- Jul 11, 2016
Andreas Gampe authored
The new A/B OTA artifact naming scheme includes the target slot so that the system is robust with respect to unexpected reboots. This complicates the renaming code after reboot, so it is moved from the zygote into a simple script (otapreopt_slot) that is hooked into the startup sequence in init. Give the script the subset of the rights that the zygote had so that it can move the artifacts from /data/ota into /data/dalvik-cache. Relabeling will be done in the init rc component, so relabeling rights can be completely removed. Bug: 25612095 Bug: 28069686 Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b
- Jun 28, 2016
Alex Light authored
Bug: 29278988 Change-Id: I199572377a6b5c33116c718a545159ddcf50df30
- Jun 06, 2016
Tao Bao authored
Allow priv_app, uncrypt, update_engine to access the OTA packages at /data/ota_package (both A/B and non-A/B). GMSCore (priv_app) checks the existence of the folder, and downloads the package there if present. Bug: 28944800 Change-Id: I3c0717861fce7f93b33874a99f6a4a55567612a5
- Jun 01, 2016
David Sehr authored
Bug: 28748264 Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
- May 24, 2016
Fyodor Kupolov authored
A new directory is created in user data partition that contains preloaded content such as a retail mode demo video and pre-loaded APKs. The new directory is writable/deletable by system server. It can only be readable (including directory list) by privileged or platform apps. Bug: 28855287 Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
- May 13, 2016
Patrick Tjin authored
Adds the rules for /data/cache used for devices which do not have a cache partition. Bug: 28747374 Change-Id: I7c749e7692c9b8eab02029bbae5a3c78585030da
- Apr 22, 2016
Andreas Gampe authored
Give mount & chroot permissions to otapreopt_chroot related to postinstall. Add postinstall_dexopt for otapreopt in the B partition. Allow the things installd can do for dexopt. Give a few more rights to dex2oat for postinstall files. Allow postinstall files to call the system server. Bug: 25612095 Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7
- Mar 24, 2016
Mark Salyzyn authored
(cherry pick from commit 16fe52c9) One time executables. recovery_refresh can be used at any time to ensure recovery logs in pmsg are re-placed at the end of the FIFO. recovery_persist takes the recovery logs in pmsg and drops them into /data/misc/recovery/ directory. Bug: 27176738 Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
- Mar 11, 2016
dcashman authored
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app does not have access to sysfs. Give these files their own label and allow the needed read access. Bug: 27263241 Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
- Mar 10, 2016
Oleksandr Peletskyi authored
BUG: 27583869 Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d
- Mar 09, 2016
Makoto Onuki authored
... and client apps to read them. A full path looks like this: /data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png
System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps
Client apps will:
- Receive file descriptors and read from them.
Bug 27548047 Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b
- Mar 04, 2016
Alex Deymo authored
When using the A/B updater, a device specific hook is sometimes needed to run after the new partitions are updated but before rebooting into the new image. This hook is referred to throughout the code as the "postinstall" step. This patch creates a new execution domain "postinstall" which update_engine will use to run said hook. Since the hook needs to run from the new image (namely, slot "B"), update_engine needs to temporarily mount this B partition into /postinstall and then run a program from there. Since the new program in B runs from the old execution context in A, we can't rely on the labels set in the xattr in the new filesystem to enforce the policies baked into the old running image. Instead, when temporarily mounting the new filesystem in update_engine, we override all the new file attributes with the new postinstall_file type by passing "context=u:object_r:postinstall_file:s0" to the mount syscall. This allows us to set new rules specific to the postinstall environment that are consistent with the rules in the old system. Bug: 27177071 TEST=Deployed a payload with a trivial postinstall script to edison-eng. (cherry picked from commit 6cb2c893) Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef
- Mar 02, 2016
Tao Bao authored
system_server used to communicate with uncrypt via files (e.g. /cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B devices may not have /cache partitions anymore, we switch to communicate via /dev/socket/uncrypt to allow things like factory reset to keep working. Bug: 27176738 Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca
- Mar 01, 2016
Calin Juravle authored
This is a special profile folder where apps will leave profile markers for the dex files they load and don't own. System server will read the markers and decide which apk should be fully compiled instead of profile-guided compiled. Apps need only to be able to create (touch) files in this directory. System server needs only to be able to check whether or not a file with a given name exists. Bug: 27334750 Bug: 26080105 Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
- Feb 24, 2016
Glenn Kasten authored
Bug: 27323882 Change-Id: Idf3977d74817c4f90f9e993d2e1e5302cc56f41d
- Feb 23, 2016
Jeff Sharkey authored
Ringtones often live on shared media, which is now encrypted with CE keys and not available until after the user is unlocked. To improve the user experience while locked, cache the default ringtone, notification sound, and alarm sound in a DE storage area. Also fix bug where wallpaper_file wasn't getting data_file_type. Bug: 26730753 Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d
- Feb 19, 2016
Calin Juravle authored
Bug: 26719109 Bug: 26563023 Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995
- Feb 18, 2016
Christopher Tate authored
Bug 25454162 Change-Id: I3cd299ce28bf6235605265c47762969851845b78
- Feb 13, 2016
Jeff Tinker authored
Part of media security hardening This is an intermediate step toward moving mediadrm to a new service separate from mediaserver. This first step allows mediadrmservice to run based on the system property media.mediadrmservice.enable so it can be selectively enabled on devices that support using native_handles for secure buffers. bug: 22990512 Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
- Feb 09, 2016
Marco Nelissen authored
Bug: 22775369 Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
- Feb 05, 2016
Andreas Gampe authored
Add permissions to dex2oat, introduce otapreopt binary and otadexopt service. Bug: 25612095 Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7
- Jan 29, 2016
Christopher Tate authored
Also narrowly specify the domain for the local transport's bookkeeping. Bug 26834865 Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535
- Jan 28, 2016
Christopher Tate authored
Bug 25454501 Change-Id: I31357e658ecdbcc69df47fbc2d22e4849dd1539b
Marco Nelissen authored
This reverts commit 2afb217b. Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
- Jan 27, 2016
Chien-Yu Chen authored
Update policies for cameraserver so it has the same permissions as mediaserver. Bug: 24511454 Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
- Jan 26, 2016
James Hawkins authored
* Allow reading /proc.
type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305 comm="bootstat" name="uptime" dev="proc" ino=4026536600 scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
* Define domain for the /system/bin/bootstat file.
init: Service exec 4 (/system/bin/bootstat) does not have a SELinux domain defined.
Bug: 21724738 Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804
- Jan 22, 2016
Marco Nelissen authored
Bug: 22775369 Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
James Hawkins authored
/data/misc/bootstat. BUG: 21724738 Change-Id: I2789f57cc8182af1a7c33672ef82297f32f54e2e
- Jan 12, 2016
William Roberts authored
camera_device didn't really offer much in terms of control considering that most domains that need camera_device, also need video_device and vice versa. Thus, drop camera_device from the policy and add a temporary typealias. Change-Id: I144c0bb49a9a68ab1bdf636c64abe656f3e677b4 Signed-off-by: William Roberts <william.c.roberts@intel.com>
- Jan 04, 2016
Felipe Leme authored
This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
dcashman authored
Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0" dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
Bug: 22032619 Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
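The avc denials quoted in the bootstat commit (Jan 26, 2016) and the sysfs_zram commit just above are the raw material a policy author turns into rules. The following Python is an added example for this page, not code from the AOSP sepolicy project or from these commits: it does the core of what audit2allow does, parsing each denial, dropping the user, role and MLS level from the contexts (priv_app carries per-user categories such as s0:c512,c768), and taking the union of permissions per (source domain, target type, class). The sample lines are constructed from the denials quoted in the two commit messages; the field names follow the kernel's avc log format.

```python
"""Turn SELinux AVC denials into candidate allow rules (audit2allow-style).

Added example for this page; it is not code from the AOSP sepolicy
commits above. The sample denials are constructed from the lines quoted
in the bootstat and sysfs_zram commit messages.
"""
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the commit messages above,
# including one scontext that carries MLS categories (priv_app:s0:c512,c768)
# and one with a missing space between attributes, as logged on the page.
SAMPLE_DENIALS = """\
type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305 comm="bootstat" name="uptime" dev="proc" ino=4026536600 scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
"""

# avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<attrs>.*)$")
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """u:r:priv_app:s0:c512,c768 -> priv_app (drop user, role and MLS level)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def parse_denial(line):
    """Parse one avc line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(m.group("attrs"))}
    try:
        return {
            "perms": frozenset(m.group("perms").split()),
            "source": context_type(attrs["scontext"]),
            "target": context_type(attrs["tcontext"]),
            "tclass": attrs["tclass"],
            # permissive=1 means the access was logged but not blocked
            "enforced": attrs.get("permissive", "0") == "0",
            "comm": attrs.get("comm"),
            "object": attrs.get("path") or attrs.get("name"),
        }
    except (KeyError, ValueError):
        return None


def aggregate(log_text):
    """Union permissions per (source, target, tclass), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is not None:
            rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def to_allow_rules(rules):
    """Render sorted sepolicy 'allow' statements (braces only for >1 perm)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return out


def domains_for_target(rules, target):
    """Source domains that touch a target type. A long list for one type is
    a hint that the type is too coarse and should get a narrower label (as the
    HwRngTest commit above did for the hwrandom sysfs files) rather than broad
    allow rules for every domain that appeared in the log."""
    return sorted({src for (src, tgt, _cls) in rules if tgt == target})


if __name__ == "__main__":
    rules = aggregate(SAMPLE_DENIALS)
    print("\n".join(to_allow_rules(rules)))
    print("domains touching sysfs_zram:",
          ", ".join(domains_for_target(rules, "sysfs_zram")))
```

The generated statements are a starting point, not policy. The commits on this page resolved their denials by giving files a dedicated type and allowing only the access each domain actually needed; check any candidate rule against the policy's neverallow rules before adding it, and keep lines with permissive=1 apart, since those record access that was logged but never enforced.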
- Dec 14, 2015
Nick Kralevich authored
Start labeling the directory /sys/kernel/debug/tracing. The files in this directory need to be writable to the shell user. Remove global debugfs:file write access. This was added in the days before we could label individual debugfs files. Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
- Dec 08, 2015
Tao Bao authored
Bug: 26039641 Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4
Marco Nelissen authored
audioserver has the same rules as mediaserver so there is no loss of rights or permissions. media.log moves to audioserver. TBD: Pare down permissions. Bug: 24511453 Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
Nick Kralevich authored
Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
- Dec 03, 2015
Tom Cherry authored
Properties are now broken up from a single /dev/__properties__ file into multiple files, one per property label. This commit provides the mechanism to control read access to each of these files and therefore sets of properties. This allows full access for all domains to each of these new property files to match the current permissions of /dev/__properties__. Future commits will restrict the access. Bug: 21852512 Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
- Nov 21, 2015
Sen Jiang authored
This allows bspatch to have the same permissions as update_engine. Also added a rule to allow update_engine to execute bspatch. Bug: 24478450 Test: No more permission deny during delta update. Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4
- Nov 19, 2015
David Zeuthen authored
The update_engine daemon from Brillo is expected to be used also in Android so move its selinux policy to AOSP. Put update_engine in the whitelist (currently only has the recovery there) allowing it to bypass the notallow for writing to partitions labeled as system_block_device. Also introduce the misc_block_device dev_type as update_engine in some configurations may need to read/write the misc partition. Start migrating uncrypt to use this instead of overly broad block_device:blk_file access. Bug: 23186405 Test: Manually tested with Brillo build. Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a (cherry picked from commit a10f789d)
- Nov 16, 2015
Daniel Rosenberg authored
Change-Id: I9496af008aa3ad1bf33fb5911c8dd711af219440