am: 4587df0f

Change-Id: I38418dfd353bb6b8ab5333ef0fb5a3907e7d3eab

am: 2afdf49a

Change-Id: Ic017d638035ce5be10ac2aeda60049a1087d83df

am: f54b3622

Change-Id: I0a304ed2b5591e58b0e39b37cb9fb8f392fe663b

This new input selector allows phasing in new security policies by
giving app developers an opportunity to make any needed compatibility
changes before updating each app's targetSdkVersion.

When all else is equal, matching entries with higher
minTargetSdkVersion= values are preferred over entries with lower
minTargetSdkVersion= values.

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806

am: 1e2b5557

Change-Id: I8cc26d76dbdc2540d9d88d2df3101f358caa866a

am: 44badf75

Change-Id: I1116bc27b2a5deb4c51934d21a132279ab502ce3

am: 3b06b971

Change-Id: I3ea2bbb2ed2e1b2e9293b3766904b681a70e9896

am: e5d7a8ce

Change-Id: I3c4398a0845d98c9824bde7f6a96bce2ac4ca665

am: 6832909b

Change-Id: I0acd257b35f55e9f125ea805b2152aa1296ffa88

am: ee2faadc

Change-Id: Ic12fe80e16972a172092291058c12dd53c95ee14

am: 12649249

Change-Id: Idbccec64163fe70c146b653c0c71c6b14b8ba797

am: 8eb8beba

Change-Id: Ie468fabd56f01c1340c49632760ce1e7ba65420b

am: d734f151

Change-Id: I600ecaf5fac9401db036a733a7afa186f6de7eb2

am: 8f022478

Change-Id: Id2bf23854f29d453e8e280a50e6b2fee308e6db2

am: d1eb4564

Change-Id: Ic7a0b8ad7469778a2cf5ef2673de493fe34eabd9

am: 7bb3d92a

Change-Id: I77e60157551af8e13bb4fb45da86aae86347f084

am: 6f443b87

Change-Id: I46dc0e9a5350dca7861fc81f0cf00d698c57ec0b

am: ff5784f3

Change-Id: Ieb6e5cc4711add33fbd7b276bbbd362f249fb51e

am: 5b4f15e1

Change-Id: Ic7c0de32ac3970c000062bc35bb0c50254510b3a

Update shell.te to reflect the fact that hwbinder_user permission is for
lshal, not dumpsys.

Bug: 33382892
Test: pass
Change-Id: I1d298261cea82177436a662afbaa767f00117b16

Bug: 34135607
Test: hals work

Merged-In: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4
Change-Id: I6a1f87438bb5b540fce900e9ec5df07d3f4f6bd4

am: fdace232

Change-Id: I1bf9fc75321e57e9cf4c75b2fb46b66adfa1b720

am: a240947e

Change-Id: I508c25c5ea4c9e2c2b459e6247fdffd6412a2da6

am: daeb5e01

Change-Id: If2e1e939980f6c3c4c9aaf765b4418f11aef4084

am: f44c0dd7

Change-Id: Ic08c60058c959cd247849c43e76b5ea9971e3f5a

am: 530b8f52

Change-Id: Ide555826450bfc6872af89f3f5c3be27018fd7d9

am: 4cae28d4

Change-Id: Ie22e0c2a1c84188666a38dba21129e7547d83fbc

Bug: 35210697
Test: manual
Change-Id: I0e1e8923851f668d5fe6c210f411a8e4ff0470c7

Don't audit directory writes to sysfs since they cannot succees
and therefore cannot be a security issue

Bug: 35303861
Test: Make sure denial is no longer shown
Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464

On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.

See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103

The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.

The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.

Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .

This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.

Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e

am: 05984847

Change-Id: Ib897f3fcc8471c1f40b85650ee6c997f2da0d9de

am: 137923a1

Change-Id: I5748e38ffdbefa08b66132080c934c44c5d02327

am: 6ebcfe47

Change-Id: I6999a1aaf79a559e0477166523ee71cfbfeb3a1b

Use the default filesystem label from genfs_contexts for the directory
/sys/kernel/debug/tracing and /sys/kernel/tracing, instead of explicitly
attempting to relabel it.

There are three cases we need to consider:

1) Old-style tracing functionality is on debugfs
2) tracing functionality is on tracefs, but mounted under debugfs
3) tracefs is mounted at /sys/kernel/tracing

For #1, the label on /sys/kernel/debug/tracing will be debugfs, and all
processes are allowed debugfs:dir search, so having the label be debugfs
instead of debugfs_tracing will not result in any permission change.

For #2, the label on /sys/kernel/debug/tracing will be debugfs_tracing,
which is the same as it is today. The empty directory
/sys/kernel/tracing wlll retain the sysfs label, avoiding the denial
below.

For #3, /sys/kernel/debug/tracing won't exist, and /sys/kernel/tracing
will have the debugfs_tracing label, where processes are allowed search
access.

Addresses the following denial:

avc:  denied  { associate } for  pid=1 comm="init" name="tracing"
dev="sysfs" ino=95 scontext=u:object_r:debugfs_tracing:s0
tcontext=u:object_r:sysfs:s0 tclass=filesystem permissive=0

Bug: 31856701
Bug: 35197529
Test: no denials on boot
Change-Id: I7233ea92c6987b8edfce9c2f1d77eb25c7df820f