This adds the premissions required for
android.hardware.keymaster@2.0-service to access the keymaster TA
as well as for keystore and vold to lookup and use
android.hardware.keymaster@2.0-service.

IT DOES NOT remove the privileges from keystore and vold to access
the keymaster TA directly.

Test: Run keystore CTS tests
Bug: 32020919

(cherry picked from commit 5090d6f3)

Change-Id: Ib02682da26e2dbcabd81bc23169f9bd0e832eb19

This leaves only the existence of webview_zygote domain and its
executable's webview_zygote_exec file label as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: Device boots, with Multiproces WebView developer setting
      enabled, apps with WebView work fine. No new denials.
Bug: 31364497

Change-Id: I179476c43a50863ee3b327fc5155847d992a040d

Bug: 31015010

cherry-pick from b6e4d4bd

Test: checked for selinux denial msgs in the dmesg logs.
Change-Id: I8285ea05162ea0d75459e873e5c2bad2dbc7e5ba

Dumpstate needs the hwbinder_use permission in order to talk to hardware
services.

Bug: 34709307
Test: no denials submitting bugreport
Change-Id: Ic51da5371cd346c0fa9fb3881a47adaf53c93566

The CLs that split the property_contexts at
topic:prop_ctx_split status:merged broke incremental build,
which was later fixed in I22ecd1d3698404df352263fa99b56cb65247a23b.

The prop_ctx CLs were later reverted due to updater breakage as in
b/34370523. So, this change adds the property_contexts clean steps
to fix the incremental builds

Change-Id: Ic32b144dbfada3a6c34f9502099220e7e3c63682
Signed-off-by: Sandeep Patil <sspatil@google.com>

This leaves only the existence of zygote domain and its
executable's zygote_exec file label as public API. All other rules are
implementation details of this domain's policy and are thus now
private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
      priv_app) work fine. No new denials.
Bug: 31364497
Change-Id: Ie37128531be841b89ecd602992d83d77e26533bc

This leaves only the existence of appdomain attribute as public API.
All other rules are implementation details of this attribute's policy
and are thus now private.

Test: Device boot, apps (untrusted_app, system_app, platform_app,
      priv_app) work fine. No new denials.
Bug: 31364497

Change-Id: Ie22e35bad3307bb9918318c3d034f1433d51677f

HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This partially reverts the moving of rules out of gatekeeperd in
commit a9ce2086.

Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
      unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765

- Added set_prop to shell so that you can set it from shell.
- Added set_prop to sytem_app so that it can be updated in settings.

Bug: 34256441
Test: can update prop from Settings and shell. nfc and lights work with
ag/1833821 with persist.hal.binderization set to on and off. There are
no additional selinux denials.
Change-Id: I883ca489093c1d56b2efa725c58e6e3f3b81c3aa

Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This reverts the moving of rules out of mediadrmserver in commit
c86f42b9.

Test: YouTube videos play back, no mediadrmserver denials
Bug: 34715716
Bug: 32815560
Change-Id: Ib57ef880bcc306c6e01f2c24c0f3a4298598eb9a

Bug:    34559906
Test:	Manual through the test app
Change-Id: Ib69d4fe6b0e21f162f08cea061260c683e4b8c9b

bug:32815560
Change-Id: I494141b47fcd2e7e0cc02aa58d8df9a222060b3f

XAUTH based VPNs
1. IPSec XAUTH PSK
2. IPSec XAUTH RSA
fail with the following error from racoon

  01-24 16:46:05.583 18712 18712 W ip-up-vpn: type=1400 audit(0.0:390):
  avc: denied { ioctl } for path="socket:[954683]" dev="sockfs" ino=954683
  ioctlcmd=891c scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0
  tclass=udp_socket permissive=0

"setenforce 0" on the device fixed the issue.

Bug: 34690009
Test: Policy compiles
Change-Id: Idc0d156ec32e7a9be3825c380c3cb0359fe4fabe

reflect the change from "mediaanalytics" to "mediametrics"

Also incorporates a broader access to the service -- e.g. anyone.
This reflects that a number of metrics submissions come from application
space and not only from our controlled, trusted media related processes.
The metrics service (in another commit) checks on the source of any
incoming metrics data and limits what is allowed from unprivileged
clients.

Bug: 34615027
Test: clean build, service running and accessible
Change-Id: I657c343ea1faed536c3ee1940f1e7a178e813a42

Bug: 34366227
Test: passthrough services successfully found
Change-Id: If2cad09edc42f01cc5a444229758ecdfe2017cf2

This CLs adds SElinux policies necessary to compile secondary dex files.

When an app loads secondary dex files via the base class loader the
files will get reported to PM. During maintance mode PM will compile the
secondary dex files which were used via the standard installd model
(fork, exec, change uid and lower capabilities).

What is needed:
dexoptanalyzer - needs to read the dex file and the boot image in order
to decide if we need to actually comppile.
dex2oat - needs to be able to create *.oat files next to the secondary
dex files.

Test: devices boots
      compilation of secondary dex files works without selinux denials
      cmd package compile --secondary-dex -f -m speed
com.google.android.gms

Bug: 32871170
Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45

Allow update_verifier to load the boot_control_hal in passthrough mode.

Test: update_verifier works, no denials
Bug: 34656553
Change-Id: I5c20ce67c8f1fd195f2429dae497221514ed95a8

system_server needs the permissions to open the lights hal in the same
process.

Bug: 34634317
Test: can change brightness on marlin (tested on internal master)
Change-Id: I11fe59b4ab32e13d6dad246f4e6c56951e051181

Addresses the following denial:

  avc: denied { read } for name="cache" dev="dm-0" ino=2755
  scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0
  tclass=lnk_file permissive=0

which occurs when a priv-app attempts to follow the /cache symlink. This
symlink occurs on devices which don't have a /cache partition, but
rather symlink /cache to /data/cache.

Bug: 34644911
Test: Policy compiles.
Change-Id: I9e052aeb0c98bac74fa9225b9253b1537ffa5adc

This neverallow addition addresses the renaming of files in exploits in
order to bypass denied permissions. An example of a similar use case of
using mv to bypass permission denials appeared in a recent project zero
ChromeOS exploit as one of the steps in the exploit chain.
https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html

Additionally, vold and init both had permission sets that allowed them
to rename, but neither of them seem to need it. Therefore the rename
permission has also been removed from these two .te files.

Test: The device boots successfully
Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80

auditallow this until we track down where the file is opened without
O_APPEND.

01-23 08:02:12.272   555   555 W tombstoned: type=1400 audit(0.0:11480): avc: denied { write } for path="/data/anr/traces.txt" dev="sda35" ino=4669445 scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file permissive=0

Bug: http://b/34193533
Test: mma
Change-Id: I77b854dce06231232004432839ebd5aa963ef035

Merged-In: Id2b849d7fa22989225066ebe487fc98d319743ea
Bug: 34190490
Test: CTS in internal master
Change-Id: I27ab62469f3a405c59eda1a2a249899e845bed56

Delete rule for permission_service since we use packages.list instead.

Test: adb shell storaged -u
Bug: 34198239
Change-Id: Ic69d0fe185e627a932bbf8e85fc13163077bbe6b

Test: pass
Change-Id: Ie1a6513f8fa9cb4b007fccefe63ccb78fcd45578