- Jun 27, 2017
Tom Cherry authored
This was marked deprecated in 2014 and removed in 2015, let's remove the sepolicy now too.
(Originally submitted in commit: 8c60f74d)
Bug: 38242876
Test: Builds and boots.
Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
-
Stephen Smalley authored
am: 06a22e41 Change-Id: Ib3549463537470e9af49cc4b1e6b2a526c2a9c76
-
Stephen Smalley authored
am: 63ad602c Change-Id: I50e8082649aa2cf166d4c6a79766a8a39b78f722
-
Jeff Vander Stoep authored
am: b9ebea01 Change-Id: I097cae9539f9e1792f946875efad60c36c3371ef
-
Jeff Vander Stoep authored
am: f962aa62 Change-Id: I6a172ae3246e2a5860181a603e6341e0855e4ecf
-
- Jun 26, 2017
Stephen Smalley authored
am: ad01d1f6 Change-Id: Ia8a0f7b4378f6e66a148dcbd4d55fcb8f66f4176
-
Stephen Smalley authored
am: 021b5e93 Change-Id: Ia9a2a2313f34a826a02d1eeff568f3afc565714c
-
Stephen Smalley authored
am: 52909aca Change-Id: I613dc32aac4b3276924717e8066fd2cd229b81ec
-
Stephen Smalley authored
am: a77096b0 Change-Id: I2719cfbcf0e6ce58c4953602e2113bd6fe1ce0cd
-
Jeff Vander Stoep authored
am: e3c7880e Change-Id: I12b1554b203ae27596415b5466d159100c5e5611
-
Jeff Vander Stoep authored
am: a128aca6 Change-Id: I5432110e7e009c29b27dee40c543203c1b17059a
-
Stephen Smalley authored
am: 2be9799b Change-Id: If42bc0d3fc50db8294c8a9fd083d915b8e47a95e
-
Stephen Smalley authored
am: e02e0ad1 Change-Id: I67eea67d667005d5ac357e1131a319ed57b33894
-
Jeff Vander Stoep authored
am: c75aa50d Change-Id: I91bbecf1b60944fb43022dcc5f5ffe452b713193
-
Jeff Vander Stoep authored
am: c75aa50d Change-Id: I39eecd67a97de193d53ab298a1ef3e8443bb9391
-
Stephen Smalley authored
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11.
Define this security class and its access vector, add it to the socket_class_set macro, and exclude it from webview_zygote like other socket classes.
Test: Policy builds
Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Treehugger Robot authored
-
Tomasz Wasilczyk authored
-
TreeHugger Robot authored
-
Jeff Sharkey authored
-
Jeff Vander Stoep authored
Due to the massively increased number of attributes in SELinux policy as part of the treble changes, we have had to remove attributes from policy for performance reasons. Unfortunately, some attributes are required to be in policy to ensure that our neverallow rules are being properly enforced. Usually this is not a problem, since neverallow rules indicate that an attribute should be kept, but this is not currently the case when the attribute is part of a negation in a group. This is particularly problematic with treble since some attributes may exist for HALs that have no implementation, and thus no types. In particular, this has caused an issue with the neverallows added in our macros.
Add an extraneous neverallow rule to each of those auto-generated neverallow rules to make sure that they are not removed from policy, until the policy compiler is fixed to avoid this. Also add corresponding rules for other types which have been removed due to no corresponding rules.
Bug: 62658302
Bug: 62999603
Test: Build Marlin policy.
Test: verify attribute exists in policy using sepolicy-analyze.
    sepolicy-analyze $OUT/vendor/etc/selinux/precompiled_sepolicy \
        attribute hal_tetheroffload_server
Test: CTS neverallow tests pass.
    cts-tradefed run cts -m CtsSecurityHostTestCases -t \
        android.cts.security.SELinuxNeverallowRulesTest
Change-Id: I62596ba8198ffdcbb4315df639a834e4becaf249
-
- Jun 23, 2017
Jeff Sharkey authored
When adopting SD cards, vold partitions and formats those devices; this had been working fine with the older make_ext4fs utility, but newer devices are switching over to mke2fs, which has a different SELinux label.
    avc: denied { execute } for name="mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
    avc: denied { read open } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
    avc: denied { execute_no_trans } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
    avc: denied { getattr } for path="/system/bin/mke2fs" dev="dm-0" ino=456 scontext=u:r:vold:s0 tcontext=u:object_r:e2fs_exec:s0 tclass=file permissive=1
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Bug: 36757864, 37436961
Change-Id: Ifb96dfca076ea58650eb32f89e850f20ae2ac102
-
Jeff Vander Stoep authored
am: 0d8b9830 Change-Id: I55cbe59bf1be98555ea2a13e42c949477761e1da
-
Jeff Vander Stoep authored
am: 25578a30 Change-Id: I1d49bdbd662e4037843a2c6af4954a4a926c8543
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
    avc: denied { find } for interface=android.hardware.configstore::ISurfaceFlingerConfigs scontext=u:r:system_server:s0 tcontext=u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0 tclass=hwservice_manager permissive=0
Bug: 35197529
Test: Device boots without this denial
Change-Id: Ia43bc5879e03a1f2056e373b17cc6533636f98b1
-
Tomasz Wasilczyk authored
Bug: b/36863239
Test: instrumentalization
Change-Id: I782693dcda13bd38b45626a65c8eeae552368030
-
- Jun 22, 2017
Tomasz Wasilczyk authored
-
TreeHugger Robot authored
-
Daniel Rosenberg authored
am: 3f7f66b0 Change-Id: I3fc0cac7fdeab40bfa61f465a6d01d1d8c0c8d01
-
Dan Cashman authored
Bug: 37896931
Test: none, just prebuilt update.
Change-Id: I55b5179f98703026699a59cce4b2e1afb166fd1d
-
Daniel Rosenberg authored
am: 4e65fed1 Change-Id: I9fd1ef32fde011d00e96555501f7665baf99fc26
-
Daniel Rosenberg authored
am: f26d79c5 Change-Id: I0c1a79082955faeebe8cf70bb408928479117aad
-
Daniel Rosenberg authored
am: b9bba83a Change-Id: I2fb029b770d53bacbe8dd11a69cee5e70b6ef2e9
-
Treehugger Robot authored
-
Joel Galenson authored
A previous commit reverted us back to using file_contexts instead of genfs_contexts but did not remove the new genfs_contexts rules, which caused this problem.
Bug: 62901680
Test: Verified that the errors do not appear and that wifi and traceur work.
Change-Id: Ic0078dc3a2a9d3d35a10599239fdf9fa478f1e2b
-
TreeHugger Robot authored
-
Tomonori Nanbu authored
Merge "Add sepolicy for hal_wifi to access /proc/modules"
am: 6acd70b9
am: ded0b58d
am: 9d86e622
am: b9621bba
Change-Id: I001be0f05e59e55dcedb159ec86a5bf386fa89c7
-
Tomonori Nanbu authored
am: 9d86e622 Change-Id: Ib83f52f4dae096d42dedf17898cf20d8c3923f2e
-