Bug: 32123421
Bug: 32905206

Test: compiles, nfc works
Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d

Merge "Allow binder IPC between ephemeral app and appdomain" am: 0046853f am: 377e50d7 am: 393b96e3
am: 8bc6e51d

Change-Id: Iae7161bf31afd0b12aceb6b7a20427edf9568da0

am: 3b7df33e

Change-Id: Ifdae9d93e1926c330120440dcebefce5b0829243

am: 393b96e3

Change-Id: Ib556294ff0b0a64db1088c5e790a3eec6dd4f58a

am: 377e50d7

Change-Id: I405de2d676bf01053bf1e36049edd348675d183a

am: 0046853f

Change-Id: Ib21c9b4dad410270ef280786a7eca0db21069e88

am: 1b0ec79f

Change-Id: Ib4d85189639a4ef7228f9b8dd639b6a2eb59ea39

am: 18f61a0f

Change-Id: I05a0657ab76f1143f0fd808de7948bfc2e7b21f8

am: bb9a3888

Change-Id: I6f9175baa166d7f8b887b12fbc6266e602f24173

system/core commit 331cf2fb7c16b5b25064f8d2f00284105a9b413f created a
number of new properties of the form:

  [ro.boottime.init]: [5294587604]
  [ro.boottime.InputEventFind]: [10278767840]
  [ro.boottime.adbd]: [8359267180]
  ...

These properties were assigned the default_prop SELinux label because a
better label did not exist. Properties labeled with the default_prop
label are readable to any SELinux domain, which is overly broad.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:default_prop:s0

Instead, create a new label for the ro.boottime.* properties so we can
apply more fine grain read access control to these properties.

  bullhead:/ $ getprop -Z ro.boottime.adbd
  u:object_r:boottime_prop:s0

New SELinux property labels have minimal permissions by default. As a
result, after this change, ro.boottime.* properties will only be
readable to system_server, bootstat, init (because it manages the property
space), and "adb root" (because no SELinux permissions are enforced there).

Additional read access can be granted as-needed.

This is part of a larger effort to implement fine-grain access control
on the properties managed by init.

Test: Device boots and no SELinux denials on boot.
Change-Id: Ibf981cb81898f4356fdc5c1b6f15dd93c0d6d84d

core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.

(cherry picked from commit d310df20)

Test: policy compiles
Bug: 33620117
Change-Id: I61d18c126bca722002f41a5cc4728318878f46c6

Address denial type=1400 audit(0.0:42): avc: denied { call } for
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702

Revert "Merge "Do not allow new additions to core_property_type" am: d57dd813 am: f13dcbb4 am: 5bfa8509 am: 47e2f081"

This reverts commit 635d206b.

Change-Id: I1f937794162b563a24bbc4f4c83a24be93812a54

Merge "Do not allow new additions to core_property_type" am: d57dd813 am: f13dcbb4 am: 5bfa8509
am: 47e2f081

Change-Id: I24705f584bc462f45c4400eab18decdbfa66dfda

am: 5bfa8509

Change-Id: Idb6a5e42bff4bab0781db7bad1a497e9b2c169e5

am: f13dcbb4

Change-Id: Ife8946bdd99b4121b6ad80a21c345d9ee0af1777

am: d57dd813

Change-Id: I5e911f7d301ba8421184b80f485e043178f225fb

am: 5b6e4ecc

Change-Id: Id5d2e572270c4831971800741f3b1f094d0d3b7d

am: 2d5426ae

Change-Id: Iae51b513b88597b8837c869e93c67a58f52db2b1

am: 37f17c5b

Change-Id: I9f2147b904b48cfc6f6f898056e8ae3acd6d7aea

am: 16c889c5

Change-Id: Icfa43cb11246de34f6f8f3c96726bec67680c5ff

core_property_type is an attribute which was given to all existing
properties known to core SELinux policy. Any property with this label is
readable to all SELinux domains, which is overly broad. The long term
goal is to remove the core_property_type attribute entirely.

Add a neverallow rule prohibiting the introduction of new properties
with the core_property_type attribute. Device specific properties, or
new properties in core SELinux policy, should not have this attribute.

Test: policy compiles
Change-Id: Ie89a9f0d81c8561616001ff8451496ce2278dbb2

am: c540824b

Change-Id: If5773b4f194e7c84288ff1d46f9774c2826b9c78

am: 5f50fd90

Change-Id: I643d05381fd866f43717dc37b55ad5beb589a2bc

am: 7724c229

Change-Id: I6e4ad94ec694f96c4685f33be090ce479a87b0fd

There is no reason for vold to have this permission, and a proper
auditallow rule has been used and monitored to ensure that nothing on
android uses this permission.

Bug: 26901147

Test: Phone boots
Change-Id: Id36ed2722348f433fe3d046a3429066338230fec

am: 19a74f4e

Change-Id: I2759b341244730b1a989eeb1ea5beff2dc33044c

am: a95c52e3

Change-Id: Ibf4f702d4b7d1f86baa7550b8b76bb3b30aa81ca

am: c00252cd

Change-Id: I8d9e6337a1ec2a961a2694ad45ebde0c8b828123

Test: logging confirms service runs on boot
Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce
Signed-off-by: Connor O'Brien <connoro@google.com>

am: c94b1491

Change-Id: I4b127cc0ba7190d1d036c8e9f6cfefbc3ab8afc4

am: 1282df7c

Change-Id: I6f2fd95e1eeae204eed2c81a9b73bfe59ebe1cb7

Simulate platform and non-platform split by sending the split files to the
device to be compiled by init.

Bug: 31363362
Test: Policy builds on-device and boots.  sediff shows no difference.
Change-Id: I9627d1c66ca37786d97a049666278a4992ad7579

am: cf308055

Change-Id: I6e0092d575817efae9f64c4f89de519fa4315dc4

am: 2bb33d81

Change-Id: I418745d1eb9f855a727dab2873a7aa2e52b7e3dd

am: a018b183

Change-Id: I34dfe5ee2a0e320276b69bc2ac407c46954e6237

am: 52da39d9

Change-Id: I7ebc5532d1047726472d9078ceba0fd755130593