Ruchi Kandoi authored
type=1400 audit(1501520483.066:14): avc: denied { write } for pid=3330 comm=4173796E635461736B202331 name="property_service" dev="tmpfs" ino=10749 scontext=u:r:nfc:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0
Test: No sepolicy denials
Bug: 64010793
Change-Id: I8d73e8e19cd4d0a8c61f1f184820c53e5cc2b6d6
(cherry picked from commit df964950)
-
- Jul 31, 2017
-
-
Dan Cashman authored
Test: Run test suite with no tests, CoredomainViolators, CoredomainViolations, and multiple tests arguments specified.
Change-Id: Ibad30515b32eb4e1e83c8ab157c21ce4ab01365b
-
Dan Cashman authored
Commit: 5aef6a94 added a new type, system_net_netd_hwservice, for a new hwservice. Record this in the compatibility infrastructure as labeling a new object, rather than relabeling one from O.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: If360eb9e05684d9b47316d53e494aa773485e93f
-
Dan Cashman authored
Commit: 3eed3eac added the compatibility statement for the new mediaprovider app domain, but it missed another new, private type, mediaprovider_tmpfs, that is automatically created for all appdomains. It replaces priv_app_tmpfs, but since both types are private, they do not need to be added to the actual mapping (vendor policy cannot use it).
Bug: 62573845
Test: None. Prebuilt-only change.
Change-Id: I62229a5be74cd928fe0ca82a45b73cb61d6f5223
-
Dan Cashman authored
Commit: 632bc494 added hwservice labeling and was cherry-picked to oc-dev, but the hal_wifi_offload_hwservice type was not part of the cherry-pick because the service was not in oc-dev. Record the type for compatibility purposes.
Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: Ib2c0fe862eddb566fbe6b0287238fa93dddae7b8
-
Niranjan Pendharkar authored
am: 23b986ce Change-Id: I1bc8e3375fce75763efb8ba369715146a33f106b
-
TreeHugger Robot authored
-
- Jul 28, 2017
-
-
Philip P. Moltmann authored
Bug: 37281396
Test: cts-tradefed run cts-dev -m CtsContentTestCases --test=android.content.pm.cts.InstallSessionTransferTest
Change-Id: If2094057d1acfbbf007ae108225decd9ad70e459
-
TreeHugger Robot authored
-
Niranjan Pendharkar authored
This hidl service provides functionality for oem networking configuration to vendor services which is required by at least some vendor radio modules.
Test: VtsHalNetNetdV1_0TargetTest, netd_integration_test, netd_unit_test
Test: no denials
Bug: 36682246
Change-Id: I86ac9082166b406b2fc814972375ba737460ad7b
-
Tim Kryger authored
avc: denied { read } for pid=1704 comm="top" name="stat" dev="proc" ino=4026532297 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_stat:s0 tclass=file permissive=0
avc: denied { read } for pid=1636 comm="dumpstate" name="lcd-backlight" dev="sysfs" ino=16592 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=lnk_file permissive=0
avc: denied { call } for pid=2230 comm="dumpsys" scontext=u:r:dumpstate:s0 tcontext=u:r:installd:s0 tclass=binder permissive=0
avc: denied { create } for pid=1700 comm="ip" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_xfrm_socket permissive=0
Bug: 62410287
Bug: 35350306
Change-Id: I65be3678c64214ebeb544e0e155bce88b21adf02
Signed-off-by: Tim Kryger <tkryger@google.com>
(cherry picked from commit b7e1f2dd)
-
Jeff Vander Stoep authored
am: 427a0c7b -s ours Change-Id: I2716725d186d6660b5a1390224fe5c06669d6485
-
Jeff Vander Stoep authored
am: faaf86bc Change-Id: I546b7be93591d638ad82978aca5f4823e7b6ab93
-
Jeffrey Vander Stoep authored
-
- Jul 27, 2017
-
-
Jeff Vander Stoep authored
Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder.
Bug: 36682246
Test: build
Merged-In: I8e558ea1add6c36b966ec1da204062ea82df3f3f
Change-Id: I063df6dded94d8b0f5214b2c94c4f46bdafb03d7
-
Jeff Vander Stoep authored
Relax neverallow rule restricting binder access to/from netd so that netd can export hwbinder services to vendor components. Continue to disallow app access to netd via binder.
Bug: 36682246
Test: build
Change-Id: I8e558ea1add6c36b966ec1da204062ea82df3f3f
(cherry picked from commit 07c650eb)
-
- Jul 26, 2017
-
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
Addresses:
avc: denied { find } for interface=android.hardware.configstore::ISurfaceFlingerConfigs pid=603 scontext=u:r:bootanim:s0 tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0 tclass=hwservice_manager permissive=0
Bug: 64067152
Test: build
Change-Id: I0605ab8ba07a46a3dc6909307e6f0b2fde68a7ba
-
- Jul 25, 2017
-
-
Michael Butler authored
Bug: 63905942
Test: mm -j40
Change-Id: I354ee863475aedd2dc9d2b436a00bcd82931456f
(cherry picked from commit 4fc5fb5e521347d65dc921f8c1fb751c66f9a92c)
-
- Jul 20, 2017
-
-
Josh Gao authored
Allow mediacodec/mediaextractor to write to system_server pipes during ANR dumps.
Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201
(cherry picked from commit 3c9b9197)
-
- Jul 19, 2017
-
-
Jeff Vander Stoep authored
runas: grant access to seapp_contexts files
am: dcec3ee9 -s ours
am: 0da855ab -s ours
am: 18e75e3a -s ours
am: faf0504a -s ours
Change-Id: I8da56e4bda1a86b9631b5936378ad44f4036fec2
-
Jeff Vander Stoep authored
am: 18e75e3a -s ours Change-Id: I22ef22f0146170e03a02b72f668e62067ad448af
-
Jeff Vander Stoep authored
am: 0da855ab -s ours Change-Id: Ib03ffbf671ea4e48eb3e1f6fb0045c2bc33570dc
-
Jeff Vander Stoep authored
am: dcec3ee9 -s ours Change-Id: Id04fb68971510d089e4fcd53fa24b77a1e9cd760
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
To be replaced by commit 1e149967 seapp_context: explicitly label all seapp context files
Test: build policy
Change-Id: I8d30bd1d50b9e4a55f878c25d134907d4458cf59
Merged-In: I0f0e937e56721d458e250d48ce62f80e3694900f
-
Jeff Vander Stoep authored
am: 3e6d842d Change-Id: I42d9ebc6231932c6e5289ad2e9e4301c256f0036
-
Jeff Vander Stoep authored
am: 89f215e6 Change-Id: I6126315b398b2f66a5a7d9c98a8d9630c01314a7
-
Jeff Vander Stoep authored
Fixes:
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
Warning! Type or attribute hal_audio used in neverallow undefined in policy being checked.
hal_audio_client is not used in neverallows and was mistakenly marked as expandattribute false instead of hal_audio. Fix this.
Bug: 63809360
Test: build policy
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
No more:
Warning! Type or attribute hal_audio used in neverallow undefined in policy being checked.
Change-Id: Iedf1b80f669f95537ed201cbdbb0626e7e32be81
-
TreeHugger Robot authored
-
- Jul 18, 2017
-