This allows init to write to it, which it does for atrace.

Bug: 72643420
Test: Boot two devices, observe no denials, test atrace.
Change-Id: I6810e5dcdfaff176bd944317e66d4fe612ccebed

Allows the traced_probes daemon to access the core ftrace
functionalities on user builds. Specifically this involves:
- Whitelisting the per_cpu/ subdirectory to access:
  1) trace_pipe_raw file to allow perfetto to read the raw
     ftrace buffer (rather than the text-based /trace endpoint)
  2) cpuX/stats and cpuX/buffer_size_kb that allow to
     tune the buffer size per-cpu pipe and to get basic
     statistics about the ftrace buffer (#events, overruns)
- Whitelistiing the full event directories rather than the
  /enable files. This gives also access to the /format files
  for the events that are already enabled on user builds.
  /format files simply describe the memory layout
  of the binary logs. Example: https://ghostbin.com/paste/f8m4k

This still does NOT allow enabling the events labeled as
"_debug" (mostly events that return activity on inodes).
We'll deal with that separately as soon as we get a POC
of inode resolution and a sensible blacklist/whitelist model.

Bug: 70942310
Change-Id: Ic15cca0a9d7bc0e45aa48097a94eadef44c333f8

Bug: 72878750
Test: build sepolicy
Change-Id: Ifa6822e042beed0e5971c85155aa526912807c8a

This changes tracefs files to be default-enabled in debug mode, but
default-disabled with specific files enabled in user mode.

Bug: 64762598
Test: Successfully took traces in user mode.

Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb

Do not let apps read /proc/uid_cpupower/time_in_state,
/proc/uid_cpupower/concurrent_active_time,
/proc/uid_cpupower/concurrent_policy_time.

b/71718257

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15

Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial.  This gives the file a new label and gives init the
ability to write it.

Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d

Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3

And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5

Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd

Test: esdfs should be mountable and usable with selinux on
Bug: 63876697
Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e

/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and
    video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
    android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
    com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
    android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
    android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
    android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea

This reverts commit 640e595a. The
corresponding code in libcutils was removed, so this is now unneeded.

Bug: 71632076
Test: aosp_sailfish still works

Change-Id: I615bab83e9a83bc14439b8ab90c00d3156b0a7c4

Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.

Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0

This reverts commit 84f96859.

Fixes: 70874565
Reason for revert: massive logspam during phone calls.

Change-Id: If00e46535f71209eea999e4d5d499bf40a5f16fd

Many processes including third party apps are expected to
access /proc/net/xt_qtaguid/stats. Give this file a new label
to avoid spamming the logs and temporarily grant read access to
all processes.

Read-only permission is adequate for all processes based on unix
permissions.
sailfish:/ # ls -laZ /proc/net/xt_qtaguid/stats
-r--r--r--  1 root net_bw_stats u:object_r:proc_net_xt_qtaguid_stats:s0 stats

Bug: 9496886
Bug: 68016944
Bug: 70722355
Test: Build/flash Sailfish. Browse in Chrome and watch videos in youtube.
    No "denied" or "granted" selinux messages observed in the logs.

Change-Id: I29f1ee806c8149988b9b93a950790d14754927ef

Do not let apps read uid_concurrent_active_time and
uid_concurrent_policy_time.

b/68399339

Test: Check that they can't be read from the shell
    without root permissions and system_server was able
    to read them

Change-Id: I6f09ef608607cb9f4084ba403a1e7254b8c49a06

We already expect contents of /sys/class/net to be labeled as sysfs_net.
Also label the directory for consistensy since we usually label
/sys/class/foo directories as sysfs_foo.

Bug: 65643247
Test: netd_integration_test
Test: can browse internet without denials to sysfs_net
Change-Id: I9d28ab4baf71df99ae966276532f14684d1abca6

Label /sys/kernel/notes.

Bug: 70275668
Test: m
Change-Id: Ieb666425d2db13f85225fb902fe06b0bf2335bef

Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram

Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4

Bug: 70040773
Bug: 65643247
Change-Id: I68e2e796f5599c9d281897759c8d8eef9363559a
Test: walleye boots with no denials from init to sysfs.

This reverts commit c2241a8d.

Reason for revert: build breakage b/70040773

Change-Id: I6af098ae20c4771a1070800d02c98e5783999a39

Add write access to:
sysfs_android_usb
sysfs_leds
sysfs_power
sysfs_zram

Add setattr access to:
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_lowmemorykiller
sysfs_power
sysfs_leds
sysfs_ipv4

Bug: 65643247
Test: walleye boots with no denials from init to sysfs.

Change-Id: Ibc9a54a5f43f3d53ab7cbb0fdb9589959b31ebde

/proc/uid/ provides the same per-uid time_in_state data as
/proc/uid_time_in_state, so apply the same type and let system_server
read directories of this type.

Bug: 66953705
Test: system_server can read /proc/uid/*/time_in_state files without
denials on sailfish
Change-Id: Iab7fd018c5296e8c0140be81c14e5bae9e0acb0b
Signed-off-by: Connor O'Brien <connoro@google.com>

And give shell domain read access to /proc/sys/kernel/pic_max.

Bug: 69569397
Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests
--gtest_filter=pthread.pthread_mutex_owner_tid_limit
Change-Id: Ib56c18ed553ad2c2113e6913788a4c00965483cc

Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
system_server access to it.

Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf
observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59

New types and files labeled with them:
1. proc_abi:
  /proc/sys/abi/swp

2. proc_dirty:
  /proc/sys/vm/dirty_background_ratio
  /proc/sys/vm/dirty_expire_centisecs

3. proc_diskstats:
  /proc/diskstats

4. proc_extra_free_kbytes:
  /proc/sys/vm/extra_free_kbytes

5. proc_hostname:
  /proc/sys/kernel/domainname
  /proc/sys/kernel/hostname

6. proc_hung_task:
  /proc/sys/kernel/hung_task_timeout_secs

7. proc_max_map_count:
  /proc/sys/vm/max_map_count

8. proc_panic:
  /proc/sys/kernel/panic_on_oops

9. proc_sched:
  /proc/sys/kernel/sched_child_runs_first
  /proc/sys/kernel/sched_latency_ns
  /proc/sys/kernel/sched_rt_period_us
  /proc/sys/kernel/sched_rt_runtime_us
  /proc/sys/kernel/sched_tunable_scaling
  /proc/sys/kernel/sched_wakeup_granularity_ns

10. proc_uptime:
  /proc/uptime

Files labeled with already existing types:
1. proc_perf:
  /proc/sys/kernel/perf_event_paranoid

2. proc_sysrq:
  /proc/sys/kernel/sysrq

3. usermodehelper:
  /proc/sys/kernel/core_pipe_limit

Changes to init domain:
1. Removed access to files with 'proc' label.
2. Added access to newly introduced types + proc_kmsg.

Bug: 68949041
Test: walleye boots without denials from u:r:init:s0.
Test: system/core/init/grab-bootchart.sh does not trigger denials from
u:r:init:s0
Change-Id: If1715c3821e277679c320956df33dd273e750ea2

Bug: 62378620
Test: Android in Chrome OS can call uevent_kernel_recv() and not fail
      with EIO.
Test: bullhead networking still works

Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd

Test: boot sailfish with no audit when writing to page-cluster
Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8

New types:
1. proc_random
2. sysfs_dt_firmware_android

Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.

Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.

Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a

Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b7)

Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b7)

Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b7)

This is to simplify access for hal_audio

Test: ls -Z in /proc/asound correctly shows everything with proc_asound
selinux label

Change-Id: I66ed8babf2363bee27a748147eb358d57a4594c4

Remove netd access to sysfs_type attribute.

These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net

Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e

New types:
sysfs_android_usb
sysfs_ipv4
sysfs_power
sysfs_rtc
sysfs_switch
sysfs_wakeup_reasons

Labeled:
/sys/class/android_usb, /sys/devices/virtual/android_usb ->sysfs_android_usb
/sys/class/rtc -> sysfs_rtc
/sys/class/switch, /sys/devices/virtual/switch -> sysfs_switch
/sys/power/state, /sys/power/wakeup_count -> sysfs_power
/sys/kernel/ipv4 -> sysfs_ipv4
/sys/kernel/wakeup_reasons -> sysfs_wakeup_reasons

Removed access to sysfs and sysfs_type from system_server and added
appropriate access to new types.

Bug: 65643247
Test: sailfish boots without violation from system_server or to new labels.
Change-Id: I27250fd537d76c8226defa138d84fe2a4ce2d5d5

Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
 - update_verifier to read sysfs_dm dir and file at
   /sys/devices/virtual/block/dm-X.
 - vold to write sysfs_dm.

Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
      marks a sucessful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95

Renamed this type:
proc_asound_cards -> proc_asound

Labeled /proc/asound/devices as proc_asound.

We now use proc_asound type to label files under /proc/asound which we
want to expose to system components.

Bug: 66988327
Test: Pixel 2 boots, can play sound with or without headphones, and
selinux denials to proc_asound are not seen.

Change-Id: I453d9bfdd70eb80931ec9e80f17c8fd0629db3d0

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

1. Labeled:
/proc/cmdline -> proc_cmdline

2. Removed access to proc label from vold domain.

3. Added access proc_cmdline to these domains:
init, kernel, vold

4. Also, added proc_drop_caches access to vold.

Bug: 66497047
Test: device boots without selinux denials to new labels
Change-Id: Ic88d11b7e56b07c0e8bd874e7f72788922a218e3

proc files needed by fwk that were labeled:
/proc/filesystems -> proc_filesystems
/proc/mounts -> proc_mounts
/proc/swaps -> proc_mounts

Removed access to proc label from these domains:
e2fs, fsck, fsck_untrusted, sdcardd

e2fs: added access to proc_filesystems, proc_mounts, proc_swaps
fsck: added access to proc_mounts, proc_swaps
fsck_untrusted: added access to proc_mounts
sdcardd: added access to proc_filesystems
vold: added access to proc_filesystems, proc_mounts

Bug: 66199084
Test: device boots without selinux denials to new labels or proc label.
Change-Id: If0f19e22074419dab0b3a0c6f3a300ea8cb94523