  1. Nov 20, 2017
    • Move platform/vendor data violations to device policy · d4785c37
      Jeff Vander Stoep authored
      Sharing data folders by path will be disallowed because it violates
      the approved API between platform and vendor components tested by
      VTS. Move all violating permissions from core selinux policy to
      device specific policy so that we can exempt existing devices from
      the ban and enforce it on new devices.
      
      Bug: 34980020
      Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint
          and Play movies on Marlin and Taimen.
      Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye
      
      Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e
  2. Nov 17, 2017
    • Allow AOSP processes to read pm_prop · 0f5ad4e5
      Jeff Vander Stoep authored
      Exclude vendor processes.
      
      Bug: 69309298
      Test: cts-tradefed run cts -m CtsCompilationTestCases
          completed in 33s. 5 passed, 0 failed
      Test: runtest frameworks-services -c \
          com.android.server.pm.dex.DexoptOptionsTests \
          --install=".*FrameworksServicesTests.apk"
          OK (5 tests)
      
      Change-Id: Ic02caf373e2214b4b931a724ca8d4f4effbc0741
    • shell: neverallow access to 'proc' label. · c4ef3630
      Tri Vo authored
      Added access to proc_uptime and proc_asound to address these denials:
      
      avc: denied { read } for name="uptime" dev="proc" ino=4026532080
      scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file
      permissive=1
      
      avc: denied { getattr } for path="/proc/asound/version" dev="proc"
      ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0
      tclass=file permissive=1
      
      Bug: 65643247
      Test: device boots with no denial from 'shell' domain.
      Test: lsmod, ps, top, netstat
      Test: No denials triggered from CtsSecurityHostTestCases
      Test: external/toybox/run-tests-on-android.sh does not pass, but triggers
      no denials from 'shell' domain to 'proc' type.
      
      Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
    • mediaserver: remove access to 'sysfs' type. · 2ea12cd3
      Tri Vo authored
      Bug: 65643247
      Test: cts-tradefed run cts-dev -m \
      CtsMediaTestCases --compatibility:module-arg \
      CtsMediaTestCases:include-annotation:\
      android.platform.test.annotations.RequiresDevice
      No denials from mediaserver domain to sysfs type are observed.
      Change-Id: Icb5c12f04af213452d82e226993fe13085c5c33f
  3. Nov 16, 2017
    • system_server: access to /proc/sys/fs/pipe-max-size · e7f4934d
      Tri Vo authored
      Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
      system_server access to it.
      
      Addresses this denial:
      avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
      scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
      permissive=0
      
      Bug: 69175449
      Bug: 69324398
      Test: sailfish boots
      Test: adb bugreport
      Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
      into /data/anr
      Above denial from system_server not observed, no denials to proc_pipe_conf
      observed.
      Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59
    • Revert "Revert "Put pm.* property in new pm_prop context"" · 5316548f
      Calin Juravle authored
      This reverts commit 248b6dc6.
      
      Reason for revert: The dashboard complains that devices don't boot after this revert.
      
      Change-Id: I6a4648b64b096cbaa97c67aae6bc38b76d54cb48
  4. Nov 15, 2017
    • Revert "Put pm.* property in new pm_prop context" · 248b6dc6
      Calin Juravle authored
      This reverts commit d1cf3a40.
      
      Reason for revert: It breaks CTS b/69309298 and other platform tests which read pm.dexopt properties.
      
      Change-Id: I5c7cde041113e9c19bb23218edd99f699fcf4a06
    • Allow netd to read the /dev/xt_qtaguid · cc781f76
      Chenbo Feng authored
      After moving the qtaguid control interface into netd, netd needs to open the
      xt_qtaguid resource-tracking misc device to make sure the xt_qtaguid module
      is successfully initialized before taking action. This selinux rule change
      allows netd to do so, and it is the same privilege normal apps currently
      have.
      
      Test: No more selinux denials when netd accesses qtaguid_device
      Bug: 30950746
      Change-Id: I79a98bbda3f3fdb85140a06a7532cdcc4354c518
    • charger: read permissions to /sys/power/state · cb043a58
      Tri Vo authored
      Fixes these denials:
      avc:  denied  { read } for  pid=585 comm="charger" name="state"
      dev="sysfs" ino=18844 scontext=u:r:charger:s0
      tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1
      
      avc:  denied  { open } for  pid=585 comm="charger"
      path="/sys/power/state" dev="sysfs" ino=18844 scontext=u:r:charger:s0
      tcontext=u:object_r:sysfs_power:s0 tclass=file permissive=1
      
      Test: above denials not observed in charger mode.
      Change-Id: I5660e63315fada7f24d6cfe2e0bd2b383b556670
  5. Nov 14, 2017
    • Do not audit the fsetid capability for update engine · 29fc85ee
      Tianjie Xu authored
      There's a selinux denial for update_engine after go/aog/530462; the
      denial is likely due to the setgid bit of the
      update_engine_log_data_file.
      Message:
      11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
      denied { fsetid } for comm="update_engine" capability=4
      scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
      tclass=capability permissive=0
      11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
      denied { fsetid } for comm="update_engine" capability=4
      scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
      tclass=capability permissive=0
      11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:4): avc:
      denied { fsetid } for comm="update_engine" capability=4
      scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
      tclass=capability permissive=0
      11-11 02:07:54.843   870   870 I auditd  : type=1400 audit(0.0:5): avc:
      denied { fsetid } for comm="update_engine" capability=4
      scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
      tclass=capability permissive=0
      
      Bug: 69197466
      Test: denial message gone on sailfish.
      Change-Id: I0fdc285e4a4faa8dc37b4907484b3c79d4cc49cf
  6. Nov 10, 2017
  7. Nov 09, 2017
    • sepolicy: allow netd to write to qtaguid file · 185941aa
      Chenbo Feng authored
      Since all qtaguid-related userspace implementation has been moved into netd
      and will use netd to choose which module to run at run time, the netd module
      should be the only process that can directly read/write the ctrl file of
      qtaguid located at /proc/net/xt_qtaguid/ctrl. This sepolicy change grants
      netd the privilege to access qtaguid proc files. It also grants netd the
      permission to control the trigger that turns the qtaguid module on and off
      by writing parameters to files under sys_fs. The related files and
      directories are properly labeled.
      
      Bug: 68774956
      Bug: 30950746
      Test: qtaguid function still working after the native function is
      redirected.
      
      Change-Id: Ia6db6f16ecbf8c58f631c79c9b4893ecf2cc607b
    • Allow update_engine to access /data/misc/update_engine_log · 6fe014f8
      Hakan Kvist authored
      Add label update_engine_log_data_file for log files created by
      update engine in directory /data/misc/update_engine_log.
      
      Bug: 65568605
      Test: manual
      Change-Id: I379db82a0ea540e41cb3b8e03f93d9ce64fac7c9
    • Allow vendor apps to use surfaceflinger_service · 63f46773
      Jeff Vander Stoep authored
      Vendor apps may only use servicemanager provided services
      marked as app_api_service. surfaceflinger_service should be
      available to vendor apps, so add this attribute and clean up
      duplicate grants.
      
      Addresses:
      avc:  denied  { find } scontext=u:r:qtelephony:s0
      tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
      avc:  denied  { find } scontext=u:r:ssr_detector:s0
      tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
      avc:  denied  { find } scontext=u:r:qcneservice:s0
      tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
      
      Bug: 69064190
      Test: build
      Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
  8. Nov 08, 2017
    • init: label /proc dependencies and remove access to proc · 84e181bc
      Tri Vo authored
      New types and files labeled with them:
      1. proc_abi:
        /proc/sys/abi/swp
      
      2. proc_dirty:
        /proc/sys/vm/dirty_background_ratio
        /proc/sys/vm/dirty_expire_centisecs
      
      3. proc_diskstats:
        /proc/diskstats
      
      4. proc_extra_free_kbytes:
        /proc/sys/vm/extra_free_kbytes
      
      5. proc_hostname:
        /proc/sys/kernel/domainname
        /proc/sys/kernel/hostname
      
      6. proc_hung_task:
        /proc/sys/kernel/hung_task_timeout_secs
      
      7. proc_max_map_count:
        /proc/sys/vm/max_map_count
      
      8. proc_panic:
        /proc/sys/kernel/panic_on_oops
      
      9. proc_sched:
        /proc/sys/kernel/sched_child_runs_first
        /proc/sys/kernel/sched_latency_ns
        /proc/sys/kernel/sched_rt_period_us
        /proc/sys/kernel/sched_rt_runtime_us
        /proc/sys/kernel/sched_tunable_scaling
        /proc/sys/kernel/sched_wakeup_granularity_ns
      
      10. proc_uptime:
        /proc/uptime
      
      Files labeled with already existing types:
      1. proc_perf:
        /proc/sys/kernel/perf_event_paranoid
      
      2. proc_sysrq:
        /proc/sys/kernel/sysrq
      
      3. usermodehelper:
        /proc/sys/kernel/core_pipe_limit
      
      Changes to init domain:
      1. Removed access to files with 'proc' label.
      2. Added access to newly introduced types + proc_kmsg.
      
      Bug: 68949041
      Test: walleye boots without denials from u:r:init:s0.
      Test: system/core/init/grab-bootchart.sh does not trigger denials from
      u:r:init:s0
      Change-Id: If1715c3821e277679c320956df33dd273e750ea2
    • init: refactor access to proc_* labels. · fa8f67b2
      Tri Vo authored
      Bug: 68949041
      Test: device builds, boots, no denials from init.
      
      Change-Id: Iedefac8d70512fd614ca06117f42a7887f6ab649
    • wifi_supplicant: refactor permissions · f6375971
      Jeff Vander Stoep authored
      1. remove some duplicate permissions.
      2. Grant permissions to su for dgram sockets in a way that is
         consistent with how we grant permissions to stream_sockets.
      
      Bug: 34980020
      Test: build
      Change-Id: I50e01d51444a70ead3ef40b52eda8eb29732b46c
    • charger: reads /sys/power/state · 869386d7
      Yifan Hong authored
      /sys/power/state is labeled as sysfs_power now. Allow charger to
      write to it instead of writing to sysfs.
      
      Test: no denials for charger on this file
      Change-Id: Idf8c2656fa1094a69a627c1a705a83893bf3afb3
    • Put pm.* property in new pm_prop context · d1cf3a40
      Victor Hsieh authored
      Test: system server does not crash with this change
      Bug: 67415855
      Bug: 63920015
      Change-Id: I3d0982220743137098dbc683d5c4aded105648c2
    • Allow callers of uevent_kernel_*() access to /proc/sys/kernel/overflowuid · 640e595a
      Luis Hector Chavez authored
      Bug: 62378620
      Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
            with EIO.
      Test: bullhead networking still works
      
      Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
  9. Nov 06, 2017
  10. Oct 31, 2017
    • hal_health_default: permissions for default impl · 87ef6049
      Yifan Hong authored
      Default health service needs the following permissions to work:
      - read /sys/class/power_supply
      - uevent
      - wakelock
      
      Bug: 63702641
      Test: no denials for health service
      
      Change-Id: I2f3aed3ef3b5ac024da17d9d5400d9834038df9f
  11. Oct 30, 2017
    • Allow dumpstate to access netlink_generic_socket · 98e99fb4
      Jin Qian authored
      avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0
      avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0
      
      Bug: 68040531
      Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c
  12. Oct 27, 2017
    • Allow installd to read system_data_file:lnk_file · 97b08903
      Calin Juravle authored
      The permission was removed in
      https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/433615/
      but is still needed in order to optimize application code.
      
      Denial example:
      
      10-26 16:29:51.234   894  1469 D PackageManager.DexOptimizer: Running
      dexopt on: /data/user/0/com.google.android.gms/snet/installed/snet.jar
      pkg=com.google.android.gms isa=[arm64]
      dexoptFlags=boot_complete,public,secondary,force,storage_ce
      target-filter=quicken
      
      10-26 16:29:51.253  2148  2148 W Binder:695_5: type=1400 audit(0.0:39):
      avc: denied { read } for name="0" dev="sda35" ino=917506
      scontext=u:r:installd:s0 tcontext=u:object_r:system_data_file:s0
      tclass=lnk_file permissive=0
      
      Test: adb shell cmd package reconcile-secondary-dex-files
      com.google.android.googlequicksearchbox
      adb shell cmd package compile -m speed --secondary-dex
      com.google.android.gms
      
      Change-Id: I694d1a780e58fa953d9ebda807f5f5293dbb0d56
  13. Oct 26, 2017
    • Recovery: remove sysfs access · c1329604
      Tri Vo authored
      Bug: 65643247
      Test: adb sideload an ota package
      Test: mount /system
      Test: view recovery logs
      Test: run graphics test
      Test: run locale test
      Test: wipe data/factory reset
      Test: factory reset from Settings app
      Tested on sailfish; no selinux denials to sysfs type are observed.
      
      Change-Id: Ic8487d53d90b7d1d050574e0b084627d1b6abdba
    • recovery: fix denials during factory reset · 7e5c2883
      Tri Vo authored
      Addresses these denials when wiping data on sailfish:
      
      avc:  denied  { open } for  pid=488 comm="mke2fs_static"
      path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0
      tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1
      
      avc:  denied  { search } for  pid=488 comm="mke2fs_static"
      name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0
      tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1
      
      avc:  denied  { read } for  pid=488 comm="mke2fs_static"
      name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0
      tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1
      
      Test: Wipe data/factory reset -> no selinux denials
      Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc
  14. Oct 25, 2017
    • Move most of public/vold_prepare_subdirs.te to private · 5850a2ae
      Paul Crowley authored
      AIUI permissions should be in private unless they need to be public.
      
      Bug: 25861755
      Test: Boot device, create and remove a user, observe logs
      Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da
    • add vendor_init.te · 621c24cb
      Tom Cherry authored
      First pass at adding vendor_init.te
      
      Bug: 62875318
      Test: boot sailfish with vendor_init
      Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
  15. Oct 24, 2017
    • Add label for /proc/sys/vm/page-cluster · 8bdb1dab
      Tom Cherry authored
      Test: boot sailfish with no audit when writing to page-cluster
      Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8
    • C++ version of vold_create_subdirs needs extra permission · f0c7b46d
      Paul Crowley authored
      10-23 16:40:43.763  7991  7991 I auditd  : type=1400 audit(0.0:79): avc: denied { open } for comm="vold_prepare_su" path="/dev/pts/1" dev="devpts" ino=4 scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
      
      Bug: 67901036
      Test: Boot device, create user, create files, remove user, observe logs
      
      Change-Id: I8d33dfd2a0b24611773001f20101db40aeb13632
    • /proc, /sys access from uncrypt, update_engine, postinstall_dexopt · 04fb82f2
      Tri Vo authored
      New types:
      1. proc_random
      2. sysfs_dt_firmware_android
      
      Labeled:
      1. /proc/sys/kernel/random as proc_random.
      2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
      vbmeta} as sysfs_dt_firmware_android.
      
      Changed access:
      1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
      and sysfs labels removed.
      2. appropriate permissions were added to uncrypt, update_engine,
      update_engine_common, postinstall_dexopt.
      
      Bug: 67416435
      Bug: 67416336
      Test: fake ota go/manual-ab-ota runs without denials
      Test: adb sideload runs without denials to new types
      Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
  16. Oct 23, 2017
    • Adding statscompanion_service and a dontaudit for find/add · 0187b231
      Max Bires authored
      Instead of removing the denial generating code, a dontaudit and a
      service label will be provided so that the team working on this new
      feature doesn't have to get slowed up with local revision patches.
      
      The dontaudit should be removed upon resolution of the linked bug.
      
      Bug: 67468181
      Test: statscompanion denials aren't audited
      Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7
    • shell: grant access to /proc/version · 4b829da5
      Tri Vo authored
      Addresses this denial during CtsBionicTestCases:
      avc: denied { getattr } for path="/proc/version" dev="proc"
      ino=4026532359 scontext=u:r:shell:s0 tcontext=u:object_r:proc_version:s0
      tclass=file permissive=0
      
      Bug: 68067856
      Test: cts-tradefed run commandAndExit cts -m CtsBionicTestCases
      --skip-all-system-status-check --primary-abi-only --skip-preconditions
      No more denials to /proc/version
      Change-Id: I7e927fbaf1a8ce3637e09452cbd50f475176838e
  17. Oct 21, 2017
    • hal_audio: remove access to audiohal_data_file · b1a921e2
      Jeff Vander Stoep authored
      This is no longer used and violates Treble data separation.
      
      Bug: 68057930
      Test: verify on Sailfish that /data/misc/audiohal doesn't exist
          This dir appears to be Qualcomm specific and should not have
          been defined in core policy.
      
      Change-Id: I55fba7564203a7f8a1d8612abd36ec1f89dc869d
  18. Oct 20, 2017
    • vold_prepare_subdirs needs to recursively delete · 2f4a4b78
      Paul Crowley authored
      Bug: 25861755
      Test: Boot device, create user, create files, remove user, observe logs
      Change-Id: I195514eb45a99c1093998786ab385338463269c0
      Merged-In: I195514eb45a99c1093998786ab385338463269c0
      (cherry picked from commit eb7340d9)
    • Restrict netd fwk policy. · 8dabc2ce
      Tri Vo authored
      Remove netd access to sysfs_type attribute.
      
      These were moved from vendor to fwk policy:
      1. sysfs_net type declaration
      2. labeling of /sys/devices/virtual/net with sysfs_net
      3. netd access to sysfs_net
      
      Bug: 65643247
      Test: can browse internet without netd denials
      Test: netd_unit_test, netd_integration_test without netd denials
      Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
      Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
      (cherry picked from commit e62a56b7)
    • Shell: grant permission to run lsmod · f5ea6145
      Jeff Vander Stoep authored
      lsmod needs access to /proc/modules
      
      Test: build, run lsmod
      Change-Id: Icb6ea6ce791cc6a22c89aa8e90c44749497c8468
    • Dumpstate: cleanup denial logspam · d5678c11
      Jeff Vander Stoep authored
      Dumpstate lists all services and then enumerates over them. Suppress
      "find" denials for services which dumpstate is neverallowed access
      to.
      
      Dumpstate includes the kernel command line in bug reports. Grant access
      to /proc/cmdline.
      
      Test: build. Run adb bugreport.
      Change-Id: I89b546c728a034638f9257c6cf93366d99a10762
    • disallow SIOCATMARK · 93615b14
      Nick Kralevich authored
      The use of SIOCATMARK is not recommended per rfc6093.
      
      This ioctl is not currently allowed on Android. Add a neverallowxperm
      statement (compile time assertion + CTS test) to ensure this never
      regresses.
      
      Bug: 68014825
      Test: policy compiles.
      Change-Id: I41272a0cb157ac9aa38c8e67aabb8385403815f9