am: 4f6e5b98

Change-Id: I9b9142f1bc2a467c365481f4f34b5a308b93de5d

am: e14d6a98

Change-Id: Ie5fcb6dcdcc67f13907fa404fe9124a6e9113326

This is needed to retain app's previous access to
/sys/devices/system/cpu. When these files were previously
labeled in file_contexts, symlinks were labeled as
sysfs_devices_system_cpu. When labeling was moved to genfs_contexts
symlinks all have the default sysfs label.

avc: denied { getattr } for comm="main"
path="/sys/devices/system/cpu/cpu0/cpufreq" dev="sysfs" ino=41897
scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:sysfs:s0 tclass=lnk_file permissive=0

Change-Id: Idaa565390bca13d3819e147fcea4214956c0f589
Bug: 64270911
Test: build aosp_marlin
(cherry picked from commit 8d021a94)

Bug: 63600413
Test: VTS, instrumentation, audit2allow
Change-Id: I57c0150a52c13f1ce21f9ae2147e3814aad0fb7e

am: 2049efa4

Change-Id: I75c95bd95d018fed355706c128540408c6a327b6

am: 16145a0c

Change-Id: I4fcf3873dae33389c3211a056b7404c7470d3617

Commit 780a71e7 changed ueventd's selinux label lookup from /dev/input/
to /dev/input which no longer matches the regex in core policy
file_contexts. Fix the regex to match /dev/input and /dev/input/.

avc: denied { read } for name="input" dev="tmpfs" ino=14092
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:device:s0
tclass=dir
avc: denied { open } for path="/dev/input" dev="tmpfs"
ino=14092 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=dir

Change-Id: I8f42f5cd96fc8353bf21d3ee6c3de9e2872f229f
Fixes: 64997761
Fixes: 64954704
Test: no camera HAL denials

am: 9c66416f

Change-Id: Ia4bd460b21d04050958d64d8e2008a9a82f969ee

am: cdf186e4

Change-Id: I89df277c7a3ce19a69f6d3b5f2a4960515da8a2c

This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/



Only, making sure we add the same map permissions for the vendor
directory.

Signed-off-by: John Stultz <john.stultz@linaro.org>

(cherry picked from commit 24537b2e)

Bug: 65011018
Test: policy compiles.
Change-Id: I4d0319011ef4ef043134bf299dc4823a6c418717

Configstore HAL uses a seccomp filter which blocks the standard
path of execing crash_dump to collect crash data. Add permission
to use crash_dump's fallback mechanism.

Allowing configstore to write to the socket provided by tombstoned
required either exempting configstore from a neverallow rule, or
removing the neverallow rule entirely. Since the neverallow rule
could potentially prevent partners for doing security hardening,
it has been removed.

Bug: 64768925
Bug: 36453956

Test: killall -ABRT android.hardware.configstore@1.1-service
    Results in a call stack in logcat, and tombstone in
    /data/tombstones
Test: configstore runs without crashing
Test: SANITIZE_TARGET="address coverage" make vts -j64
    vts-tradefedrun commandAndExit vts --skip-all-system-status-check \
    -primary-abi-only --skip-preconditions -l VERBOSE --module \
    VtsHalConfigstoreV1_0IfaceFuzzer

Change-Id: I1ed5265f173c760288d856adb9292c4026da43d6
(cherry picked from commit 9924d782)

Bug: 64982450
Test: manual
Change-Id: Ic5d25b8a12271e5bfa71e30843a36fb643b914ff

am: cf627a49

Change-Id: I4c5d4a99d99bc95957c0083068f9299d769e9d57

am: c5bdf47c

Change-Id: Ic0c64373023fad16c4c54f57851cef4bf5360d1a

* changes:
  DO NOT MERGE: use 'expandattribute' for untrusted_app_visible_hwservice
  DO NOT MERGE: Add a way to allow untrusted_apps to talk to halserver domains
  DO NOT MERGE: Revert "Revert "Remove neverallow preventing hwservice access for apps.""

Bug: 62658302
Test: Boot device and observe no new denials

Change-Id: If9a21610897b14a419f276289818127412c29c55
Signed-off-by: Sandeep Patil <sspatil@google.com>

Vendor HAL extentsions are currently allowed to discover hardware
services that are labelled with 'untrusted_app_visible_hwservice'.
However, the policy doesn't allow these apps to talk to these services.
This CL makes sure that is now possible via the
'untrusted_app_visible_halserver' attribute for vendor domains that host
such a service.

Bug: 64382381
Test: Boot device and observe no new denials.

Change-Id: I1ffc1a62bdf7506a311f5a19acdab8c7caec902b
Signed-off-by: Sandeep Patil <sspatil@google.com>

am: 282d599f

Change-Id: I0dd51bc443866c43407f72ccf1da55fb85833abf

am: 51572137

Change-Id: I2137c4aff726537196f6799d5368fa2391e7f019

am: 7c55e171

Change-Id: I266e4a9374fa256adfba46a51325478e288fd22c

Performanced needs to talk to the permission service to verify
permissions of clients to access certain restricted scheduler
policies.

Bug: 64337476
Test: performance_service_tests passes; logs do not contain avc
      denials for performanced -> permission service.

Change-Id: I31618ab1d3e79c3c10138d567b0f5606527020f9

This reverts commit ceed7204.

New HALs services that are added in the policy while the CL was reverted
will are not made visible to applications by default. They are:
  hal_neuralnetworks_hwservice
  hal_wifi_offload_hwservice
  system_net_netd_hwservice
  thermalcallback_hwservice

Bug: 64578796
Test: Boot device

Change-Id: I84d65baddc757a5b0a38584430eff79a383aa8e0
Signed-off-by: Sandeep Patil <sspatil@google.com>

Make sure that any attributes removed from policy are declared
in the mapping file, in case they are relied upon by vendor
policy.

Bug: 36899958
Test: Builds successfull, but not with removed attribute not
in mapping file.
Change-Id: I25526cd88a50e90513ae298ccf4f2660e4627fb4

Bug: 63910933
Test: boot sailfish in normal mode, checks adbd is started
Test: boot sailfish in recovery mode, checks adbd is started
Test: boot bullhead in normal mode, checks adbd is started
Test: boot bullhead in recovery mode, checks adbd is started

Change-Id: I35ed78a15a34626fbd3c21d030e2bf51033f7b79

Test: gts-tradefed run gts-dev --module=GtsSecurityHostTestCases
Bug: 64127136
Change-Id: Ib50294488bb1a5d46faed00d6954db64648fed20

am: 1d5131e9

Change-Id: Ib7c75f525c905b0bbdb2a9dae43ba2fe4a209122

am: 78b3d573

Change-Id: I097dadd96f4b1c73e0092ac57e4e4d126461cc8a

The treble compatibility tests check for policy differences between old
and new policy.  To do this correctly, we must not modify the policy which
represents the older policies.  Move the files meant to be changed to a
different location from the ones that are not meant to be touched to avoid
any undesired changes to old policy, e.g. commit:
2bdefd65078d890889672938c6f0d2accdd25bc5

Bug: 36899958
Test: Build-time tests build.
Change-Id: I8fa3947cfae756f37556fb34e1654382e2e48372

am: 124e1f65

Change-Id: Iba3dd4ccfd1335d5cdb6b686865096f60daaae39