Added rule:

/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service
u:object_r:hal_configstore_default_exec:s0

Bug: 37727469
Test: Built and tested on Sailfish
Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58

Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b

In the init scripts for socket, the type can have a suffix of
"+cred" to request that the socket be bound to report SO_PASSCRED
credentials on socket transactions.  Here we add socket setopt
to selinux rules.

Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot
      (fails without logd.rc change)
Bug: 37985222
Change-Id: I37cdf7eea93c3e8fa52964e765eaf3007e431b1f

The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 37993476
Test: check contents of media.audio_flinger section in
      a bugreport captured on Pixel device

Change-Id: I77d347c019ac93c3ba0d54ce50f0fdc243b04685

This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0

Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
(cherry picked from commit a0d3ff8e)

The service "storaged" implememnts a dump() interface for
dumpsys, and thus it needs to write its state to the fd
provided by dumpstate.

To correct this, and fix dumpstate, allow the permission.

Fixes:
avc: denied { use } for pid=3298 comm="dumpsys" path="pipe:[33470]" dev="pipefs" ino=33470 scontext=u:r:storaged:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0

Test:
With a device that has storaged, issue the command:
$ adb shell dumpstate

Change-Id: I515e20f0328b6edc01ea2a7c53b1d3c4ca0e72ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Temporary workaround.

Bug: 37755687
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Merged-In: I001a42ea6463a1e137e1f5328755596f986323de
Change-Id: I001a42ea6463a1e137e1f5328755596f986323de

Use the getline API correctly: keep a single buffer as long as
possible, and let the callee handle re-allocation. Move the final
free out of the loop.

Release the head of the linked list.

Bug: 37757586
Test: ASAN_OPTIONS= SANITIZE_HOST=address mmma system/sepolicy
Change-Id: I42424acba7cd68c1b9a7a43e916a421ac3e253f7

Destroy the policy before exiting (for successful = expected runs).

Bug: 37757759
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I67e35fbede696ec020a53b69a6cef9f374fae167

This was accidentally omitted from all_untrusted_app

While I'm here, split across mutiple lines and alphabetize.

Test: policy compiles.
Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51

These were missing when the sepolicy was migrated.

Addresses denials:

E SELinux : avc:  denied  { find } for service=drm.drmManager pid=11769
uid=10018 scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for
path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg"
dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0
tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0

Bug: 37685394
Bug: 37686255
Test: Sync files
Test: Open downloaded file

Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d

Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

iptables recently changed its behavior to strictly require xtables.lock.
dumpstate selinux policy must be updated to allow access.

Bug: 37648320
Test: dumpstate succeeds with no avc: denied ... xtables.lock messages
Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
(cherry picked from commit ca097979)

Bluetooth needs the capability to set audio-related threads to be RT
scheduled.  Grant it sys_nice.

system_server needs to set priority for the Bluetooth HAL.  Allow it.

Bug 37518404
Test:  Play Bluetooth audio, confirm RT scheduling with systrace
Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f

Remove neverallow exemption allowing other processes to run in
the bluetooth app's selinux domain.

The bluetooth domain is intended to host the zygote spawned
bluetooth app. It is not intended to host other bluetooth related
processes. Please define new domains for these processes.

Test: build Marlin
Change-Id: I1fd3dd0fe85f73457d77b63a65b4307821cbd41c

Allow the shell user to run tzdatacheck, which is required
to enable a new host side test.

This change also adds some additional checks to
tzdatacheck.te to ensure that OEMs opening up permissions
further don't accidentally create a security hole.

Bug: 31008728
Test: Ran CTS
Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36

Bug: 37476041
Test: make, pair and connect to HID device
Change-Id: Ic7e81382994769e3f3a91255dcf3624edeaf6bfd

The PackageManager now passes previous code paths to dex2oat as shared
libraries. dex2oat needs extra permissions in order to access and open
the oat files of these libraries (if they were compiled).

Part of a multi-project change.

Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module
CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests

Merged-In: I7b9cfd7f3c3509f3e41f0590ab650bd85faab340
(cherry-picked from commit 1103f963)

Change-Id: I6d69d463af7a0a93391dd4b7edd5b700012ba58c

This could be useful in diffs between policy versions.

Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9

Encountered more denials on sailfish:

avc:  denied  { read } for  pid=439 comm="recovery" name="thermal"
dev="sysfs" ino=28516 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

avc:  denied  { read } for  pid=441 comm="recovery"
name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0

Bug: 36920500
Test: sideload a package in sailfish
Change-Id: Ib4e89ba48cdc383318e5f3b7b15f542434e43564

Remove domain_deprecated from bluetooth. This removes some unnecessarily
permissive rules.

Bug: 25433265
Test: All of the permissions being removed were being audited. Verify
      that no audited (granted) avc messages for bluetooth exist in
      in the logs.

Change-Id: Ifa12a0f1533edcb623bbb9631f88f1ff1d6d7085

These were previously in device specific sepolicies.
They should be in core sepolicy to reflect their
use by a core init file, init.usb.configfs.rc.

Addresses denial:

init    : type=1400 audit(0.0:135): avc: denied { unlink } for name="f1"
dev="configfs" ino=10923 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=0

Test: denial addressed
Change-Id: I869892f9d0c311b727462fb380f4160feb986215

These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()) This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
un-trusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0