am: 7c3dbfeb

Change-Id: I5480d47059b876ceffdf029ea14f6480516b43ef

am: cfcffa9a

Change-Id: I5979d4ea8a54944a7762cee2db04a078d0bd66bd

am: 37792cec

Change-Id: I469f6de852f10515148ef824c85ff2febf31322e

am: 82071b68

Change-Id: Ia3bd034033f82aaed63b173e5205e7449e2743ef

* changes:
  sepolicy: relabel /vendor
  Sepolicy: Add ASAN-Extract

am: 516c9abf

Change-Id: I59f1abcdb1f7184fc795c2164a5799e7ff7f4772

am: 63a93156

Change-Id: I26a67ce475de966ec979cf4dfddd8b3210802552

* changes:
  Add IpSecService SEPolicy
  Update Common NetD SEPolicy to allow Netlink XFRM

The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>

Add selinux policies for init script and shell script to unzip a tar
containing ASAN libraries on boot.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address
Test: manual (build steps for tar missing)
Change-Id: I5c3cb233aae93ee9985431090af902b0e3c1b0a7
(cherry picked from commit 0b743050)
Merged-In: I5c3cb233aae93ee9985431090af902b0e3c1b0a7

am: 6821bb40

Change-Id: I90f1ae5f671cbf7bcdcab728dd0bfac673f95050

Test: adbd_test (with and without adb root)
  Note: one test fails without root with and without this change
        because of an unrelated shell selinux denial.
Test: adb screencap, pull, and verify
Test: Android Studio screenshot
Bug: 36643190
Change-Id: Ib534240bc9bb3a1f32b8865ca66db988902a0f4a

am: 6f108fd8

Change-Id: I98a793c05260b9f469902c17375693ef7c68b238

am: c0e6cb58

Change-Id: If2cc73c4f4b14fb46273b97aae151e735ccddaa0

Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.

Addresses the following logspam similar to:

  avc: granted { lock } for comm="iptables"
  path="/system/etc/xtables.lock" dev="sda22" ino=3745
  scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file

  avc: granted { lock } for comm="dex2oat"
  path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
  scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file

Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f

am: ccbea503

Change-Id: I55fab2ec9b63c5d9393bd18d9c340030ee9f1cc5

am: abaf415c

Change-Id: I89396424e62a09f8e111212b920fc0897b6a517e

am: e311d669

Change-Id: Ibeb5854ca377048726b01288030a421e7f1a9bc2

am: 72f6219f

Change-Id: I93bd189fc07ee4386b1a1c14cf345ca739f9f64b

am: 8b080ee2

Change-Id: Ieba9f9055b78d349c883ca1132336c318e490b17

Wifi Keystore HAL is a HwBinder service (currently offered by keystore
daemon) which is used by Wifi Supplicant HAL. This commit thus
switches the SELinux policy of Wifi Keystore HAL to the approach used
for non-HAL HwBinder services.

The basic idea is simimilar to how we express Binder services in the
policy, with two tweaks: (1) we don't have 'hwservicemanager find' and
thus there's no add_hwservice macro, and (2) we need loosen the
coupling between core and vendor components. For example, it should be
possible to move a HwBinder service offered by a core component into
another core component, without having to update the SELinux policy of
the vendor image. We thus annotate all components offering HwBinder
service x across the core-vendor boundary with x_server, which enables
the policy of clients to contain rules of the form:
binder_call(mydomain, x_server), and, if the service uses IPC
callbacks, also binder_call(x_server, mydomain).

Test: mmm system/sepolicy
Test: sesearch indicates to changes to binder { call transfer} between
      keystore and hal_wifi_supplicant_default domains
Bug: 36896667

Change-Id: I45c4ce8159b63869d7bb6df5c812c5291776d892

am: 0dd37a3b

Change-Id: I91a8cfce767c1b280bbea788038cc8a24363f662

am: 8da8e872

Change-Id: I84e2d4d81892ee48d0e3db3875c9dd0b49f3ce2d

am: b5b6e0c5

Change-Id: Ie55c6153a4484921cf85bff0fc64e2b345715ae1

SELinux policy no longer has allow rules which permit core/non-vendor
domains to communicate with tee domain over sockets. This commit thus
removes tee from the list of temporary exceptions for the socket
communications prohibition.

Test: mmm system/sepolicy
Bug: 36714625
Bug: 36715266
Change-Id: Iccbd9ea0555b0c9f1cb6c5e0f5a6c0d3f8730b4d

Currently update_verifier only verifies the blocks when dm-verity is in
'enforcing' mode; and dm-verity will reboot the device upon detection of
errors. However, sometimes the verity mode is not guaranteed to be
correct. When mode is 'eio' for example, dm-verity will not trigger
a reboot but rather fail the read. So update_verifier need to take the
responsibility to reboot the device. Otherwise the device will continue
to boot without setting the flag "isSlotMarkedSuccessful".

Denial message:
update_verifier: type=1400 audit(0.0:18): avc: denied { write } for
name="property_service" dev="tmpfs" ino=14678 scontext=u:r:update_verifier:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Bug: 36260064
Test: powerctl property sets successfully

Change-Id: I1260e60f2ef4db50573e515ba95c332512c8ae62
(cherry picked from commit 0d8c1e0a)

Test: manual (verified no denials in basic telephony operations)
Bug: 36613472
Change-Id: I31274adee2cb6293102446cd2d6d547c50616836

am: ea53e29f

Change-Id: Ic6aa9fa02e28a6f35ad76a8387593ecd566929a7

am: 64c8aa96

Change-Id: I1260e60f2ef4db50573e515ba95c332512c8ae62

am: 6429e000

Change-Id: I14d24ef85a8409adaffe4073e3697d21a2c2f05f