- May 22, 2017
-
-
Jason Monk authored
am: de5db3ab Change-Id: If61aa850ab0f6060ec7a863cc0107f68f1db9400
-
Jason Monk authored
Test: manual Bug: 37014702 Change-Id: Id43dc7a8506fe60015c2f82242ba45cf85d3e74b
-
- May 18, 2017
-
-
Howard Chen authored
am: e3be5d6b Change-Id: I6f3544a3803217bd6380ebb9d7d0b84c403e60c2
-
Treehugger Robot authored
-
- May 15, 2017
-
-
Alex Vakulenko authored
am: c4055f0d Change-Id: I4f307d49476c1e84d8dd17d02f383d7c10a959fc
-
Alex Vakulenko authored
Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
-
- May 12, 2017
-
-
Tom Cherry authored
am: fcfda81b Change-Id: Iefe805a99749c29865b7f871cd4fc3fe11e1e536
-
Treehugger Robot authored
-
- May 11, 2017
-
-
Tom Cherry authored
This reverts commit 8c60f74d. Bug: 38242876 Change-Id: Iba5a94d16901dc0c52f1941972c26877baa4805c
-
Siarhei Vishniakou authored
am: 216b377d Change-Id: I2ff6397f145424266cd1091e338323cff283397c
-
Siarhei Vishniakou authored
-
Siarhei Vishniakou authored
Node for /dev/uhid driver needs to be accessible by shell for the 'hid' command in frameworks/base/cmds. This CL is in support of another CL c/2048848, topic 'Refactor hid command in /frameworks/base/cmds' in internal master. Bug: 34052337 Test: CTS test for GamepadTestCase#testButtonA; Checked that cat /dev/uhid does not raise permission error. Change-Id: I861c1226b4a67272af7c2a93d7811bf87a083478
-
- May 10, 2017
-
-
Tao Bao authored
This is needed for devices using configfs, where init listens for sys.usb.ffs.ready=1 to config usb_gadget. When recovery starts sideloading, minadbd (forked from recovery) sets the property to trigger that action. avc: denied { set } for property=sys.usb.ffs.ready pid=541 uid=0 gid=0 scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0 tclass=property_service Bug: 35803743 Test: Device shows up in sideload mode. Change-Id: Ie7f1224d3a8650160ac29811f73b8286fbced4f4
-
Jaesoo Lee authored
am: c895f278 Change-Id: I49f55fba41b5242c7c4f36652afe9fee4808a349
-
Jaesoo Lee authored
Added rule: /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]-service u:object_r:hal_configstore_default_exec:s0 Bug: 37727469 Test: Built and tested on Sailfish Change-Id: Icf167fad1c7e601c3662f527d1e3e844ff517b58
-
- May 09, 2017
-
-
William Roberts authored
am: 611202ef Change-Id: If107d1d43e9247be68065d711f471e538830ee18
-
Treehugger Robot authored
-
- May 08, 2017
-
-
Mark Salyzyn authored
am: ca0a352a Change-Id: If463e73dce4db829206a4907a5fa12bfbe347fb9
-
Mark Salyzyn authored
-
Nick Kralevich authored
am: 07667733 Change-Id: I0263926bbc950f0186bdd9a7fa3eb8b8f9072ee0
-
Treehugger Robot authored
-
Mikhail Naganov authored
am: 9686cbcd Change-Id: Id0bacbd2022c24615b9e99108af1a8510be248fb
-
Nick Kralevich authored
Remove SELinux access from domain_deprecated. Access to SELinux APIs can be granted on a per-domain basis. Remove appdomain access to SELinux APIs. SELinux APIs are not public and are not intended for application use. In particular, some exploits poll on /sys/fs/selinux/enforce to determine if the attack was successful, and we want to ensure that the behavior isn't allowed. This access was only granted in the past for CTS purposes, but all the relevant CTS tests have been moved to the shell domain. Bug: 27756382 Bug: 28760354 Test: Device boots and no obvious problems. No collected denials. Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
-
Mark Salyzyn authored
In the init scripts for socket, the type can have a suffix of "+cred" to request that the socket be bound to report SO_PASSCRED credentials on socket transactions. Here we add socket setopt to selinux rules. Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot (fails without logd.rc change) Bug: 37985222 Change-Id: I37cdf7eea93c3e8fa52964e765eaf3007e431b1f
-
- May 04, 2017
-
-
Mikhail Naganov authored
The following HAL methods use file descriptors to write dump info comprising audioflinger debug dump: IDevice.debugDump IEffectsFactory.debugDump IStream.debugDump Bug: 37993476 Test: check contents of media.audio_flinger section in a bugreport captured on Pixel device Change-Id: I77d347c019ac93c3ba0d54ce50f0fdc243b04685
-
Dimitry Ivanov authored
am: bf030965 Change-Id: I3a10c619ce6e65ce531276ef4f97489605897062
-
Dimitry Ivanov authored
This is needed by linker to be able to load libraries from memfd, which currently generates the following denial: avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0 Bug: http://b/37245203 Bug: http://b/37916741 Test: builds Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376 (cherry picked from commit a0d3ff8e)
-
- May 03, 2017
-
-
William Roberts authored
The service "storaged" implements a dump() interface for dumpsys, and thus it needs to write its state to the fd provided by dumpstate. To correct this, and fix dumpstate, allow the permission. Fixes: avc: denied { use } for pid=3298 comm="dumpsys" path="pipe:[33470]" dev="pipefs" ino=33470 scontext=u:r:storaged:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=0 Test: With a device that has storaged, issue the command: $ adb shell dumpstate Change-Id: I515e20f0328b6edc01ea2a7c53b1d3c4ca0e72ac Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
- May 01, 2017
-
-
Andreas Gampe authored
am: 7f4b2ad5 Change-Id: I3c10871ddc11f43f685ef4a7064d416a1ca450f1
-
Treehugger Robot authored
-
Andreas Gampe authored
am: 9e0d6aeb Change-Id: I6e08846e7f580851f9cd0d7050097dcba0f5dbb8
-
Treehugger Robot authored
-
Andreas Gampe authored
Temporary workaround. Bug: 37755687 Test: ASAN_OPTIONS= SANITIZE_HOST=address m Merged-In: I001a42ea6463a1e137e1f5328755596f986323de Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
-
Joel Scherpelz authored
am: edd41261 Change-Id: I86efaccb28dc12db792370a4499540676c71a71c
-
Joel Scherpelz authored
-
- Apr 28, 2017
-
-
Andreas Gampe authored
am: ee8b67df Change-Id: Ic2fe390f95f0be43ad39a50366e0300a398aa0ad
-
Andreas Gampe authored
Use the getline API correctly: keep a single buffer as long as possible, and let the callee handle re-allocation. Move the final free out of the loop. Release the head of the linked list. Bug: 37757586 Test: ASAN_OPTIONS= SANITIZE_HOST=address mmma system/sepolicy Change-Id: I42424acba7cd68c1b9a7a43e916a421ac3e253f7
-
Andreas Gampe authored
Destroy the policy before exiting (for successful = expected runs). Bug: 37757759 Test: ASAN_OPTIONS= SANITIZE_HOST=address m Change-Id: I67e35fbede696ec020a53b69a6cef9f374fae167
-
- Apr 27, 2017
-
-
Ruchi Kandoi authored
am: 608969b3 Change-Id: I99225c48524600248d3d76a56368dc96da67caa0
-