This reverts commit 942500b9.

Bug: 75287236
Test: boot a device
Merged-In: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
(cherry picked from commit a6d9d6b6)

See also go/perfetto-io-tracing-security.

* Grant CAP_DAC_READ_SEARCH to traced_probes.
* Allow traced_probes to list selected labels.
* Change ext4 and f2fs events to be available on user builds.

Bug: 74584014
Cherry-picked from aosp/631805
Change-Id: I891a0209be981d760a828a69e4831e238248ebad
Merged-In: I891a0209be981d760a828a69e4831e238248ebad

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc

Test: Builds

Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0

A default value of persist.radio.multisim.config can be set by SoC
vendors, and so vendor-init-settable should be allowed to it.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
Merged-In: Ie62b91e7e3d7e05425b742838417f1cab7b3fed4
(cherry picked from commit ac8c6e3d)

Give statsd rights to connect to perfprofd in userdebug.

(cherry picked from commit 488030ee)

Bug: 73175642
Test: mmma system/extras/perfprofd
Merged-In: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd
Change-Id: Idea0a6b757d1b16ec2e6c8719e24900f1e5518fd

The ConfirmationUI API has a callback interface by which confirmation
results are presented to the calling app. This requires keystore to call
into apps.

Test: Device boots and no more denials when call back is delivered to
      apps.
Bug: 63928580
Change-Id: Ie23211aeb74c39956c3c3b8b32843d35afa1315a

Suppress WAI denials from crashdump.

Test: build/flash Taimen. Verify no new denials.
Bug: 68319037
Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16

Kernel modules are not permitted to be on /system partition.
That was one of Treble requirements in O:
https://source.android.com/devices/architecture/kernel/modular-kernels#file-locations

Bug: 74069409
Test: pixel/nexus devices don't have LKMs in /system, so this change
shoudl be harmless.
Test: walleye boots without issues from modprobe.
Merged-In: I8b3aeb55aacb3c99e0486224161d09a64bb52cd1
Change-Id: I8b3aeb55aacb3c99e0486224161d09a64bb52cd1

(cherry picked from commit 6ef9f523)

ro.config.low_ram should be set on Android Go devices by SoC vendors,
and the value can be read by vendor components.

Bug: 76132948
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1
Merged-In: I6ac98fa58cf641da4565d6277898fc5e5e6ceca1
(cherry picked from commit 7dd2e025)

Add sepolicy rule to grant Wifi HAL permission to use SIOCSIFHWADDR
ioctl. This permission is needed to dynamically change MAC address of
the device.

We are moving the implementation of setting the MAC address from
WifiCond to Vendor HAL to give vendors flexibility in supporting
Connected MAC Randomization. Will clean up WifiCond sepolicy afterwards.

Bug: 74347653
Test: Verified manually
Change-Id: I334cefddf385ecb1ee169eb692c4e0060c26d6d9

Test: manual
Bug: 75318418
Merged-In: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7
Change-Id: I700c1b8b613dba1c99f4fbffdd905c0052c1b2e7

Bug: 74182216
Test: build policy
Change-Id: Idf90c1a96943266d52508ce72b8554d8b5c594c9
(cherry picked from commit 09b1d962)

With this attribute it will be easier to reference /proc files.

Bug: 74182216
Test: policy builds
Change-Id: I5b7da508d821e45f122832261a742a201e8fdf2c
(cherry picked from commit 41bf08e5)

This reverts commit 88cd813f.

Bug: 75287236
Test: boot a device
Change-Id: Id1bc324e7bd0722065d8a410af31fd6b7aaa9d1c
Merged-In: Id1bc324e7bd0722065d8a410af31fd6b7aaa9d1c
(cherry picked from commit 942500b9)

persist.sys.usb.usbradio.config can be read in vendor init scripts.

Bug: 75202311
Bug: 74266614
Test: succeeded building and tested on pixels
Change-Id: Ib07a436dd22b4b445fd114cc1d0df7c3e7a21527

Several /odm/* symlinks are added in the following change, to fallback
to /vendor/odm/* when there is no /odm partition on the device.

  https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/

This change allows dexopt operations to 'getattr' those symlinks during
OTA.

Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
Merged-In: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
(cherry picked from commit 88cd813f)

Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
Merged-In: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
(cherry picked from commit 62acbce4)

Allow init the ability to relabel recovery block devices. In the case
where we have recovery as a chain partition, due to its presence in
early mount node, init, in first stage itself would require relabel
permissions for the restorecon operation on recovery block device.

Bug: 73642793
Test: On bootup, recovery partition gets the appropriate se-label.
      Perform OTA on non-A/B device with recovery as chain partition,
      now the recovery partition gets upgraded successfully, now that
      it has the correct se-label.

Change-Id: I370c510320e78ab78c9c55573073415b4983d0f6
Merged-In: I370c510320e78ab78c9c55573073415b4983d0f6
(cherry picked from commit bc14ee3c)

Bug: 64195575
Test: boot a device

Change-Id: I7f7deb5e2c5c6e0a75cf22eb610a7973b5be0d7e
Merged-In: I7f7deb5e2c5c6e0a75cf22eb610a7973b5be0d7e
(cherry picked from commit a47a1c25)

vendor-init-settable should be allowed to ro.enable_boot_charger_mode so
that SoC vendors can set its default value.

Bug: 74421250
Test: succeeded building and tested with taimen
Change-Id: I2859aab29fefb7882989413a089b0de55142d2f1
Merged-In: I2859aab29fefb7882989413a089b0de55142d2f1
(cherry picked from commit 46bc518c)

Bug: 69623109
Change-Id: I7d194a3489fc5ff278cef7bebe9bfe6c39d3b2b8
(cherry-picked from 4a40c592404bdc2032067f4a3fac2f33b9246aa0)

Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 63932139
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8bf14466b6431a21bc5ccd4bf6ca3ea)

This reverts commit 016f0a58.

Reason for revert: Was temporarily reverted, merging back in with fix.

Bug: 74486619
Bug: 36427227
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2

/odm partition isn't mandatory and the following symlinks will exist on
a device without /odm partition.

  /odm/app ->/vendor/odm/app
  /odm/bin ->/vendor/odm/bin
  /odm/etc ->/vendor/odm/etc
  /odm/firmware ->/vendor/odm/firmware
  /odm/framework ->/vendor/odm/framework
  /odm/lib -> /vendor/odm/lib
  /odm/lib64 -> /vendor/odm/lib64
  /odm/overlay -> /vendor/odm/overlay
  /odm/priv-app -> /vendor/odm/priv-app

This CL allows all domains to access the symlinks, also removes the
Treble compliance neverallows on them because the actual restrictions
should apply to the real path directly.

Bug: 70678783
Test: boot a device
Change-Id: If1522780a13710d8a592272dc688685cbae29f52
(cherry picked from commit dd6efea2)

This reverts commit eeda6c61.

Reason for revert: broken presubmit tests

Bug: 74486619
Change-Id: I103c3faa1604fddc27b3b4602b587f2d733827b1

Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e

For now, persist.rcs.supported has only vendor-init-settable, but it
turned out that the property should be read by vendor components in
some devices including 2018 Pixels.

Bug: 74266614
Test: succeeded building and tested on a blueline device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true

Change-Id: I926eb4316c178a39693300fe983176acfb9cabec

Test: eSE initializes at boot
Bug: 64881253
Change-Id: Ib2388b7368c790c402c000adddf1488bee492cce
(cherry picked from commit ea3cf000)

We already grant rw file access, but without dir search it's not much
use.

denied { search } for name="vibrator" dev="sysfs" ino=49606 scontext=u:r:hal_vibrator_default:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir permissive=0

Bug: 72643420
Test: Builds, denial gone
Change-Id: I3513c0a14f0ac1e60517009046e2654f1fc45c66

Bug: 73952536
Test: run cts -m CtsCameraTestCases -t android.hardware.camera2.cts.IdleUidTest#testCameraAccessBecomingInactiveUid
Change-Id: I508352671367dfa106e80108c3a5c0255b5273b2

The kernel is unusual in that it's both a core process, but vendor
provided. Exempt it from the restriction against accessing files from
on /vendor. Also, rework the neverallow rule so that it disallows
opening/modifying files, but allows reading files passed over IPC.

Bug: 68213100
Test: build (this is a build-time test)
Change-Id: I2f6b2698ec45d2e8480dc1de47bf12b9b53c4446

Allow hal audio to use vndbinder

Change-Id: I83fc8d5b873bfc4e36f44e423d5740cb5e9739ee

persist.sys.zram_enabled is set in vendor/build.prop in taimen and walleye,
which was added after the initial whitelist.
go/treble-sysprop-compatibility requires whitelisting such a property to
allow it to be overridden by vendor/{default|build}.prop.

Bug: 73905119
Test: succeeded building and test with taimen
Change-Id: I931182aa05eb90c14df6e2c7cc26913f3874fa18

The sheer volume of these can cause confusion.

Sample denials (repeated for many processes):
denied { getattr } for path="/proc/1/status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1
denied { open } for path="/proc/1" dev="proc" ino=18608 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=dir permissive=1
denied { open } for path="/proc/1/status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1
denied { read } for name="status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1

Bug: 72643420
Test: Denials no longer present in permissive mode.
Change-Id: Ic07b9b0b59ca2122c4843095b63075ab8fd2c70b

The write is here: https://android.googlesource.com/platform/system/core/+/master/rootdir/init.rc#257.

Denials (on a device with the sysfs_vibrator label properly applied):
denied { write } for name="vibrator" dev="sysfs" ino=49613 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=dir
denied { write } for name="trigger" dev="sysfs" ino=49620 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file
denied { open } for path="/sys/devices/<redacted>/vibrator/trigger" dev="sysfs" ino=49620 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file

Bug: b/72643420
Test: Device boots, denials gone

Change-Id: Ib50d9a8533303daccb1330685e3204bea3fbd8a8

ro.radio.noril is used for modem-less products including emulator.

Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: I2270374a2523889aa4874840594d8267614f93ad

The webview_zygote is now launched as a child-zygote process from the
main zygote process.

Bug: 63749735
Test: m
Test: Launch "Third-party licenses" activity from Settings, and it
      renders correctly via the WebView.
Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1
Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08

Neverallow errors include the file name and line number of the
violated rule. However, if multiple neverallow rules are included
within a single macro, then the line number is for the entire macro,
not the individual neverallow rule that is violated. To fix this,
only include one neverallow rule per macro.

This changes nothing on device, nor does it change the results of
compilation, it only makes the printed errors more useful.

Bug: 69139821
Test: build aosp_taimen-userdebug (neverallow rules are build time
    tests)

Change-Id: Id0fc5906431db20e71265c7e9d55fbee4bdf53db