Test: No change to SELinux policy
Change-Id: I45d6d6ab0538b9d4768b922cfdc2c972272d0b18

As of https://android-review.googlesource.com/324092, ephemeral_app is
now an appdomain, so places where both appdomain and ephemeral_app are
granted the same set of rules can be deleted.

Test: policy compiles.
Change-Id: Ideee710ea47af7303e5eb3af1331653afa698415

This fixes the following issues introduced in commit
d225b697:
* plat_file_contexts was empty because the target was referencing
  system/sepolicy/private/file_contexts via a misspelled variable
  name.
* plat_file_contexts wasn't marked as dirty and thus wasn't rebuilt
  when system/sepolicy/private/file_contexts changed. This is because
  the file_contexts dependency was referenced via a misspelled
  variable name.
* plat_file_contexts wasn't sorted (as opposed to other similar
  targets, such as nonplat_file_contexts and file_contexts.bin). This
  may lead to unnecessary non-determinism.
* nonplat_file_contexts wasn't marked dirty and thus wasn't rebuilt
  when device-specific file_contexts file(s) changed. This is because
  the file_contexts files were referenced via a misspelled variable
  name.

Test: "make plat_file_contexts" produces a non-empty file containing
      mappings from system/sepolicy/private/file_contexts
Test: "make plat_file_contexts" updates output when
      system/sepolicy/private/file_contexts changes
Test: "make plat_file_contexts" produces output which is sorted
      accroding to rules in fc_sort
Test: "make nonplat_file_contexts" updates output when
      device/lge/bullhead/sepolicy/file_contexts changes (tested on
      aosp_bullhead-eng)
Bug: 31363362
Change-Id: I540555651103f02c96cf958bb93618f600e47a75

wificond is a system_server service used by wifi, wifi doesnt start now

This reverts commit b68a0149.

Change-Id: If958c852e5d8adf8e8d82346554d2d6b3e8306c9

/sys/class/leds is the standard location for linux files dealing with
leds, however the exact contents of this directory is non-standard
(hence the need for a hal).

Bug: 32022100
Test: compiles and works for the subset of common files
Change-Id: I7571d7267d5ed531c4cf95599d5f2acc22287ef4

wificond_service is not a system_server service, so drop the
typeattribute.

Test: compile
Change-Id: Ic212dd2c8bc897fbdc13ca33a9864ac8d4e68732
Signed-off-by: William Roberts <william.c.roberts@intel.com>

This fixes a bug introduced in the HIDL port where fingerprint no
longer notifies keystore of authentications.

Test: keyguard, FingerprintDialog

Fixes bug 34200870

Change-Id: I8b1aef9469ff4f4218573a6cde4c3a151512c226

Ephemeral apps cannot open files from external storage, but can be given
access to files via the file picker.

Test: ACTION_OPEN_DOCUMENTS from an ephemeral app returns a readable fd.
Change-Id: Ie21b64a9633eff258be254b9cd86f282db1509e8

Ephemeral apps are still apps with very similar capabilities, it makes
more sense to have them under appdomain and benefit from the shared
state (and all the neverallow rules) than to try and dupplicate them and
keep them in sync.

This is an initial move, there are parts of ephemeral_app that still
need to be locked down further and some parts of appdomain that should
be pushed down into the various app domains.

Test: Builds, ephemeral apps work without denials.
Change-Id: I1526b2c2aa783a91fbf6543ac7f6d0d9906d70af

Bug: http://b/30705528
Bug: http://b/34450704
Test: mma
Change-Id: I315a52411232b6ff38d014a2e0fadb0bcfbc1f3f

Test: policy compiles.
Bug: http://b/34450704
Change-Id: I1381f9de8e4c8cdde4920be423ab32adc2f7a8a2

After checking the auditallow logs for the rule being monitored, it's
clear that the rule is not in use and can be removed. All unused rules
should be removed, as they present needless additional attack vectors.

Test: The device boots.
Change-Id: Ie9e060c4d134212e01309a536ac052851e408320

There were some auditallow rules left around in rild.te that had logs
showing nothing was triggering them. Thus the rules they were auditing
could be removed, as that's clear indication there's no use for them.
Having rules around that aren't being used does nothing except increase
attack surface and bloat sepolicy, and so should always be removed if
possible.

Test: The device boots
Change-Id: I906ffc493807fbae90593548d478643cda4864eb

Revise policy, to allow init and system_server to configure,
clear, and read kernel trace events. This will enable us to
debug certain WiFi failures.

Note that system_server is restricted to only accessing
a wifi-specific trace instance. (Hence, system_server is
not allowed to interfere with atrace.) Moreover, even for
the wifi trace instance, system_server is granted limited
permissions. (system_server can not, e.g., change which
events are traced.)

Note also that init and system_server are only granted these
powers on userdebug or eng builds.

The init.te and system_server.te changes resolve the
following denials:

// Denials when wifi-events.rc configures tracing
{ write } for pid=1 comm="init" name="instances" dev="debugfs" ino=755 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ add_name } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ create } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=1 comm="init" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=1 comm="init" name="buffer_size_kb" dev="debugfs" ino=18061 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=file permissive=1

// Denials when system_server sets up fail-safe
// (auto-terminate tracing if system_server dies)
{ search } for pid=882 comm="system_server" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=882 comm="system_server" name="free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1

// Denials when system_server toggles tracing on or off
// (WifiStateMachine is a thread in system_server)
{ search } for pid=989 comm="WifiStateMachin" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1

// Denials when system_server reads the event trace
// (This happens in response to a dumpsys request)
{ search } for pid=3537 comm="Binder:882_B" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1
{ read } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ open } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ getattr } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1
{ write } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1

Bug: 27254565
Test: manual
Manual test:
- Build this CL along with CL:322337
- Verify that system boots, and that we can connect to GoogleGuest.
  (Testing of actual trace functionality with require some more
  patches in frameworks/opt/net/wifi.)
$ adb root && adb shell dmesg | egrep 'avc: denied.+debugfs'

Change-Id: Ib6eb4116549277f85bd510d25fb30200f1752f4d

Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.

Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed

- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice

Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a

New procfs file read by storaged to dump fg/bg IO usage.

Remove kmsg rule since it's no longer used by storaged.

Allow storaged to find permission_service to translate UID
to package name.

Test: adb shell storaged -u
Bug: 34198239
Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd

Some recent CLs changed the list of files that are installed in the
root directory.  Incremental builds have no way to uninstall files
that were previously installed, which results in old stray files lying
around.  If the root directory is contained in system.img, this causes
an error while building system.img:
error: build_directory_structure: cannot lookup security context for /service_contexts

Update CleanSpec.mk to remove files obsoleted by:
Ide67d37d85273c60b9e387e72fbeb87be6da306a
I7881af8922834dc69b37dae3b06d921e05206564
Ide67d37d85273c60b9e387e72fbeb87be6da306a

This is not seen on the incremental build servers because they run
make installclean between builds.

Test: incremental build passes
Change-Id: I22ecd1d3698404df352263fa99b56cb65247a23b

All hals need to use hwbinder.

Test: no additional denials
Bug: 34180936
Change-Id: Ie92cdbd79fc75062c4afa4cda53cb57ccde7e370

This reverts commit 262edc38.

Fixes: 34370523
Change-Id: I077d064d4031d40bc48cb39eba310e6c16b9627d

Previously we published appfuse mount points to apps and apps open
appfuse file by themselves. We changed the design and we don't allow
apps to access appfuse mount point. Instead system server opens a file
on appfuse mount points and passes FD to apps.

The change updates apps and system server policies to adopt new design.

Bug: 29970149
Test: None
Change-Id: I0b35fee9816f61565705eecb88a472754ccffdca

New procfs file written by the system_server to communicate fg/bg
state of UIDs to switch the statistics counter sets used.

avc: denied { write } for name="set" dev="proc" ino=4026531862 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Test: builds, boots, counter sets updated
Bug: 34360629
Change-Id: I2efbfbba9e73f50ce50a80a3dffd3b14fa55c048

Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I7881af8922834dc69b37dae3b06d921e05206564
Signed-off-by: Sandeep Patil <sspatil@google.com>

This improves readability and consistency for HAL implementation
domains which have only one implementation.

Test: No change to policy according to sesearch
Test: No change to which types are associated with haldomain according to "sepolicy-analyze <sepolicy file> attribute haldomain"
Bug: 34180936
Change-Id: Ice599ea4971cdfbd8b835b1fd02ad1e14c7a0386