- Jun 10, 2016
dcashman authored
Some legitimate functionality currently requires direct sysfs access that is not otherwise possible via the Android APIs. Specifically, isochronous USB transfers require this direct access, without which USB audio applications would noticeably suffer. Grant read access to the usb files under /sys/devices to prevent this regression. Bug: 28417852 Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728
-
- Jun 09, 2016
Jeff Vander Stoep authored
Addresses: avc: denied { find } for service=media.camera pid=1589 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0 Bug: 29190415 Change-Id: I77c0337500b8ab2f5d7d3d5982c7416fc39b1522
-
- Jun 08, 2016
David Brazdil authored
-
David Brazdil authored
This is needed in order to include profile files in bugreports. Bug: 28610953 Change-Id: I025189a4ac66b936711fdb4e20b10c2b0a7427d1
-
- Jun 07, 2016
Mark Salyzyn authored
Allow log.tag and persist.log.tag as log_tag_prop Bug: 28942894 Change-Id: I05766b99b9535a79a39adc55cad004decd52956e
-
- Jun 06, 2016
David Sehr authored
Bug: 28748264 Change-Id: I848c448e43d48d245d998ff22547bc67a640ab96
-
Narayan Kamath authored
-
- Jun 03, 2016
TreeHugger Robot authored
-
Jeff Vander Stoep authored
Also allow shell to set persist.log.tag.* Bug: 28942894 Change-Id: Ifdb2c87871f159dd15338db372921297aea3bc6b
-
- Jun 02, 2016
Narayan Kamath authored
The system_server needs to rename these files when an app is upgraded. bug: 28998083 Change-Id: Idb0c1ae774228faaecc359e4e35603dbb534592a
-
Daniel Micay authored
(Cherry picked from commit 38ac77e4)

This allows the shell user to control whether unprivileged access to perf events is allowed.

To enable unprivileged access to perf:

    adb shell setprop security.perf_harden 0

To disable it again:

    adb shell setprop security.perf_harden 1

This allows Android to disable this kernel attack surface by default, while still allowing profiling tools to work automatically. It can also be manually toggled, but most developers won't ever need to do that if tools end up incorporating this.

Bug: 29054680
Change-Id: Idcf6a2f6cbb35b405587deced7da1f6749b16a5f
-
- Jun 01, 2016
David Sehr authored
Bug: 28748264 Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
-
- May 27, 2016
Marco Nelissen authored
-
- May 26, 2016
Fyodor Kupolov authored
SetupWizard initiates video playback using MediaPlayer API. Media server should be able to handle preloads file descriptors. Bug: 28855287 Change-Id: I529dd39b25b852787b3d1708a853980cf382f045
-
Marco Nelissen authored
Bug: 22775369 Change-Id: Iae362fcc371bab1455dda733f408f005c7eec3f8
-
- May 24, 2016
Fyodor Kupolov authored
A new directory is created in user data partition that contains preloaded content such as a retail mode demo video and pre-loaded APKs. The new directory is writable/deletable by system server. It can only be readable (including directory list) by privileged or platform apps. Bug: 28855287 Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
-
- May 16, 2016
Narayan Kamath authored
The system_server needs to clear these markers along with other app data that it's responsible for clearing. bug: 28510916 Change-Id: If9ba8b5b372cccefffd03ffddc51acac8e0b4649
-
- May 13, 2016
Patrick Tjin authored
Adds the rules for /data/cache used for devices which do not have a cache partition. Bug: 28747374 Change-Id: I7c749e7692c9b8eab02029bbae5a3c78585030da
-
TreeHugger Robot authored
-
Andreas Gampe authored
* changes:
  Sepolicy: Allow debuggerd to dump backtraces of Bluetooth
  Sepolicy: Refactor long lines for debuggerd backtraces
-
Christian Poetzsch authored
Since kernel 4.1 ftrace is supported as a new separate filesystem. It gets automatically mounted by the kernel under the old path /sys/kernel/debug/tracing. Because it lives now on a separate device some sepolicy rules need to be updated. This patch is doing that. Most of the rules are created based on a conversation that happened on the SELinux Android mailing list: http://comments.gmane.org/gmane.comp.security.seandroid/2799

Note that this also needs 3a343a1 from the 4.4 branch in kernel/common.

Also note that when tracefs is auto mounted by the kernel, the kernel does not use the "mode" parameter specified to mount debugfs for tracefs. So an extra line like

    chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
(cherry picked from commit 4dafa72a)
Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a
-
TreeHugger Robot authored
-
Andreas Gampe authored
Allow to dump traces of the Bluetooth process during ANR and system-server watchdog dumps. Bug: 28658141 Change-Id: Ie78bcb25e94e1ed96ccd75f7a35ecb04e7cb2b82
-
Andreas Gampe authored
Split single lines in preparation for new additions. Bug: 28658141 Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
-
- May 12, 2016
dcashman authored
untrusted_app lost the ability to read files labeled as sysfs to prevent information leakage, but this is trivially bypassable by spawning an isolated app, since this was not taken away from isolated app. Privileges should not be gained by launching an isolated app, and this one directly defeats that hardening. Remove this access. Bug: 28722489 Change-Id: I61d3678eca515351c9dbe4444ee39d0c89db7a3e
-
Philip Cuadra authored
-
Richard Uhler authored
-
- May 10, 2016
Richard Uhler authored
To avoid audit messages that arise because there is no way to create a file without also trying to open and read it. Bug: 28241500 Change-Id: Id1daaf190b36eda9775e00701cd7241991f65a2a
-
Evgenii Stepanov authored
This policy takes effect only when building with SANITIZE_TARGET=address and allows the Zygote to load libraries from /data. That's where ASan-instrumented copies of system libraries are located. 32-bit library directories have been added a while back; this CL extends the same policy to 64-bit directories. Bug: 25751174 Bug: 28680288 (cherry picked from commit dda55908) Change-Id: Ieb4701b78db9649ec8563f2962a69db537ae61b3
-
- May 05, 2016
Philip Cuadra authored
Add pinner service to system_service services. Add CAP_IPC_LOCK permissions to system_server in order to allow system_server to pin more memory than the lockedmem ulimit. bug 28251566 Change-Id: I990c73d25fce4f2cc9a2db0015aa238fa7b0e984
-
- Apr 30, 2016
Christopher Tate authored
Fast system -> lock wallpaper migration wants rename, not copy. Bug 27599080 Change-Id: I4b07dff210fe952afb4675eecba3c5f7bf262e83
-
- Apr 28, 2016
Mihai Serban authored
There is a race in ueventd's coldboot procedure that permits creation of device block nodes before platform devices are registered. In this case the device node links used to compute the SELinux context are not known and the node is created under the generic context: u:object_r:block_device:s0. Ueventd has been patched to relabel the nodes on subsequent add events but it needs permissions to be allowed to do it. BUG=28388946 Signed-off-by: Mihai Serban <mihai.serban@intel.com> (cherry picked from commit d41ad551) Change-Id: I26838a3a9bc19b341e7176e5dc614827232014bf
-
Nick Kralevich authored
It doesn't ever make sense to attempt to load executable code from these files. Add a neverallow rule (compile time assertion and CTS test). Bug: 27882507 (cherry picked from commit 50ba6318) Change-Id: Ifab6e46a077a87629b4d3c7ada1050f2ab6931d5
-
Nick Kralevich authored
The misc_block_device partition is intended for the exclusive use of the OTA system, and components related to the OTA system. Disallow its use by anyone else on user builds. On userdebug/eng builds, allow any domain to use this, since this appears to be used for testing purposes. Bug: 26470876 (cherry picked from commit 2c7a5f26) Change-Id: I40c80fa62651a0135e1f07a5e07d2ef65ba04139
-
- Apr 27, 2016
Nick Kralevich authored
It doesn't make any sense for debuggerd to ever attempt to ptrace itself. A debuggerd crash can't be debugged via debuggerd. Bug: 28399663 Change-Id: I710d474e89d121385ef423b7bed9673a90e0759b
-
Jeff Tinker authored
-
- Apr 26, 2016
Jeff Vander Stoep authored
TIOCGWINSZ = 0x00005413 avc: denied { ioctl } for comm="ls" path="socket:[362628]" dev="sockfs" ino=362628 ioctlcmd=5413 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0 Bug: 28171804 Change-Id: I460e2469730d0cd90d714f30803ef849317d4be7
-
- Apr 24, 2016
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
camera_device was previously removed in AOSP commit: b7aace2d "camera_device: remove type and add typealias" because the same domains required access to both without exception, meaning there was no benefit to distinguishing between the two. However, with the split up of mediaserver this is no longer the case and distinguishing between the camera and video provides a legitimate security benefit. For example, the mediacodec domain requires access to the video_device for access to hardware accelerated codecs but does not require access to the camera. Bug: 28359909 Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232
-
- Apr 23, 2016
Jeff Tinker authored
bug: 22990512 Change-Id: I39baf6594cfcf56f5461ba54a7cdf6c9e161d834
-