- Apr 25, 2017
-
Joel Scherpelz authored
am: 7a1074d2 Change-Id: I2dc21f2e4cb0fee5f072779728bb0a9394915d08
-
Joel Scherpelz authored
-
nharold authored
-
Joel Scherpelz authored
iptables recently changed its behavior to strictly require xtables.lock. dumpstate selinux policy must be updated to allow access. Bug: 37648320 Test: dumpstate succeeds with no avc: denied ... xtables.lock messages Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
-
Alex Klyubin authored
am: 3f6b7ff0 Change-Id: I0639248d7f1e2ed1012a563c9b0b4db1fb651bb4
-
TreeHugger Robot authored
-
Alex Klyubin authored
am: f84989e5 Change-Id: I4391c7b44d495efadf39b8f14cfccfe2d966b419
-
TreeHugger Robot authored
-
- Apr 24, 2017
-
Jeffrey Vander Stoep authored
am: e5f4d874 Change-Id: Ibd9708b1db37e54946c856b7c52c1e1a7eb7c58d
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Bug: 37646565 Test: build marlin-userdebug Change-Id: I3325d027fa7bdafb48f1f53ac052f2a68352c1dc
-
Jeff Vander Stoep authored
am: 4d71b96e Change-Id: I363c0ce1fc27d560da94b857d54a5149467d56ba
-
TreeHugger Robot authored
-
Alex Klyubin authored
This adds a neverallow rule which checks that SELinux app domains which host arbitrary code are not allowed to access hwservicemanager operations other than "find" operation for which there already are strict neverallow rules in the policy. Test: mmm system/sepolicy -- neverallow-only change Bug: 34454312 Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7
-
Alex Klyubin authored
Test: mmm system/sepolicy -- this is just a comment change Bug: 37640900 Change-Id: I7c96dde15f74822a19ecc1b28665913b54b3973b
-
Alex Klyubin authored
am: 2a7f4fb0 Change-Id: Ia77557e2ef5aa124cb0d4a9e5f05300005a97bfd
-
Jeff Vander Stoep authored
Fixes issue where attributes used exclusively in neverallow rules were removed from policy. For on-device compile use the -N flag to skip neverallow tests.

Policy size increases:
vendor/etc/selinux/nonplat_sepolicy.cil 547849 -> 635637
vendor/etc/selinux/precompiled_sepolicy 440248 -> 441076
system/etc/selinux/plat_sepolicy.cil 567664 -> 745230
For a total increase in system/vendor: 266182.

Boot time changes: Pixel uses precompiled policy so boot time is not impacted. When forcing on-device compile on Marlin selinux policy compile time increases 510-520 ms -> 550-560 ms.

Bug: 37357742
Test: Build and boot Marlin.
Test: Verify both precompiled and on-device compile work.
Change-Id: Ib3cb53d376a96e34f55ac27d651a6ce2fabf6ba7
-
Alex Klyubin authored
App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold:

1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layers of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model.

HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already has, because these services run in the process of the client.

This commit thus introduces these two categories of HwBinder services in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
-
- Apr 22, 2017
-
TreeHugger Robot authored
- Apr 21, 2017
-
Alex Klyubin authored
am: 586598b6 Change-Id: I7c65133028d233914b852cdd4e3c4f6f2fc99718
-
Alex Klyubin authored
-
Sandeep Patil authored
am: 177cb0be Change-Id: I456f31f2c674608a1e7188ec19f711512a761436
-
Alex Klyubin authored
On fugu, surfaceflinger is Graphics Allocator HAL. surfaceflinger needs access to video_device. This commit thus relaxes the neverallow rule which says that out of all HALs, only Camera HAL can access video_device. The rule is relaxed to exclude HALs offered by framework/system image. Test: fugu boots Bug: 37575062 Change-Id: I9b9be55fe0bf3928f1a6342113a7d6f9a2eb0260
-
TreeHugger Robot authored
-
Sandeep Patil authored
am: 393c8e94 Change-Id: I82e1a41e1bd5c9195b5c4c21e7aa0848bc270ee5
-
TreeHugger Robot authored
-
Sandeep Patil authored
The types need to be exported so userdebug system.img can still build the policy with a user vendor.img at boot time. All permissions and attributes for these types are still kept under conditional userdebug_or_eng macro. Bug: 37433251 Test: Boot sailfish-user build with generic_arm64_ab system.img on sailfish and make sure sepolicy compilation succeeds Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1 Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Chia-I Wu authored
Bug: 37152880 Bug: 37554633 Test: adb shell am hang --allow-restart Test: adb shell dumpstate Change-Id: Ie68607f3e3245a40056bdde7dd810ddf212b4295
-
Alex Klyubin authored
am: 8d567da2 Change-Id: I365cd6682093f1ef1148b1ac3b911ae5c2c46871
-
Alex Klyubin authored
am: 7dace9ae Change-Id: I1cee56f20312833ba50a00a1a75331ce53aa2978
-
Alex Klyubin authored
-
Alex Klyubin authored
-
Jeff Vander Stoep authored
am: 5b8e9f55 Change-Id: If677c4091bf45a09cdecf6c990099590e10a51a5
-
TreeHugger Robot authored
-
Sandeep Patil authored
Bug: 37541374 Test: Build and boot sailfish Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc Signed-off-by: Sandeep Patil <sspatil@google.com>
-
Pavel Grafov authored
am: 97903c05 Change-Id: Ida88d74292875a7f218e84d623d17b6e1286278d
-