Filesystem capabilities should only be set by the build tools
or by recovery during an update. Place a neverallow ensuring
this property.

Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1

Remove and neverallow isolated_app access to external storage and
USB accessories.

Test: aosp_angler-userdebug builds
Bug: 21643067
Change-Id: Ie912706a954a38610f2afd742b1ab4b8cd4b1f36

BUG: 31001899
Test: manual
Change-Id: I8d462b40d931310eab26bafa09645ac88f13fc97

Test: built and ran on device.
Bug: 31442830
Change-Id: Idd7870b4dd70eed8cd4dc55e292be39ff703edd2

If in invalid policy file is loaded check_seapp outputs:

Error: Could not lod policy file to db: Success!

The "Success" value is from errno, which is not manipulated
by libsepol. Also, load should have an a in it!

Hardcode the error message to:

Error: Could not load policy file to db: invalid input file!

Test: That when providing an invalid sepolicy binary, that the output
message is correct.
Change-Id: Iaf1f85eeb217d484997ee1367d91d461c1195bf4
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Renaming vibrator sepolicy to remove the version number.
Also moving the related binder_call() to maintain alphabetical order.

Bug: 32123421
Change-Id: I2bfa835085519ed10f61ddf74e7e668dd12bda04
Test: booted, and checked vibrate on keypress on bullhead

Helps fix vibrator HAL open issue

avc: denied { write } for pid=907 comm="system_server" name="enable" dev="sysfs" ino=20423 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_vibrator:s0 tclass=file permissive=0

Bug: 32209928
Bug: 32225232

Test: m, booted, tested keypad to make sure vibrator works
Change-Id: I4977c42b7fac0c9503be04b6520487f2d6cbc903

Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.

Bug: 28760354
Change-Id: Ib6da57f6249a5571015b649bae843590229be714

Fixes failure in VPN connection

avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8914
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket
avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8916
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket

Test: VPN works
Bug: 32011648
Change-Id: I28c4dc7ffbf7e35ef582176674c4e9764719a2a9

Change-Id: Ic0dd1162e268ce54e11de08b18dd7df47ab12147

Fixes the following denials:
avc: denied { open } for pid=7530 comm="android.hardwar" path="/sys/devices/virtual/timed_output/vibrator/enable" dev="sysfs" ino=20519 scontext=u:r:android_hardware_vibrator_1_0_service:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
avc: denied { call } for pid=9173 comm="Binder:7735_C" scontext=u:r:system_server:s0 tcontext=u:r:android_hardware_vibrator_1_0_service:s0 tclass=binder permissive=1

Test: m
Bug: 32021191
Change-Id: I243a86b449794e3c2f0abf91ddcf405eff548d0c

check_seapp.c:993:6: warning: Passed-by-value struct argument contains
uninitialized data (e.g., field: 'data')

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I3fc2ca8f862356628864f2a37b8d39222c8d658a

Value stored to 'i' is never read.
Variable 'j' is never used.

Bug: 26936282
Test: WITH_TIDY=1 WITH_STATIC_ANALYZER=1 mm
Change-Id: I8dd266e639d089efd1fb1e1e0fca3899cf2a1553

N/A

Test: builds
Change-Id: I10a53c07f5b56c362cc599a901a2d74d7e96e917
Signed-off-by: liminghao <liminghao@xiaomi.com>

Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9

Fixes the following denial:
avc: denied { call } for pid=791 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

Test: Builds, boots, vibrator works on bullhead
Change-Id: I56a0a86b64f5d46dc490f6f3255009c40e6e3f8f

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Ignore, as it's a side effect of mounting /vendor.

Bug: 31116514
Change-Id: If94a27a26181e40de5c5e60f5446de9ce2ccdba0
(cherry picked from commit 0f81e066)

No core android component needs access to /dev/snd/{seq,timer}, but
currently audioserver, bootanim, init, system_server and ueventd have
access. Seq and timer have been the source of many bugs in the past
[1]. Giving these files new labels without explicitly granting access
removes access from audioserver, bootanim, and system_server.
Init and ueventd still require access for /dev setup.

TODO: Explore unsetting CONFIG_SND_TIMER device kernels.

[1] https://github.com/google/syzkaller/wiki/Found-Bugs

Test: media CTS "cts-tradefed run cts -m CtsMediaTestCases" on Bullhead
and Dragon completed with no denials.

Bug: 29045223
(cherry picked from commit db4510d8)
Change-Id: I2d069920e792ce8eef70c7b4a038b9e7000f39f5

* changes:
  fix lax service context lookup (II)
  fix lax service context lookup

Test: builds and boots on Bullhead with no selinux audit messages.

Bug: 29795149
Bug: 30400942
Change-Id: I93295424a03488234b233d5e2f86d3bf329e53fd

Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.

Bug: 28760354
Change-Id: I0a6363f094c41392469f438c4399c93ed53fb5ac

avc: granted { use } for pid=3067 comm="SoundPoolThread"
scontext=u:r:drmserver:s0 tcontext=u:r:system_server:s0 tclass=fd

Test: builds/boots on Angler. Adds permissions for all "granted" avc
messages observed in three months of log auditing.

Bug: 28760354
Change-Id: I51f13d7c7d40f479b1241dfcd5d925d28f74926b

As fallout from the corresponding fix in libselinux,
this patch adds the missing services without changing
semantics.

Test: bullhead builds and boots

Bug: 31353148
Change-Id: I21026c9435ffef956a59d61c4903174ac7b1ef95

Inform checkfc about new service label backend.

Test: bullhead builds

Bug: 31353148
Change-Id: I499da36108e67483a4f9a18fd8cc7c8f13419abd

android.hardware.nfc@1.0-service is the generic binderized
HIDL package implementation of android.hardware.nfc@1.0

Denials:
avc: denied { read write } for pid=432 comm="android.hardwar"
name="pn548" dev="tmpfs" ino=10228
scontext=u:r:android_hardware_nfc_1_0_service:s0
tcontext=u:object_r:nfc_device:s0 tclass=chr_file

avc: denied { search } for pid=443 comm="Binder:430_1" name="nfc"
dev="dm-0" ino=670433 scontext=u:r:android_hardware_nfc_1_0_service:s0
tcontext=u:object_r:nfc_data_file:s0 tclass=dir

Test: pass

Change-Id: Id022b8d1706253ef65a37406c74ff883e12415b2
Signed-off-by: Iliyan Malchev <malchev@google.com>

Grant access to all processes and audit access. The end goal is to
whitelist all access to the interpreter. Several processes including
dex2oat, apps, and zygote were observed using libart, so omit them
from auditing and explicitly grant them access.

Test: Angler builds and boots

Bug: 29795519
Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88