Bug: 75987246
Test: succeeded builing and tested with taimen
Change-Id: I2d8bc91c305e665ed9c69459e51204117afb3eee
Merged-In: I2d8bc91c305e665ed9c69459e51204117afb3eee
(cherry picked from commit ac2e4cce)

Addresses:
avc: denied { find } for
interface=android.hardware.tetheroffload.config::IOffloadConfig
scontext=u:r:system_server:s0
tcontext=u:object_r:default_android_hwservice:s0
tclass=hwservice_manager

Bug: 77855688
Test: build/boot Sailfish, turn on tethering, no selinux denial
Change-Id: I97cae0928b5311a4da41d19cbd5c863c3137a49f
(cherry picked from commit 3a346ea7)

* changes:
  Suppress spurious denial
  Suppress spurious denial

Addresses:
avc: denied { sys_resource } scontext=u:r:zygote:s0
tcontext=u:r:zygote:s0 tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: If2413c3005df02a70661464d695211acbcda4094
(cherry picked from commit 816e744d998cb327fbd20f3124b22398bea2b8e4)

Addresses:
avc: denied { sys_resource } for comm="ip6tables" capability=24
scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0
tclass=capability

Bug: 77905989
Test: build and flash taimen-userdebug
Change-Id: Ic5d7c96152b96b55255eeec00b19948f38c1923c
(cherry picked from commit 443a43c9)

Bug: 69390067
Test: manual run of treble_sepolicy_tests
Change-Id: I1b772a3f7c96875765c75bfc1031f249411c3338
Merged-In: I1b772a3f7c96875765c75bfc1031f249411c3338
(cherry picked from commit 9fbd6520)

We often see the following denials:

avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0
avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0

These are benign, so we are hiding them.

Bug: 37778617
Test: Boot device.
Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a

Without this, we only have visibility into writes.

Looking at traces, we realised for many of the files we care about (.dex, .apk)
most filesystem events are actually reads.

See aosp/661782 for matching filesystem permission change.

Bug: 73625480

Change-Id: I6ec71d82fad8f4679c7b7d38e3cb90aff0b9e298

We have seen crash_dump denials for radio_data_file,
shared_relro_file, shell_data_file, and vendor_app_file.  This commit
widens an existing dontaudit to include them as well as others that we
might see.

Test: Boot device.
Change-Id: I9ad2a2dafa8e73b13c08d0cc6886274a7c0e3bac

This will allow adb shell getprop ro.vendor.build.security_patch to
properly return the correct build property, whereas previously it was
offlimits due to lack of label.

Test: adb shell getprop ro.vendor.build.security_patch successfully
returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android
.mk files

Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49

This reverts commit db83323a.

Reason for revert: breaks some builds due to duplicate genfs entries

Change-Id: I47813bd84ff10074a32cf483501a9337f556e92a

cgroupfs doesn't allow files to be created, so this can't be needed.

Also remove redundant neverallow and dontaudit rules. These are now
more broadly handled by domain.te.

Bug: 74182216

Test: Denials remain silenced.

Change-Id: If7eb0e59f567695d987272a2fd36dbc251516e9f

(cherry picked from commit 8e8c1093)

This allows system_server to access it for determining battery stats
(see KernelMemoryBandwidthStats.java).

batterystats-wo: type=1400 audit(0.0:429): avc: denied { read } for name="show_stat" dev="sysfs" ino=48071 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

Bug: 72643420
Bug: 73947096

Test: Denial is no longer present.
Change-Id: Ibe46aee48eb3f78fa5a9d1f36602c082c33036f7

(cherry picked from commit a8b3634d)

Bug: 73405145
Test: cts-tradefed run cts -m CtsMediaTestCases -t android.media.cts.AudioRecordTest#testRecordNoDataForIdleUids
Change-Id: I09bdb74c9ecc317ea090643635ca26165efa423a
(cherry picked from commit c5815891)
Merged-In: I09bdb74c9ecc317ea090643635ca26165efa423a

This is originally allowed in healthd but the permission
was not transfered to health HAL. A typical health HAL
implementation is likely to write battery info to kernel
logs.

Test: device has battery kernel logs with health HAL
      but without healthd

Bug: 77661605

Change-Id: Ib3b5d3fe6bdb3df2a240c85f9d27b863153805d2

This is needed to be able to scan the labels we have
permission on.

Denial:

04-06 12:52:22.674   874   874 W traced_probes: type=1400 audit(0.0:10314): avc: denied { search } for name="backup" dev="sda45" ino=6422529 scontext=u:r:traced_probes:s0 tcontext=u:object_r:backup_data_file:s0 tclass=dir permissive=0

Bug: 73625480

This should help fix presubmit tests.

Bug: 77634061
Test: Built policy.
Change-Id: Ib9f15c93b71c2b67f25d4c9f949a5e2b3ce93b9c

System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef

Remove unecessary access to /proc/net/xt_qtaguid/ctrl and
/dev/xt_qtaguid.

Bug: 68774956
Test: atest CtsNativeNetTestCases
Test: adb root; atest tagSocket
Change-Id: If3a1e823be0e342faefff28ecd878189c68a8e92

Bug: 72177715
Test: flash device and check incident output
Change-Id: I16c172caec235d985a6767642134fbd5e5c23912

Because applications should be able to set the receive
timeout on UDP encapsulation sockets, we need to allow
setsockopt(). getsockopt() is an obvious allowance as
well.

Bug: 68689438
Test: compilation
Merged-In: I2eaf72bcce5695f1aee7a95ec03111eca577651c
Change-Id: I2eaf72bcce5695f1aee7a95ec03111eca577651c

Test: build
Bug: 68774956
Change-Id: I0f9fd87eb41e67e14f35e49eba13e3d1de745250

The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
      		android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
(cherry picked from commit 5ec8f843)

This is a partial cherry pick of commit 6231b4d9
'Enforce per-app data protections for targetSdk 28+'.

Untrusted_app_27 remains unreachable, but it's existence
prevents future merge conflicts.

Bug: 63897054
Test: build/boot aosp_walleye-userdebug
Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0
Merged-In: I64b013874fe87b55f47e817a1279e76ecf86b7c0
(cherry picked from commit 6231b4d9)

tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb

Update for debugfs labeling changes.

Update for simpleperf behavior with stack traces (temp file).

Bug: 73175642
Test: m
Test: manual - run profiling, look for logs
Change-Id: Ie000a00ef56cc603f498d48d89001f566c03b661

A default value of persist.sys.sf.native_mode could be set by SoC
partners in some devices including some pixels.
So it should have vendor_init_settable accessibility.

Bug: 74266614
Test: succeeded building and tested with a pixel device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true.

Change-Id: I5d7a029f82505983d21dc722541fb55761a8714d