- Feb 06, 2017
-
Stephen Smalley authored
am: eb6196b1 Change-Id: I4ff39ba20966778c4084a91a0454dbc346b08b8c
-
Stephen Smalley authored
am: 2d6dc8b5 Change-Id: Id1d56498a1221655543916632c376113da918e14
-
Stephen Smalley authored
am: 7a069af2 Change-Id: Ic5ba2abe3d5d2aa531ad5aebd64bc564eb707c78
-
Stephen Smalley authored
am: 60eff1f2 Change-Id: I903b56cbf25dcc5e8da3508874afce151571d976
-
Stephen Smalley authored
am: 431bdd9f Change-Id: Ifb8085ca9b3107acc4c1b658c01b321770c82a96
-
Stephen Smalley authored
am: 8a003607 Change-Id: Ifdce40a385442a85f69d7e477c95ab540457f54b
-
Abodunrinwa Toki authored
am: 60bfd5d6 Change-Id: I9451ce42cc1c0dc1f351f48261a80d7c89034e30
-
Abodunrinwa Toki authored
am: 0db7aae1 Change-Id: I191e6bc530fc735167c8d364c552bd2e6e099f9d
-
Abodunrinwa Toki authored
am: 5470aefb Change-Id: I9d0adb605c5b38990f77ac21acb16ecc547fe433
-
Stephen Smalley authored
Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes.

Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support.

The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes").

This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master.

Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace.

Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes.

This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them.

The kernel support went upstream in Linux 4.7.

Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy.

Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-
Abodunrinwa Toki authored
-
Chad Brubaker authored
am: 3d1e5959 Change-Id: Iea59fcc55ea2813d71141558e3f86fbfdc22d034
-
Chad Brubaker authored
am: 812213ae Change-Id: I38671a9200d7b76dc7b748848f8134df6e2ef267
-
Chad Brubaker authored
am: 829c8e0a Change-Id: I9ded883761ec9d6fbbcfead877788edbbcb41521
-
Chad Brubaker authored
am: 95804f17 Change-Id: I744c77d2e32dd2d84a64197fb2bf5c41cffa6a61
-
Josh Gao authored
* changes:
  crash_dump: dontaudit CAP_SYS_PTRACE denial.
  crash_dump: don't allow CAP_SYS_PTRACE or CAP_KILL.
-
Chad Brubaker authored
am: 46e5a060 Change-Id: Id2ccc41a74a8465e6fc33429c13ca22253a53f12
-
Chad Brubaker authored
am: 4c40d734 Change-Id: I680e736766d371f6ac631cae26d11d85dc896e8f
-
Chad Brubaker authored
The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
-
Chad Brubaker authored
The rules for the two types were the same and /data/app-ephemeral is being removed. Remove these types. Test: Builds Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28
-
- Feb 04, 2017
-
Abodunrinwa Toki authored
Bug: 34781862 Test: none Change-Id: Ie628dca592a68ed67a68dda2f3d3e0516e995c80
-
- Feb 03, 2017
-
Treehugger Robot authored
-
Tianjie Xu authored
am: f9cc18f6 Change-Id: I8bd6edb0093eab232f07b3c9a1cec12a5db005cc
-
Tianjie Xu authored
am: 3439a0c9 Change-Id: I9cd32577cf38575e00dfdc1f0dbe5868cd445b0f
-
Tianjie Xu authored
am: 254ce3fb Change-Id: I5108f9113b5511fcda6331b5af860efcc7f8baba
-
Tianjie Xu authored
-
Max Bires authored
Test: Device boots Change-Id: I2fb0a03c9ed84710dc2db7b170c572a2eae45412