am: a2e9664c

Change-Id: I184d353b6ca0c8e5b712da11b4de777e04a5b79f

am: eca32251

Change-Id: I22930eb5a18047b235b6d1028a3fc49e5a6b0989

Test: adb kill-server && adb shell dumpsys storaged
Bug: 36492915
Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9

am: 02d9d21d

Change-Id: I29861f9cc52001f2968c2313f48031dd01afe8c7

Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
Merged-In: Ib8d610f201a8c35f95b464c24857c6639205bc66

This CL changes the policy for ASAN files on-disk to support the
changes made by the following CLs -
https://android-review.googlesource.com/#/c/359087/
https://android-review.googlesource.com/#/c/359389/

which refactor the on-disk layout of sanitized libraries in the following
manner -
/data/lib* --> /data/asan/system/lib*
/data/vendor/* --> /data/asan/vendor/*

There are a couple of advantages to this, including better isolation
from other components, and more transparent linker renaming and
SELinux policies.

Bug: 36574794
Bug: 36674745
Test: m -j40 && SANITIZE_TARGET="address" m -j40 and the device
boots. All sanitized libraries are correctly located in /data/asan/*,
and have the right SELinux permissions.

Change-Id: Ib08e360cecc8d77754a768a9af0f7db35d6921a9

am: 32815389

Change-Id: Id6cc5e3c1dc6b098f893b566dcbf09fc29973162

am: 7eb3dd3b

Change-Id: Iafaa3fd315533c4cb49847d927d2c7cbae71bb51

* changes:
  Add IpSecService SEPolicy
  Update Common NetD SEPolicy to allow Netlink XFRM

am: ad38a45c

Change-Id: I0d974996ee28e0cff0a5a59de66ce2247c1c254a

am: 915c0070

Change-Id: I6899ca877d1ccf0a3d475fd34cfffc00eacdf23d

am: 5a9410cf

Change-Id: I4cf02d403a045bce6da96939406a886197f5a1a5

am: 3f724c95

Change-Id: Ia390c3537b7efe897154380ee836dbb7ac0ed742

This is a special file that can be mounted as a loopback device to
exercise adoptable storage code on devices that don't have valid
physical media.  For example, they may only support storage media
through a USB OTG port that is being used for an adb connection.

avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Bug: 34903607
Change-Id: I84721ec0e9495189a7d850461875df1839826212

Moves selinux policy build decisions to system/sepolicy/Android.mk.
This is done because the PRODUCT_FULL_TREBLE variable isn't available
in embedded.mk and TARGET_SANITIZE isn't available to dependencies of
init.

Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are
      included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235

am: 2224f30a

Change-Id: I184272269fed360807e41a1cac1fe099477685e6

am: 133d5298

Change-Id: I934f58768bd30de9c62d33e83b6a1b60f0d0fb9b

Per loop(4), this device is the preferred way of allocating new
loop devices since Linux 3.1.

avc: denied { read write } for name="loop-control" dev="tmpfs" ino=15221 scontext=u:r:vold:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0

Bug: 34903607
Change-Id: I1f5f62cf0a1c24c6f6453100004812af4b8e1503

am: 5d0c2e41

Change-Id: I30a0587f8bb4a99a97ddce7d989302f9a89a02af

secilc is being used without -f which is causing a file_contexts
file to be generated in the root of the tree where the build tools
run:

$ stat $T/file_contexts
  File: 'file_contexts'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fc00h/64512d	Inode: 5508958     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/wcrobert)   Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700

Test: remove $T/file_contexts, touch a policy file and make sepolicy,
      ensure file is not regenerated. Also, ensure hikey builds and
      boots.

Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Bug: 36546152
Bug: 36278706

Test: `adb shell screencap ...` and pull and visually verify image.
Change-Id: Iab2ddcfc145cb7f55104cd8f1ce0d58286bca282

am: 987014c8

Change-Id: I97a2e56097ca2f4a23ae682afcb86c47d9fd8749

Test: `adb shell am hang --allow-restart` -> Watchdog dumps
  hal traces (eventually)
Bug: 36414311

Change-Id: I57e6875998b1f06a7deec1b8774facb75148d2c1

am: 73a6f38b

Change-Id: I24d9be712209ee22a33ae858001c4e38e0eb763a

am: 6b558dcb

Change-Id: I82c412038e43bb343dc355c9d1e56a11f6da6542

This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92

This is a follow-up to f5446eb1 where
I forgot to associate su and perfprofd domains with coredomain.

Test: mmm system/sepolicy
      sepolicy-analyze $OUT/root/sepolicy attribute coredomain
Bug: 35870313
Change-Id: I13f90693843f7c6fe9fea8e5332aa6dd9558478a

am: f5446eb1

Change-Id: I23d5d274ae05a9b0bdac6872be86c3f56aec734e

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

am: 93f99cb1

Change-Id: I877e23910bc424a2026bab1d9669bc6537ea5c31