This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa5ac7eca95f3b21034174a495a6760e47)

am: 66adf0cd

Change-Id: I88a90ad2fc9243724e4ddb6f9da469857ffd115b

am: caf0139b

Change-Id: I874a41e0072352f5b8a0fc2b0080913c206520e1

am: 1d401545

Change-Id: I7502e6ff1e45c12340b9f830bcc245fd2c80996e

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours am: a0fac585  -s ours
am: 8ded6f42  -s ours

Change-Id: I19963a23f98c60613a511eed2b2f8938317002f8

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9 am: 0bba3d44  -s ours
am: a0fac585  -s ours

Change-Id: I37020b064e0ab86621c567120e362a39cb27ddc3

am: 1ee556ed  -s ours

Change-Id: I3cc14d0b4d61136651c89671d2b134a86fc9450f

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0 am: a401c9f9
am: 0bba3d44  -s ours

Change-Id: I7d9dfa298bc3f7f278284a09b5c47bd2d1c95e1d

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0
am: a401c9f9

Change-Id: I37ef9b2b0ca3ea3012324a13592d60b70645bb8e

am: b7602d76

Change-Id: Ic731e6165c89f205bce4c96fbf760454550acd81

UsbDeviceManager in system_server now
helps set up the endpoint files.

Bug: 72877174
Test: No selinux denials
Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e am: ac6dcce0

Change-Id: I8b2fd267b39b579bf34f23822698cda23c31e77e

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb am: 89455f2e

Change-Id: Ic7c0f37773c22bd11e9b48e07bc46766d053da58

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d am: e9a260bb

Change-Id: Id65e91d0c3bdced074a6aa99902fcdfc0d97628c

[automerger] Fix sepolicy-analyze makefile so it is included in STS builds am: 7dab0f94 am: fa412d2d

Change-Id: I5ae440fe30e214250bf66ea023104ab383700a54

Change-Id: I9a4944f131547c11329167bc327c0de2c08e1f20

Bug:74022614
Test: `sts-tradefed run sts -m CtsSecurityHostTestCases -t
android.cts.security.SELinuxNeverallowRulesTest`

Merged-In: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b
Change-Id: I53f7bef927bcefdbe0edd0b919f11bdaa134a48b

am: 0d12c356

Change-Id: I245c2914f51f317758148123dc1368c326f562f1

am: 324e6ef5

Change-Id: I6ed15ce344d61eab4d81928b09020d7fb0fb757a

am: 17d008ae

Change-Id: Ib6305067a4f3bf30df918c63a049b7d689f9c255

We already grant rw file access, but without dir search it's not much
use.

denied { search } for name="vibrator" dev="sysfs" ino=49606 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir permissive=0

Bug: 72643420
Test: Builds, denial gone
Change-Id: I3513c0a14f0ac1e60517009046e2654f1fc45c66

am: 50830871

Change-Id: I23c9f800c4faab0d03a9d239bbb2d0a61b6263ab

am: 42756b76

Change-Id: Ia8e879b894c75a28461bd90e86888703c20a604a

am: a6acef9a

Change-Id: I4a6816ae90ced3afb04f8d40afb2267f3a2994cf

Bug: 73952536
Test: run cts -m CtsCameraTestCases -t android.hardware.camera2.cts.IdleUidTest#testCameraAccessBecomingInactiveUid
Change-Id: I508352671367dfa106e80108c3a5c0255b5273b2

am: 426f78ca

Change-Id: I4f1983feed32c668d723932c61a6f51692c61f53

am: 7a22490c

Change-Id: I3e6731b04314f9c54c016c1c7584242cdd12e75f

am: 609aa6b8

Change-Id: I261753961c59527061254f0b1c7adca50a7c2bce

am: e39ba338

Change-Id: I56e9182157c8de6c3135ae8a33962bca46c405dd

am: d69acbbf

Change-Id: Id2e01070d5669362b78f4adc865c4ff358711e60

am: 142bb78c

Change-Id: I1e721f2bfb59d2510769b7ddae9c22d5c8ae7dba

am: 5b1c3b69

Change-Id: I8808fd94c8130a551803b2ed184c325d3dad86cb

am: 5d3e4f0c

Change-Id: I56412b40f7f306ac32b588aba8de9a48a4f16c00

am: ebc7b434

Change-Id: If7f94440e35ad5a009ac6fa9d1cda3cb4fc17825

The kernel is unusual in that it's both a core process, but vendor
provided. Exempt it from the restriction against accessing files from
on /vendor. Also, rework the neverallow rule so that it disallows
opening/modifying files, but allows reading files passed over IPC.

Bug: 68213100
Test: build (this is a build-time test)
Change-Id: I2f6b2698ec45d2e8480dc1de47bf12b9b53c4446

avc: denied { getattr } for path="/vendor/framework"
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0
tclass=dir

Bug: 68826235
Test: boot Taimen, verify denials no longer occur.
Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88