- Jan 18, 2018
-
-
Treehugger Robot authored
-
- Jan 17, 2018
-
-
Tri Vo authored
-
Chenbo Feng authored
Add a new set of sepolicy for the process that only netd uses to load and run ebpf programs. It is the only process that can load eBPF programs into the kernel and is only used to do that. Add some neverallow rules regarding which processes have access to bpf objects.

Test: program successfully loaded and pinned at sys/fs/bpf after device boot. No selinux violation for bpfloader
Bug: 30950746
Change-Id: Ia6bb1afda29ae0749bdc368e2dfc5faa12e81b2f
-
Tri Vo authored
Bug: 62041836
Test: sailfish sepolicy builds
Change-Id: Iad865fea852ab134dd848688e8870bc71f99788d
-
Andy Hung authored
Test: adb bugreport
Bug: 71483452
Change-Id: Ibd98702c1f757f17ada61a906ae4e0ec750aac79
-
Yang Ni authored
-
Jeffrey Vander Stoep authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Jeff Vander Stoep authored
There is a race condition between when /data is mounted and when processes attempt to access it. Attempting to access /data before it's mounted causes an selinux denial. Attribute these denials to a bug.

07-04 23:48:53.646 503 503 I auditd : type=1400 audit(0.0:7): avc: denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0
07-15 17:41:18.100 582 582 I auditd : type=1400 audit(0.0:4): avc: denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2 scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0

Bug: 68864350
Test: build
Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5
-
Tri Vo authored
Bug: 68388678
Test: storaged-unit-tests
Change-Id: Iea1ba0131a389dc4396ff3ebe2cdf68dbd688c8a
-
- Jan 16, 2018
-
-
Jaekyun Seok authored
Duplicate property names are supported now for prefix and exact matching.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: Ifd9d32eaece7370d69f121e88d5541f7a2e34458
-
Treehugger Robot authored
-
Michael Butler authored
The NeuralNetworks runtime is a library that communicates with NeuralNetworks HIDL services and is linked by applications. To enable the NN runtime to use these services, applications must have explicit sepolicy permissions to find the NN services and communicate across binder.

This CL relaxes neverallow rules for hal_neuralnetworks_*.

Because it is affecting pre-existing neverallow rules, this CL requires a CTS rebuild.

Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)
-
Tri Vo authored
-
Treehugger Robot authored
-
Yifan Hong authored
Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
-
Tri Vo authored
We use this attribute to annotate coredomains that execute vendor code in a Treble-violating way.

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c
-
- Jan 15, 2018
-
-
Nathan Harold authored
This gives the privilege to system apps, platform apps, ephemeral apps, and privileged apps to receive a UDP socket from the system server. This is being added for supporting UDP Encapsulation sockets for IPsec, which must be provided by the system.

This is an analogous change to a previous change that permitted these sockets for untrusted_apps: 0f75a62e

Bug: 70389346
Test: IpSecManagerTest, System app verified with SL4A
Change-Id: Iec07e97012e0eab92a95fae9818f80f183325c31
-
- Jan 12, 2018
-
-
Andreas Gampe authored
Give rights to call dropbox via binder.

Test: m
Test: manual
Change-Id: I968c432a27bc8fbe677a2dd03671908d555f9df6
-
Joel Galenson authored
This patch adds a flag that can be used to ignore neverallow rules. By adding SELINUX_IGNORE_NEVERALLOWS := true into the BoardConfig.mk file, neverallow violations will be ignored silently. This flag can only be enabled on userdebug and eng builds.

Users of this flag should be very careful. Since it does not work on user builds, it must be disabled to pass CTS, and enabling it for too long could hide issues that need to be addressed.

As a happy side effect, this patch should also improve the error messages when violating a neverallow rule. Specifically, the file and line number should be correct.

Bug: 70950899
Bug: 33960443
Test: Built walleye-{user,eng} with and without this new option and a neverallow violation. Built policy for all targets.
Change-Id: Id0d65123cdd230d6b90faa6bb460d544054bb906
-
Tri Vo authored
Label /vendor/etc/selinux/* as vendor_configs_file.

Bug: 62041836
Test: build system/sepolicy
Test: walleye boots
Change-Id: I617a3287860e965c282e9e82b4375ea68dbca785
-
- Jan 11, 2018
-
-
Tom Cherry authored
-
Tom Cherry authored
Bug: 71861796
Test: no more denials on walleye for shell init scripts
Change-Id: I51eab267c95a915f927b0aaa7db9d678a83093c7
-
Holly Jiuyu Sun authored
-
Holly Jiuyu Sun authored
Bug: 38206971
Test: test on phone
Change-Id: Id34ab2673c7a16744fba77eb5c176e2e8b474299
Merged-In: Id34ab2673c7a16744fba77eb5c176e2e8b474299
-
Jeff Vander Stoep authored
/proc/net/xt_qtaguid is used by apps to track their network data use. Limit access to just zygote spawned processes - apps and system_server, omitting access to isolated_app which is not allowed to create network sockets. As Android moves to eBPF for app's network data stats, access to /proc/net/xt_qtaguid will be removed entirely. Segmenting access off is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
    android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
    com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
    android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
    android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
    android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea
-
- Jan 10, 2018
-
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Treehugger Robot authored
* changes:
  vold_prepare_subdirs: grant chown
  statsd: annotate boot denials
-
Jeff Vander Stoep authored
Test: none
Change-Id: I42f2c2a09235d907b020c4924b91a3428f6c9d8e
-
Jeff Vander Stoep authored
Addresses:
avc: denied { chown } for comm="vold_prepare_su" capability=0 scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability

Bug: 71796118
Test: build
Change-Id: I64b2f1ad8d6e0748c5820b8a37a4fc4f4101d1fb
-
Jeff Vander Stoep authored
Point logspam to its owner.

Bug: 71537285
Test: build
Change-Id: I9db561ee6f2857214b7945b312e6d303630724ea
-
Jaekyun Seok authored
This CL lists all the exported platform properties in private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly.

Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
-
yro authored
and pulling metrics

Bug: 63757906
Test: manual testing conducted
Change-Id: Ieba524ee676dfb4a457d39d025d203bf02a70831
-
Primiano Tucci authored
Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/perfetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline).

1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets:
   - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X)
   - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer.
2) traced_probes: privileged daemon. This needs to:
   - access tracingfs (/d/tracing) to turn tracing on and off.
   - exec atrace
   - connect to traced_producer to stream data to traced.

init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc

Bug: 70942310
Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
-
- Jan 09, 2018
-
-
yro authored
communicate with statsd

Test: manual testing conducted
Change-Id: Icd268e258f7cbdd9310baab53fe0c66f4f303d5e
-
Treehugger Robot authored
-
Etan Cohen authored
-
Treehugger Robot authored
-