- Mar 23, 2017

Steven Moreland authored
Whitelist several hals which can be dumped by bugreports. Don't want to dump more because of the time it takes and also certain hals have sensitive data which shouldn't be dumped (i.e. keymaster).

Test: dumps work for given hals
Bug: 36414311
Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22

- Mar 20, 2017

Alex Klyubin authored
This switches Allocator HAL policy to the design which enables us to identify all SELinux domains which host HALs and all domains which are clients of HALs. Allocator HAL is special in the sense that it's assumed to be always binderized. As a result, rules in Camera HAL target hal_allocator_server rather than hal_allocator (which would be the server and any client, if the Allocator HAL runs in passthrough mode).

Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936

Alex Klyubin authored
This adjusts the grants for recovery to make it explicit that recovery can use the Boot Control HAL only in passthrough mode.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
  1. make dist
  2. Ensure device has network connectivity
  3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5

Treehugger Robot authored

- Mar 18, 2017

Alex Klyubin authored
This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
  1. make dist
  2. Ensure device has network connectivity
  3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf

- Mar 17, 2017

Treehugger Robot authored

Jorge Lucangeli Obes authored
The fix for b/35100237 surfaced this error. This SELinux policy fragment was included only on Marlin, but needs to be included in core policy.

Bug: 35100237
Test: With https://android-review.googlesource.com/#/c/354292/
Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin.
Test: Connect:
03-17 15:41:22.602 3809 3809 I mtpd : Starting pppd (pppox = 9)
03-17 15:41:22.628 3811 3811 I pppd : Using PPPoX (socket = 9)
03-17 15:41:22.637 3811 3811 I pppd : pppd 2.4.7 started by vpn, uid 1016
03-17 15:41:22.639 3811 3811 I pppd : Using interface ppp0
03-17 15:41:22.639 3811 3811 I pppd : Connect: ppp0 <-->
03-17 15:41:22.770 3811 3811 I pppd : CHAP authentication succeeded
03-17 15:41:22.909 3811 3811 I pppd : MPPE 128-bit stateless compression enabled
03-17 15:41:23.065 3811 3811 I pppd : local IP address 172.16.36.113
03-17 15:41:23.065 3811 3811 I pppd : remote IP address 172.16.36.1
03-17 15:41:23.065 3811 3811 I pppd : primary DNS address 8.8.8.8
03-17 15:41:23.065 3811 3811 I pppd : secondary DNS address 91.239.100.100
Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927

Andreas Gampe authored
Certain libraries may actually be links. Allow OTA dexopt to read those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed

Andreas Gampe authored
Allow getattr on links for otapreopt_slot. It reads links (to the boot image oat files) when collecting the size of the artifacts for logging purposes.

Bug: 30832951
Test: m
Change-Id: If97f7a77fc9bf334a4ce8a613c212ec2cfc4c581

Treehugger Robot authored

Alex Klyubin authored
This switches most remaining HALs to the _client/_server approach. To unblock efforts blocked on majority of HALs having to use this model, this change does not remove unnecessary rules from clients of these HALs. That work will be performed in follow-up commits. This commit only adds allow rules and thus does not break existing functionality.

The HALs not yet on the _client/_server model after this commit are:
* Allocator HAL, because it's non-trivial to declare all apps except isolated apps as clients of this HAL, which they are.
* Boot HAL, because it's still on the non-attributized model and I'm waiting for update_engine folks to answer a couple of questions which will let me refactor the policy of this HAL.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: Device boots in recovery mode, no new denials
Bug: 34170079
Change-Id: I03e6bcec2fa02f14bdf17d11f7367b62c68a14b9

Calin Juravle authored

- Mar 16, 2017

Mathias Agopian authored
Test: take a screenshot
Test: run CTS ImageReaderTest
Bug: 36194109
(cherry picked from commit 49ed0cd6)
Change-Id: I331bce37b35e30084ba9f7ecd063a344a79c5232

Treehugger Robot authored

Calin Juravle authored
The secondary dex files are application dex files which get reported back to the framework when using BaseDexClassLoader. Also, give dex2oat lock permissions as it needs to lock the profile during compilation.

Example of SELinux denial:
03-15 12:38:46.967 7529 7529 I profman : type=1400 audit(0.0:225): avc: denied { read } for path="/data/data/com.google.android.googlequicksearchbox/files/velour/verified_jars/JDM5LaUbYP1JPOLzJ81GLzg_1.jar.prof" dev="sda35" ino=877915 scontext=u:r:profman:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1

Test: adb shell cmd package bg-dexopt-job works for secondary dex files
Bug: 26719109
Change-Id: Ie1890d8e36c062450bd6c54f4399fc0730767dbf

Treehugger Robot authored

Jaesoo Lee authored
This change defines a new policy for modprobe (/sbin/modprobe) that should be used in both recovery and android mode.

Denials:
[   16.986440] c0    437 audit: type=1400 audit(6138546.943:5): avc: denied { read } for pid=437 comm="modprobe" name="modules" dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986521] c0    437 audit: type=1400 audit(6138546.943:6): avc: denied { open } for pid=437 comm="modprobe" path="/proc/modules" dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
[   16.986544] c0    437 audit: type=1400 audit(6138546.943:7): avc: denied { getattr } for pid=437 comm="modprobe" path="/proc/modules" dev="proc" ino=4026532405 scontext=u:object_r:modprobe:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Bug: 35633646
Test: Build and tested it works in sailfish recovery. The modprobe is invoked in init.rc (at the end of 'on init') with following command line
  exec u:r:modprobe:s0 -- /sbin/modprobe -a nilfs2 ftl
Change-Id: Ie70be6f918bea6059f806e2eb38cd48229facafa

- Mar 15, 2017

Jiwen 'Steve' Cai authored
bufferhubd should be able to use sync fence fd from mediacodec; and mediacodec should be able to use a gralloc buffer fd from the bufferhubd.

Bug: 32213311
Test: Ran exoplayer_demo and verify mediacodec can plumb buffer through bufferhub.
Change-Id: Id175827c56c33890ecce33865b0b1167d872fc56

Yifan Hong authored
Test: no log spam for graphics allocator
Test: dmesg | audit2allow does not show denial for hal_graphics_allocator_default
Test: system is responsive after boot (because android.hardware.graphics.allocator@2.0::IAllocator getService() will not be blocked)
Bug: 36220026
Change-Id: I3e103f88988fe4a94888e92ee8c5b1f27845ad9e

Jeff Vander Stoep authored
Policy intermediates are being placed in seemingly random intermediates directories. Currently:
  out/target/product/marlin/obj_arm/SHARED_LIBRARIES/libsoftkeymaster_intermediates
Instead, place intermediates in the sepolicy_intermediates dir.

Test: intermediates now placed in:
  out/target/product/marlin/obj/ETC/sepolicy_intermediates
Test: Marlin builds, no change to sepolicy on device.
Bug: 36269118
Change-Id: Ib6e9d9033be4dc8db0cc66cb47d9dc35d38703fe

Treehugger Robot authored

Fyodor Kupolov authored

Alex Klyubin authored
This file is no longer needed because it was needed for supporting reloadable/dynamic SELinux policy which is no longer supported.

Test: Clean build, flash, device boots without additional denials. Reboot to recovery works, no additional denials.
Bug: 33642277
Change-Id: I7fffe2fd12f586ed9b3ae54e35d17abdebbe7bce

Treehugger Robot authored

Fyodor Kupolov authored
Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446

Xin Li authored
Test: build
Bug: 36229129
Change-Id: I0654ce44f344729b0bb1f8716afa151e134fdc6a

- Mar 14, 2017

Nick Kralevich authored
Allow run-as to transmit unix_stream_sockets from the shell user to Android apps. This is needed for Android Studio's profiling tool to allow communication between apps and debugging tools which run as the shell user.

Bug: 35672396
Test: Functionality was tested by shukang
Test: policy compiles.
Change-Id: I2cc2e4cd5b9071cbc7d6f6b5b0b71595fecb455e

Alex Klyubin authored
This switches Sensors HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Sensors HAL.

Domains which are clients of Sensors HAL, such as system_server, are granted rules targeting hal_sensors only when the Sensors HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_sensors are not granted to client domains. Domains which offer a binderized implementation of Sensors HAL, such as hal_sensors_default domain, are always granted rules targeting hal_sensors.

P. S. This commit also removes allow system_server sensors_device:chr_file rw_file_perms because this is device-specific and thus not needed in device-agnostic policy. The device-specific policy of the affected devices already has this rule.

Test: Device boots, no new denials
Test: adb shell dumpsys sensorservice lists tons of sensors
Test: Proprietary sensors test app indicates that there are sensors and that the app can register to listen for updates for sensors and that such updates arrive to the app.
Bug: 34170079
Change-Id: I61bf779070eabcb64ae73724d62b6e837319a668

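The passthrough/binderized split described in the Boot Control and Sensors commits above, as an added example written for this page (it is not the repository's hal_sensors.te and not Alex Klyubin's code): plain attribute/typeattribute statements in the .te syntax used by system/sepolicy. The repository wraps these statements in hal_attribute, hal_client_domain and hal_server_domain macros; those macro names are assumed here, binder_call is the te_macros helper, and the sensors_device grant stands in for the device-specific rule the Sensors commit moved out of core policy. HwBinder service-manager lookup rules are left out because they do not affect the point.

```selinux
# One attribute per HAL for "runs the HAL code" (hal_sensors) and one
# each for the two sides of the HwBinder IPC (_client / _server).
# In the repository these three come from hal_attribute(sensors) (name assumed).
attribute hal_sensors;
attribute hal_sensors_client;
attribute hal_sensors_server;

# Rules only the code that implements the HAL needs: the kernel driver node.
# Always written against hal_sensors, never against a concrete domain.
# (Device-specific grant; shown here as the example rule, not core policy.)
allow hal_sensors sensors_device:chr_file rw_file_perms;

# Rules every binderized client and server need: HwBinder calls both ways.
# binder_call(a, b) is the te_macros helper for "a may call b and use b's fds".
binder_call(hal_sensors_client, hal_sensors_server)
binder_call(hal_sensors_server, hal_sensors_client)

# A domain offering the HAL in its own process is a server AND runs the HAL
# code, so it is always marked with both attributes.
# (hal_server_domain(hal_sensors_default, hal_sensors) in the repository, name assumed.)
typeattribute hal_sensors_default hal_sensors_server;
typeattribute hal_sensors_default hal_sensors;

# A client such as system_server is only marked as a client ...
# (hal_client_domain(system_server, hal_sensors), name assumed.)
typeattribute system_server hal_sensors_client;

# ... and is additionally marked hal_sensors ONLY on a device where the HAL
# is passthrough, i.e. its .so is loaded into the client's own process and
# therefore has to open sensors_device from system_server's context.
# On a binderized device this line is absent, so system_server never
# receives the sensors_device:chr_file rule above; only hal_sensors_default does.
typeattribute system_server hal_sensors;   # passthrough devices only
```

The resulting grants are the point of the model: with the last line present, `sesearch -A -s system_server -t sensors_device` on the compiled policy shows the chr_file rule; with it removed, only hal_sensors_default matches, and the client keeps nothing but the binder rules.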
Treehugger Robot authored

Jeff Vander Stoep authored
Only audio HAL may access audio driver. Only camera HAL may access camera driver.

Test: aosp_marlin and aosp_bullhead policy builds.
Note: neverallow rules are compile time assertions and do not change the on-device policy.
Bug: 36185625
Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3

Jeff Vander Stoep authored
Only HALs that manage networks need network capabilities and network sockets.

Test: aosp_marlin and aosp_bullhead policy builds.
Note: neverallow rules are compile time assertions and do not change the on-device policy.
Bug: 36185625
Change-Id: Id64846eac24cf72ed91ce775cecb2c75f11b78df

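The two neverallow commits above, as an added example written for this page (not copied from the repository's hal_neverallows.te and not Jeff Vander Stoep's change): the assertions are written against the halserverdomain attribute with the one permitted server subtracted, so a conflicting allow rule anywhere in the policy, including a vendor .te, fails the policy build instead of silently widening on-device access. The audio and camera types and the hal_*_server attributes are the ones named in the commits; hal_wifi_server as the only network exception, and hal_light_default in the violating rule, are assumptions for illustration.

```selinux
# Neverallow rules grant nothing. checkpolicy/secilc refuse to compile a
# policy in which any allow rule matches one of them, so they are build-time
# assertions about the whole policy, core and vendor together.

# Only the audio HAL server may reach the audio driver, only the camera HAL
# server the camera driver. Subtracting the permitted server from the
# halserverdomain attribute asserts this for every other HAL server at once,
# including ones added later by a vendor.
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;

# Only network-managing HALs get network capabilities and network sockets.
# Exception list is illustrative (hal_wifi_server assumed); the repository
# holds the real one.
neverallow { halserverdomain -hal_wifi_server } self:capability { net_admin net_raw };
neverallow { halserverdomain -hal_wifi_server } domain:{ tcp_socket udp_socket rawip_socket } *;

# A rule that would now break the build: a vendor policy handing the audio
# node to an unrelated HAL server (hal_light_default assumed to exist and to
# be in halserverdomain). Leave it commented out; uncommenting it makes
# checkpolicy fail with a "neverallow check failed" error for the first
# assertion above, and nothing is written to the device.
# allow hal_light_default audio_device:chr_file rw_file_perms;
```

Because the rules change nothing at runtime, the way to check them is to build the policy; the CTS SELinuxNeverallowRulesTest later re-checks the shipped policy against the same assertions, so a device that skips the build-time check is still caught.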
- Mar 13, 2017

Alex Klyubin authored
This makes the build system, for TREBLE devices only, place plat_property_contexts under /system/etc/selinux and nonplat_property_contexts under /vendor/etc/selinux. For other devices these files are placed under /, same as before.

This change was previously reverted because it affected the location of property_contexts in recovery. Now that we have separate targets for recovery (see ec78c377), this change no longer affects recovery.

Test: *_property_contexts in correct locations when PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Test: cts-tradefed run singleCommand cts --skip-device-info \
  --skip-preconditions --skip-connectivity-check \
  --abi arm64-v8a --module CtsSecurityHostTestCases \
  -t android.security.cts.SELinuxHostTest#testAospPropertyContexts
This test was performed on bullhead (non A/B device) and sailfish (A/B device).
Test: Clean build, flash, device boots with no additional denials. Rebooting to recovery, recovery boots fine with no denials. This test was performed on bullhead (non A/B device) and sailfish (A/B device).
Bug: 36002573
(cherry picked from commit 4cb628a3)
Change-Id: I0b145c58669fb31bc39d57f36eef1190425a8328

Alex Klyubin authored
This ensures that SELinux policy artifacts needed by recovery at runtime have targets in this build script. This is to make recoveryimage/bootimage targets depend on these artifacts explicitly, which reduces the element of surprise. Moreover, this enables us to move non-recovery artifacts around without affecting recovery artifacts.

Test: Clean build, flash, device boots just fine, no new denials. Reboot to recovery, recovery boots just fine, no denials. This was tested on bullhead (non A/B device) and sailfish (A/B device).
Bug: 33642277
Change-Id: I3c494d9d7fec5c4f487d38964e572757fcf67f57

Josh Gao authored
Allows the following denials:
avc: denied { use } for pid=9099 comm="mediacodec" path="/data/tombstones/tombstone_08" dev="sda35" ino=877473 scontext=u:r:mediacodec:s0 tcontext=u:r:tombstoned:s0 tclass=fd permissive=1
avc: denied { append } for pid=9099 comm="mediacodec" path="/data/tombstones/tombstone_08" dev="sda35" ino=877473 scontext=u:r:mediacodec:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file permissive=1

Bug: http://b/36156624
Test: killall -ABRT media.codec
Test: killall -ABRT media.extractor
Change-Id: I3dde1879b44e3e63c747a3ff8dd4bf213cb8afb6

- Mar 11, 2017

Jeff Vander Stoep authored
Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756 1345 1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787 1345 1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167
Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9

- Mar 10, 2017

Jeff Vander Stoep authored
Build file_contexts.bin on legacy builds.

Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boots with /system/etc/selinux/plat_file_contexts and /vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414
Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6

Alex Klyubin authored
Recovery should always use monolithic policy. Thus, we don't need split policy files *.recovery.cil. This commit removes these targets and rolls up the relevant parts of the targets into "sepolicy.recovery" which is the target which produces monolithic policy for recovery.

Test: make clean && make sepolicy.recovery, then confirm that sepolicy.recovery is identical to the one produced prior to this change.
Test: Clean build, flash, device boots up fine, no new denials. Device also boots into recovery just fine, no denials.
Bug: 31363362
Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7

Treehugger Robot authored

Alex Klyubin authored
This reverts commit 4cb628a3.

Reason for revert: recovery image on marlin & sailfish no longer contained *property_contexts and thus recovery failed to boot.

Test: Clean build, flash, sailfish and bullhead boot up just fine, and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7