Access to modifying methods of ProxyService is
checked in implementation.

Bug: 27337770
Change-Id: I718ea8f4fd6be940ee9ef57f0571d884a013489b

The changes to ptrace in
https://android-review.googlesource.com/#/c/175786/ (removing it from
app.te and only adding it to isolated_app and untrusted_app) broke
WebView crash handling in cases where privileged apps (like gmscore) use
WebView.

The only way to fix this would be to allow priv_app to self-ptrace as
well. :/

Bug: 27697529
Change-Id: Ib9a3810dddc9f4213b6260133cbae23f669ae8dc

SELinux label is created for contexthub_service system service.

ContextHub service manages all available context hubs and serves fulfil communication between apps
and underlying context hub hardware.

Change-Id: I8470fedd9c79a00012e1cdb9b548a1b632ba7de6

Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries.  Mark it as an app_api_service so
that all applications may use this API.  Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties.  As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

(cherry-picked from commit: 9ed71eff)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9

HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b

Remove permissions which are already covered by other permissions.

Found by running:

  sepolicy-analyze path/to/sepolicy dups

No functional change.

Change-Id: I526d1c1111df718b29e8276b024fa0788ad17c71

Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was restored,
however, but not completely.  Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.

Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be

Bug: http://b/27367422
Change-Id: I936c16281e06214b35f8d245da8f619dc92ff15f
(cherry picked from commit 48141c36)

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d

Addresses:
avc:  denied  { find } for service=media.drm pid=6030 uid=10012
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:mediadrmserver_service:s0 tclass=service_manager

Bug: 27553530
Change-Id: I060de7ee1f66c7a545076b7de8363bebaac61f2c

Bug: 27531271
Change-Id: I3c5eee86d09696373ab155f93ba6c85da224cb51

It's okay for isolated apps to connect to the webview update service to
find out which APK is WebView. This enables isolated renderer processes
to load their code from the WebView APK.

Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f

... and client apps to read them.

A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047

Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b

Vold needs to be able to query if the directory exists and
eventually to fix permissions and the owner.

Typical error:
W vold    : type=1400 audit(0.0:485): avc: denied { getattr } 
for path="/data/misc/profiles/cur/11/foreign-dex" dev="dm-2" 
ino=343857 scontext=u:r:vold:s0
tcontext=u:object_r:user_profile_foreign_dex_data_file:s0 tclass=dir 
permissive=0


Bug: 27517932
Change-Id: Iff10c864634baa97cc814916ee7495b262e0c7eb

Bug: 27511071
Change-Id: I99ea21638a4df8ad1f815d91bb970e1f8f143030

- Required to query cpusets information.

Bug: 22855417
Bug: 27381794
Bug: 27498731

Change-Id: I6d192aad2135d99a6c9cdaf97696b0822bd21897

Bug: 27511071
Change-Id: I737aa9daac6c78846fe375300c3338e401d733ac

It's unlikely we'll get /proc locked down for the N release, so
delete the auditallow to avoid spamming the logs. Mark this
commit as DO NOT MERGE so we can continue to make progress on this
for future Android releases.

Change-Id: Ibf27bc5cb1b23c21e123aae8a4f190560d0ac2dc

Both appdomain and priv_app can set the default ringtones, so the
cache files need to be mlstrustedobject.

avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0

Bug: 27366059
Change-Id: Ib362f58b180a62bd46800083d6c538426f955b10

When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

(cherry picked from commit 6cb2c893)

Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef

Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 01d95c23)

Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114

For apps installed /data (vs the system image), Otapreopt puts
A/B artifacts alongside the regular oat location with a "b" suffix.

Give Otapreopt the right to create and write such files.

Bug: 25612095
Change-Id: Idf3f0959816f49407036cea9b8e684b26c510e80

system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicate
via /dev/socket/uncrypt to allow things like factory reset to keep
working.

Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca

no longer used nor desired.

Change-Id: Iac447fb2291371caa4a8ec255db114d9f7ccdddb

Bug: 27239233
Change-Id: I82e3451542f08de67ad950223be90e37a2d3e899

This reverts commit b5594c27.

Bug: 27239233
Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2