Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5

* changes:
  NFC HAL no longer violates socket access restrictions
  Remove access to sock_file for hal_nfc

Test: bit FrameworksCoreTests:android.view.textclassifier.TextClassificationManagerTest
Bug: 34780396
Change-Id: I8b98fef913df571e55474ea2529f71750874941c

Test: compiles
Bug: 37640900
Change-Id: Ia9960af9da880fd130b5fb211a054689e2353f1d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit ad41fa8d)

Rules defined in utrusted_app_all do not apply to all untrusted apps,
update the comments to reflect that.

Test: builds
Change-Id: I6f064bd93c13d8341128d941be34fdfaa0bec5da

Bluetooth needs the capability to set audio-related threads to be RT
scheduled.  Grant it sys_nice.

system_server needs to set priority for the Bluetooth HAL.  Allow it.

Bug 37518404
Test:  Play Bluetooth audio, confirm RT scheduling with systrace
Merged-In: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f

(cherry picked from commit 6eee6eb2)

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

Empty typeset is not an issue in neverallow rules. The reason is that
it's completly normal for scontext or tcontext of neverallow rules to
evaluate to an empty type set. For example, there are neverallow rules
whose purpose is to test that all types with particular powers are
associated with a particular attribute:
  neverallow {
    untrusted_app_all
    -untrusted_app
    -untrusted_app_25
  } domain:process fork;

Test: sepolicy-analyze neverallow -w -n \
          'neverallow {} {}:binder call;'
      produces empty output instead of "Warning!  Empty type set"
Bug: 37357742
Change-Id: Id61b4fe22fafaf0522d8769dd4e23dfde6cd9f45

Test: gts-tradefed run gts -m GtsMediaTestCases -t com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC

bug:37548390
Change-Id: I9c2d446118d3a5f729730b75ec117954e383159b

This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329

This is a follow-up to cbc0d2bb which
introduced the typos.

Test: mmm system/sepolicy -- comments only change
Bug: 37640821
Change-Id: Ibe0eda0b3ee9bbfb1e33ef98f2e81267ec580e59

iptables recently changed its behavior to strictly require xtables.lock.
dumpstate selinux policy must be updated to allow access.

Bug: 37648320
Test: dumpstate succeeds with no avc: denied ... xtables.lock messages
Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd

Bug: 37646565
Test: build marlin-userdebug
Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc

This adds a neverallow rules which checks that SELinux app domains
which host arbitrary code are not allowed to access hwservicemanager
operations other than "find" operation for which there already are
strict neverallow rules in the policy.

Test: mmm system/sepolicy -- neverallow-only change
Bug: 34454312
Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7

Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640821
Change-Id: I28c27b369268e75ab6b2d27bcb30b88acb2732e6

Test: mmm system/sepolicy -- this is just a comment change
Bug: 37640900
Change-Id: I7c96dde15f74822a19ecc1b28665913b54b3973b

Fixes issue where attributes used exlusively in neverallow
rules were removed from policy.

For on-device compile use the -N flag to skip neverallow tests.

Policy size increases:
vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
system/etc/selinux/plat_sepolicy.cil    567664 -> 745230

For a total increase in system/vendor: 266182.

Boot time changes:
Pixel uses precompiled policy so boot time is not impacted.
When forcing on-device compile on Marlin selinux policy compile
time increases 510-520 ms -> 550-560 ms.

Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layes of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already as, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d

On fugu, surfaceflinger is Graphics Allocator HAL. surfaceflinger
needs access to video_device. This commit thus relaxes the neverallow
rule which says that out of all HALs, only Camera HAL can access
video_device. The rule is relaxed to exclude HALs offered by
framework/system image.

Test: fugu boots
Bug: 37575062
Change-Id: I9b9be55fe0bf3928f1a6342113a7d6f9a2eb0260

Allow the services to do binder calls to system_server in order to check
for app permissions.

Bug: 37542947
Test: Compiled and ran on device ensuring no permission errors
Change-Id: If91895607eb118f689cf2e11c63945e9f83bf2a0