More read rights are required now.

Bug: 25612095
Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42

am: bb8a352f

* commit 'bb8a352f':
  Enable profman pretty printing

Change-Id: I4b074239ccd92992330647be359f081570eead1d

Bug: 28748264
Change-Id: I848c448e43d48d245d998ff22547bc67a640ab96

Allow priv_app, uncrypt, update_engine to access the OTA packages at
/data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks
the existence of the folder, and downloads the package there if present.

Bug: 28944800
Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5

am: ed413a82

* commit 'ed413a82':
  sepolicy: broaden system_server access to foreign_dex_data_file.

Change-Id: If6ef21fdca0da453a6bbf2093c2704a3e72c9bcf

am: a34afee0

* commit 'a34afee0':
  Allow shell to set log.tag.* properties

Change-Id: Ic716c9b5b90883c2be5a7ec2a88aa0cfbb31ce5e

Also allow shell to set persist.log.tag.*

Bug: 28942894
Change-Id: Ifdb2c87871f159dd15338db372921297aea3bc6b

The system_server needs to rename these files when an app is upgraded.

bug: 28998083
Change-Id: Idb0c1ae774228faaecc359e4e35603dbb534592a

am: 7005e25e

* commit '7005e25e':
  expose control over unpriv perf access to shell

Change-Id: I2ea512b705a480da5c7818601c584f696c7ba3b7

(Cherry picked from commit 38ac77e4)

This allows the shell user to control whether unprivileged access to
perf events is allowed.

To enable unprivileged access to perf:

    adb shell setprop security.perf_harden 0

To disable it again:

    adb shell setprop security.perf_harden 1

This allows Android to disable this kernel attack surface by default,
while still allowing profiling tools to work automatically. It can also
be manually toggled, but most developers won't ever need to do that if
tools end up incorporating this.

Bug: 29054680

Change-Id: Idcf6a2f6cbb35b405587deced7da1f6749b16a5f

am: a5d07925

* commit 'a5d07925':
  SELinux policy for /data/misc/profman

Change-Id: I323b969ba609518da59880e47d6e13686e1203e8

Bug: 28748264
Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5

am: 0e1153ec

* commit '0e1153ec':
  Remove tee_device access from mediaserver

Change-Id: I23490556a7b0b3d9a5038ff2e1b0a6f384f629ec

am: d875ab61

* commit 'd875ab61':
  Allow mediaserver to read preloads_data_file

Change-Id: Ia974cd2351bbebb354273816bc9693eb97a60f41

SetupWizard initiates video playback using MediaPlayer API. Media server
should be able to handle preloads file descriptors

Bug: 28855287
Change-Id: I529dd39b25b852787b3d1708a853980cf382f045

Bug: 22775369
Change-Id: Iae362fcc371bab1455dda733f408f005c7eec3f8

am: 49ac2a3d

* commit '49ac2a3d':
  SELinux policies for /data/preloads directory

Change-Id: I3ce72279ba0a054527e860b8287c1a39e8d4fcfe

A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.

The new directory is writable/deletable by system server. It can only be
readable (including directory list) by privileged or platform apps

Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037

am: 13bdd39c

* commit '13bdd39c':
  sepolicy: broaden system_server access to foreign_dex_data_file{dir}.

Change-Id: I0dae8380087edcc8b67210160526dcc41a69b9e4

The system_server needs to clear these markers along with other app
data that it's responsible for clearing.

bug: 28510916
Change-Id: If9ba8b5b372cccefffd03ffddc51acac8e0b4649

am: ad7a0ad2

* commit 'ad7a0ad2':
  sepolicy: add support for devices without cache partition

Change-Id: I0900029daad0cd67a7ee38551d5fdf4187c49b8c

Adds the rules for /data/cache used for devices which do
not have a cache partition.

Bug: 28747374
Change-Id: I7c749e7692c9b8eab02029bbae5a3c78585030da

am: 26e675c6

* commit '26e675c6':
  sepolicy: add support for new tracefs

Change-Id: I947918e01e55c1a9850f1ecc8ed0eacd7ccd9883

am: 50c2909f

* commit '50c2909f':
  Sepolicy: Allow debuggerd to dump backtraces of Bluetooth
  Sepolicy: Refactor long lines for debuggerd backtraces

Change-Id: Icea6b1e115f829bd8eac04c9800e8884bc5bb0d4

* changes:
  Sepolicy: Allow debuggerd to dump backtraces of Bluetooth
  Sepolicy: Refactor long lines for debuggerd backtraces

Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799



Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>

(cherry picked from commit 4dafa72a)

Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a

am: 1a5fcecc

* commit '1a5fcecc':
  DO NOT MERGE. Remove isolated_app's ability to read sysfs.

Change-Id: I5cc2439fc0366c56276a0ae8202e288de7f9a502

Allow to dump traces of the Bluetooth process during ANR
and system-server watchdog dumps.

Bug: 28658141
Change-Id: Ie78bcb25e94e1ed96ccd75f7a35ecb04e7cb2b82

Split single lines in preparation for new additions.

Bug: 28658141
Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf

untrusted_app lost the ability to read files labeled as sysfs to prevent
information leakage, but this is trivially bypassable by spawning an
isolated app, since this was not taken away from isolated app.
Privileges should not be gained by launching an isolated app, and this
one directly defeats that hardeneing. Remove this access.

Bug: 28722489
Change-Id: I61d3678eca515351c9dbe4444ee39d0c89db7a3e

am: 95fd3816

* commit '95fd3816':
  Add CAP_IPC_LOCK and pinner to system_server

Change-Id: I3e87c17a0b1fc084499f94e1f8fff4bfdb098238

am: 8d19cabf

* commit '8d19cabf':
  dontaudit user_profile_foreign_dex_data_file open, read.

Change-Id: I1768b7916e244219338cb9dbc8e2cd43beed8751