am: d9301ac6

Change-Id: I4b272a59a7e48e1f0f15ddd1acb7e8f6b836ca40

am: 6351c374

Change-Id: I6e661aa37702c36e9003dcf41dbed4b754122c87

am: 317c4171

Change-Id: I418cc929f8e0a698220e0b8b1c51314ef9ea52a8

am: 044d2072

Change-Id: Ia6f8a806adae230df50f8d06edcf4ba9d2ae4352

am: 3e307a4d

Change-Id: Ic144d924948d7b8e73939806d761d27337dbebef

am: 3e307a4d

Change-Id: I90e567c8138fa75bf792af181890d0af627b6f48

The tetheroffload hal must be able to use network sockets as part of
its job.

Bug: 62870833
Test: neverallow-only change builds.
Change-Id: I630b36340796a5ecb5db08e732b0978dd82835c7

Same-process HALs are forbidden except for very specific HALs that have
been provided and whitelisted by AOSP.  As a result, a vendor extension
HAL may have a need to be accessed by untrusted_app.  This is still
discouraged, and the existing AOSP hwservices are still forbidden, but
remove the blanket prohibition.  Also indicate that this is temporary,
and that partners should expect to get exceptions to the rule into AOSP
in the future.

Bug: 62806062
Test: neverallow-only change builds.  Verify new attribute is in policy.
Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832

am: 492a53fe

Change-Id: Ic802fef5d53147e0ed2d2b588455ca8ad0843c4f

am: eb5542a1

Change-Id: I74cc45ee263121cece83ddb75133fbe2b0ff348d

am: 330d4477

Change-Id: Ice6c84f53d50b7fa987ea4e7259ecda4c64673aa

am: 330d4477

Change-Id: I6569c282114ceb09471d94cfa178535ab315c966

This is to Allow commands like `adb shell run-as ...`.

Bug: http://b/62358246
Test: run commands manually.
Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2
(cherry picked from commit 1847a38b)

am: ed88246c

Change-Id: Id7a784cbe65961f876f4d2d167303dcf7854ae21

am: 6e46ccdf

Change-Id: I5241333ec9099c7db3154cfcdb41003c65e235a0

am: 3b7d9e49

Change-Id: I5f12ae2d4c00efe648d1eecbe8a322de93e6447d

run-as uses file descriptor created by adbd when running
`adb shell -t run-as xxx`. It produces audit warnings like below:

[ 2036.555371] c1    509 type=1400 audit(1497910817.864:238): avc: granted { use } for pid=4945 comm="run-as" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:r:adbd:s0 tclass=fd

Bug: http://b/62358246
Test: test manually that the warning disappears.
Change-Id: I19023ac876e03ce2afe18982fe753b07e4c876bb

am: 0e6a3d87

Change-Id: I3af30f8f65918e273f634a9aa120c5cbeefd3a65

In libprocessgroup, we want to only send signals once to processes,
particularly for SIGTERM.  We must send the signal both to all
processes within a POSIX process group and a cgroup.  To ensure that
we do not duplicate the signals being sent, we check the processes in
the cgroup to see if they're in the POSIX process groups that we're
killing.  If they are, we skip sending a second signal.  This requires
getpgid permissions, hence this SELinux change.

avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1
avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1

Bug: 37853905
Bug: 62418791
Test: Boot, kill zygote, reboot
Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
(cherry picked from commit c59eb4d8)

am: 1468f85f

Change-Id: Idd803017a8087ac9e9221c0ca6ac5893391db6de

am: 29713c8d

Change-Id: I7089b62f8c54e24af47263325e085f092231f29d

am: 39c4f76b

Change-Id: I54b821fa20f428eaad1c8ab934a7e479664a6038

am: 58d0d1e4

Change-Id: I1a2207be3509ec5bc7797b906e15da16099190ad

am: 58d0d1e4

Change-Id: Ia53beb365c39d501c9d6cd53a4cb72dec14b610b

am: 2f2fd365

Change-Id: Ice4004ddb745f5936fc430f7ff44d1df3236687a

am: d4faa3ce

Change-Id: I1791a5758eae1907dc0f15c2eeba36a0ad6577ce

am: 6f94efaf

Change-Id: I1aceeeb61ca9e558dd32b3ef33e07b6a551387e6

am: b5aeaf6d

Change-Id: Ib0ac9cf10c7cb9fd2462e0036307e2552d19b93b

am: b5aeaf6d

Change-Id: Ibcf17f7bbea4923abc5d1713227568bb35c6674b

This adds parellel rules to the ones added for media_rw_data_file
to allow apps to access vfat under sdcardfs. This should be reverted
if sdcardfs is modified to alter the secontext it used for access to
the lower filesystem

Change-Id: Idb123206ed2fac3ead88b0c1ed0b66952597ac65
Bug: 62584229
Test: Run android.appsecurity.cts.ExternalStorageHostTest with
      an external card formated as vfat
Signed-off-by: Daniel Rosenberg <drosen@google.com>

Due to the massively increased number of attributes in SELinux policy
as part of the treble changes, we have had to remove attributes from
policy for performance reasons.  Unfortunately, some attributes are
required to be in policy to ensure that our neverallow rules are being
properly enforced.  Usually this is not a problem, since neverallow rules
indicate that an attribute should be kept, but this is not currently the
case when the attribute is part of a negation in a group.

This is particularly problematic with treble since some attributes may
exist for HALs that have no implementation, and thus no types.  In
particular, this has caused an issue with the neverallows added in our
macros.  Add an extraneous neverallow rule to each of those auto-generated
neverallow rules to make sure that they are not removed from policy, until
the policy compiler is fixed to avoid this.  Also add corresponding rules
for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes.  sepolicy-analyze also
works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762

* changes:
  Merge changes from topic 'fix-neverallow-violation' into oc-dev am: 3692b318 am: 97a4c1c9
  radio: disalllow radio and rild socket for treble devices am: d3381cd9 am: 516d8555

am: 760674da

Change-Id: Ibf3d635255104966af4d0b3004cee8babeffc4f9

am: 97a4c1c9

Change-Id: I7397ec9386f7f2afdbd44186e2e81ecac1ac48b1