* commit '7cd346a7':
  Allow recovery to create device nodes and modify rootfs

* commit '0055ea90':
  Allow recovery to create device nodes and modify rootfs

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery the the various neverallow rules
blocking this behavior.

Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e

* commit '7adc8cfe':
  Allow adbd to write to /data/adb

adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895

(cherry picked from commit 973877db)

Change-Id: Ida2e0257c97941ab33ccdab59eb2cde95dca344f

They need to see when it changes so they know when netd bounces.

bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a

Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba

* zygote needs to be able to symlink from dalvik cache to system
  to avoid having to copy boot.oat
  (when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
  (the one that zygote creates)

(cherry-picked from AOSP master
83c5612e)

Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62

* commit '2d1650f4':
  allow system_server to set kernel scheduling priority

Addresses the following denial:

  avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

It's not clear why system_server is adjusting the scheduling priority
of kernel processes (ps -Z | grep kernel). For now, allow the operation,
although this is likely a kernel bug.

Maybe fix bug 18085992.

Bug: 18085992
Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855

* commit '683ac49d':
  recovery: allow changing unlabeled symbolic links

Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c

* commit '2c38b3b8':
  DO NOT MERGE: allow access to labeled executables in /system

Most files on /system are labeled with the "system_file" label, and
are readable by default by all SELinux domains. However, select
executables are labeled with their own label, so that SELinux knows
what domains to enter upon running the executable.

Allow adbd read access to labeled executables in /system. We do
this by granting adbd read access to exec_type, the attribute
assigned to all executables on /system.

This allows "adb pull /system" to work without generating
SELinux denials.

Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604

Classes which statically read these files are no longer preloaded.

Bug: 18013422
Change-Id: Iafd127eff2ba95266f49f8d7c70bc9dd11624df4

* commit '480374e4':
  Fix compile time / CTS gps_data_files neverallow assertion

Currently, zygote spawned apps are prohibited from modifying GPS
data files. If someone tries to allow GPS access to any app domain,
it generates a compile time / CTS exception.

Relax the rules slightly for system_app. These apps run with UID=system,
and shouldn't be banned from handling gps data files.

This change doesn't add or remove any SELinux rules. Rather, it just
relaxes a compile time assertion, allow partners to create SELinux
rules allowing the access if they desire.

Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93

* commit '51bfecf4':
  Pull keychain-data policy out of system-data

Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547

* commit 'ebfd9f87':
  allow oemfs:dir search

* commit '2380d05f':
  allow system_server oemfs read access

mediaserver and drmserver both have permission to read oemfs
related files. However, there are no search permissions on the
directory, so the files would be unreachable.

Grant search permissions on the oemfs directory, so that the files
within that directory can be read.

Bug: 17954291
Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db

Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d

* commit '0a52df50':
  Give bootanimation access to /dev/snd files so it can use tinyalsa

Bug: 17674304

Change-Id: Ide32833809bca8d3ed8ddc898748e25d7a692319

* commit 'f2c01189':
  zygote: allow replacing /proc/cpuinfo

* commit '49fd9567':
  Allow NFC to read/write nfc. system properties.

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501

(cherry picked from commit 2de02877)

Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb

Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97

* commit '62083414':
  allow apps to read the contents of mounted OBBs

Apps should be able to read the contents of mounted OBBs.

Steps to reproduce:

  1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
  2) Attempt to run the app.

Expected:
  App runs successfully.

Actual:
  App crashes. See denials below.

This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3

Addresses the following denials:

  avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0

Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa

Bug: 17471434

(cherry picked from commit 7f4a8a72)

Change-Id: I7d70fd4d8b8ecdd42024345d74fa36233fb76fb5

During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:

  adb shell cat /factory/ssn
  adb shell cat /factory/bt/bd_addr.conf
  adb shell cat /factory/wifi/mac.txt
  adb shell cat /factory/60isn

read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.

No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.

Bug: 17600278

(cherry picked from commit 200a9f0e)

Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7

Added read permissions for bootanimation

Bug: 16635599
Change-Id: Ib5d0ba5a6d1144ff831f4f0eda092879f853c376

Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.

Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.

Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.

No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.

Bug: 17525863

(cherry picked from commit 642b8042)

Change-Id: I35f3dc8b1ead9f427645a13fb202e760d1e68e64

Bug: 16563899
Bug: 14251916

(cherry picked from commit 704741a5)

Change-Id: I4ba64e2d28f789498852ecfd34aa767d5861d86e

Bug: 16635599

Change-Id: I69f9089dde1fe68762a38f4d97ddee2c20aaaa9d