Right now, the hwcomposer hidl hal is unable to figure out where
to get the hidl mapper implementation.

It is expected that all graphics composer objects will need this
permission. The interfaces are written to work together with the
"IMapper" being the same-process ("sphal") component and the
"IComposer" interface being the binderized compoenent.

10-09 00:24:38.900   457   457 E SELinux : avc:  denied  { find } for
interface=android.hardware.graphics.mapper::IMapper pid=495
scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:hal_graphics_mapper_hwservice:s0 tclass=hwservice_manager

Test: boot marlin, denial no longer present.
Bug: 38415912
Change-Id: I1b274be10e115fa7b53fb81e85be8827da05997e

Underlying data services setup no longer needs this

Bug: 35757613
Bug: 36085168
Test: GPS, XTRA & avc denial checks
Change-Id: I679ee70f65f34d5a7d1fc1f1fe92af6a92ec92c5

Update SE Policy to allow calls to and callbacks from Wifi Offload HAL
HIDL binderized service.
Combined cherry pick from d56aa1982d15acfc2408271138dac43f1e5dc987
and 66e27bf5

Bug: 32842314
Test: Unit tests, Mannual test to ensure Wifi can be brought up and
connected to an AP, ensure that Offload HAL service is running and that
that wificond can get the service handle by calling hwservicemanager.

Change-Id: I0fc51a4152f1891c8d88967e75d45ded115e766e

This hidl service provides information about vsync and hotplug
to vendor services which is required by at least some camera
hal implementations.

Test: VtsFwkDisplayServiceV1_0TargetTest
Test: no denials
Bug: 38311538
Change-Id: I64f0321e2832facf987057f0d48940e269d8e2d9

Disallowing other HALs access to video_device does not appear to be
enforceable.

(cherry picked from commit c26dd18a)

Bug: 37669506
Test: build policy. Neverallow rules are build time test and do not
      impact the policy binary.
Change-Id: Iea401de08a63f3261a461f67b85113a9d838e88a

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea
Merged-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

Bug: 35628284
Change-Id: I08877ac117212325b1259f7d90a4c0cb1dac2d9f
Fix: 38233550
Test: Build and boot
Merged-In: I4cdacb601e0eea1f5f0e721c568c7ee04298704f

Bug: 34766843
Change-Id: I5be615d818ecf999fec6514ce9b89ff6a7f13cd6
Fix: 38232801
Test: Build and boot
Merged-In: Ice78aedfdbe82477a84252499a76dad37887fe6b

Sensord move in ag/2106763 should be accompanied by corresponding
sepolicy move of sensord-related files/declarations.

Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d

This reverts commit 8c60f74d.

Bug: 38242876
Change-Id: Iba5a94d16901dc0c52f1941972c26877baa4805c

Specify per-service rules for PDX transport. Now being able to
grant permissions to individual services provided by processes,
not all services of a process.

Also tighter control over which permissions are required for
client and server for individual components of IPC (endpoints,
channels, etc).

Bug: 37646189
Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

This is needed for devices using configfs, where init listens for
sys.usb.ffs.ready=1 to config usb_gadget. When recovery starts
sideloading, minadbd (forked from recovery) sets the property to trigger
that action.

avc:  denied  { set } for property=sys.usb.ffs.ready pid=541 uid=0 gid=0
scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0
tclass=property_service

Bug: 35803743
Test: Device shows up in sideload mode.
Change-Id: Ie7f1224d3a8650160ac29811f73b8286fbced4f4

New binder kernel changes extend the areas where
binder will set real-time scheduling priorities
on threads; to make sure the driver can correctly
determine whether a process is allowed to run
at real-time priority or not, add the capability
to the services that need it.

Bug: 37293077
Test: processes run at real-time prio on incoming
      real-time binder calls.

Change-Id: Ia4b3e5ecb1f5e18e7272bdaaad5c31a856719633

The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 37993476
Test: check contents of media.audio_flinger section in
      a bugreport captured on Pixel device
Merged-In: I77d347c019ac93c3ba0d54ce50f0fdc243b04685

Change-Id: Ia0531f715ae5f8b2599153e54a11e9eb4ee47d4b

Remove SELinux access from domain_deprecated. Access to SELinux APIs can
be granted on a per-domain basis.

Remove appdomain access to SELinux APIs. SELinux APIs are not public and
are not intended for application use. In particular, some exploits poll
on /sys/fs/selinux/enforce to determine if the attack was successful,
and we want to ensure that the behavior isn't allowed. This access was
only granted in the past for CTS purposes, but all the relevant CTS
tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b

In the init scripts for socket, the type can have a suffix of
"+cred" to request that the socket be bound to report SO_PASSCRED
credentials on socket transactions.  Here we add socket setopt
to selinux rules.

Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot
      (fails without logd.rc change)
Bug: 37985222
Change-Id: I37cdf7eea93c3e8fa52964e765eaf3007e431b1f

When installd clears cached files on external storage, the sdcardfs
kernel filesystem needs to be kept in the loop to release any cached
dentries that it's holding onto.  (Otherwise the underlying disk
space isn't actually released.)

installd can already delete the underlying files directly (via the
media_rw_data_file rules), so this technically isn't expanding its
capabilities.

avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Bug: 37486230
Change-Id: Icfd00a9ba379b1f50c48fe85849304cf9859bcb2

The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 37993476
Test: check contents of media.audio_flinger section in
      a bugreport captured on Pixel device

Change-Id: I77d347c019ac93c3ba0d54ce50f0fdc243b04685

This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0

Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376
(cherry picked from commit a0d3ff8e)

This is needed by linker to be able to load libraries from memfd
which currently generated following denial:
avc: denied { getattr } for path=2F6D656D66643A666F6F626172202864656C6574656429 dev="tmpfs" ino=902079 scontext=u:r:shell:s0 tcontext=u:object_r:shell_tmpfs:s0 tclass=file permissive=0

Bug: http://b/37245203
Bug: http://b/37916741
Test: builds
Change-Id: I5b57b6cada50a62657c8daaaaaa56f1ee9cdb376

Whether a device is full Treble or not, omx should be able to
access vndbinder

Test: (sanity) oc-dev marlin boots + YouTube + lshal
Fixes: 37528973
Change-Id: Idd734b42c7dfe3e09e544680a6893b03910ecd3e

Bug:  37713584
Test: With GtsMediaTestCases.apk installed, try:
      adb shell am instrument -w
      -e class 'com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC'
      'com.google.android.media.gts/android.support.test.runner.AndroidJUnitRunner'

Change-Id: Icc2066e9d9bbc5c020b6d694e9627487771ef35e

The linker now requires getattr rights for the filesystem. Otherwise
linking otapreopt and patchoat/dex2oat will fail.

Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
(cherry picked from commit 639a2b84)

Test: Play Music over BT headset
Bug: 37640821
Change-Id: I1fe6c9a289315dc0118888e19250cd64aee9a0d5

Test: bit FrameworksCoreTests:android.view.textclassifier.TextClassificationManagerTest
Bug: 34780396
Change-Id: I8b98fef913df571e55474ea2529f71750874941c

Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
(cherry picked from commit ad41fa8d)

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

These were missing when the sepolicy was migrated.

Addresses denials:

E SELinux : avc:  denied  { find } for service=drm.drmManager pid=11769
uid=10018 scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for
path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg"
dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0
tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0

Bug: 37685394
Bug: 37686255
Test: Sync files
Test: Open downloaded file

Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d

Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

Test: gts-tradefed run gts -m GtsMediaTestCases -t com.google.android.media.gts.MediaPlayerTest#testLLAMA_H264_BASELINE_240P_800_DOWNLOADED_V0_SYNC

bug:37548390
Change-Id: I9c2d446118d3a5f729730b75ec117954e383159b

This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layes of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already as, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d

On fugu, surfaceflinger is Graphics Allocator HAL. surfaceflinger
needs access to video_device. This commit thus relaxes the neverallow
rule which says that out of all HALs, only Camera HAL can access
video_device. The rule is relaxed to exclude HALs offered by
framework/system image.

Test: fugu boots
Bug: 37575062
Change-Id: I9b9be55fe0bf3928f1a6342113a7d6f9a2eb0260

vr_wm functionality is moved in VrCore, so remove this service.

Bug: 37542947, 36506799
Test: Ran on device and verified there are no permission errors while in
VR
Change-Id: I37fd34e96babec2a990600907f61da8c358ecc89

Allow the services to do binder calls to system_server in order to check
for app permissions.

Bug: 37542947
Test: Compiled and ran on device ensuring no permission errors
Change-Id: If91895607eb118f689cf2e11c63945e9f83bf2a0

The types need to be exported so userdebug system.img
can still build the policy with a user vendor.img at boot time.
All permissions and attributes for these types are still kept under
conditional userdebug_or_eng macro

Bug: 37433251
Test: Boot sailfish-user build with generic_arm64_ab system.img on
      sailfish and make sure sepolicy compilation succeeds

Change-Id: I98e8428c414546dfc74641700d4846edcf9355b1
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: 37152880
Bug: 37554633
Test: adb shell am hang --allow-restart
Test: adb shell dumpstate
Change-Id: Ie68607f3e3245a40056bdde7dd810ddf212b4295

This lets dumpstate obtain the list of currently registered HwBinder
services.

Test: adb bugreport -- no denials to do with dumpstate access to
      hwservicemanager list functionality.
Bug: 37554633

Change-Id: I95512168948ca45a0dd830c20922e3c776ffaf41