Stopping hostapd abruptly with SIGKILL can sometimes leave the driver
in a poor state.  Long term, we should pro-actively go in and clean up
the driver.  In the short term, it helps tremendously to send SIGTERM
and give hostapd time to clean itself up.

Bug: 30311493
Test: With patches in this series, wificond can cleanly start and stop
      hostapd in integration tests.

Change-Id: Ic770c2fb1a1b636fced4620fe6e24d1c8dcdfeb8
(cherry picked from commit 762cb7c4)

Bug: 30292103
Change-Id: I433f2b8cc912b42bf026f6e908fd458a07c41fc2
Test: Integration tests reveal wificond can start/stop hostapd.
(cherry picked from commit 1faa9c55)

Bug: 30311493
Test: hostapd starts and stops reliably without complaining about
      permission to create the control directory, the control socket,
      or write to the control socket.

Change-Id: If8cf57cce5df2c6af06c8b7f28708e40876e948c
(cherry picked from commit cbabe363)

We need the ability to set file permissions, create files, write
files, chown files.

Test: integration tests that start/stop hostapd and write its config
      file via wificond pass without SELinux denials.
Bug: 30040724

Change-Id: Iee15fb36a6a4a89009d4b45281060379d70cd53c
(cherry picked from commit f83da142)

 wificond: type=1400 audit(0.0:43): avc: denied { create } for
 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket
 permissive=1

 wificond: type=1400 audit(0.0:44):
 avc: denied { setopt } for scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

 wificond: type=1400 audit(0.0:45):
 avc: denied { net_admin } for capability=12 scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=capability permissive=1

 wificond: type=1400 audit(0.0:46):
 avc: denied { bind } for scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

 wificond: type=1400 audit(0.0:47):
 avc: denied { write } for scontext=u:r:wificond:s0
 tcontext=u:r:wificond:s0 tclass=netlink_socket permissive=1

 wificond: type=1400 audit(0.0:48):
 avc: denied { read } for path="socket:[35892]" dev="sockfs" ino=35892
 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=netlink_socket
 permissive=1

TEST=compile and run

Change-Id: I5e1befabca7388d5b2145f49462e5cff872d9f43
(cherry picked from commit 781cfd82)

While here, remove a lot of extra permissions that we apparently
had because hostapd was inheriting fds from netd.

Bug: 30041118
Test: netd can request init to start/stop hostapd without denials.

Change-Id: Ia777497443a4226a201030eccb9dfc5a40f015dd
(cherry picked from commit 8a6c5f85)

WifiStateMachin: type=1400 audit(0.0:24): avc: denied { call } for
scontext=u:r:system_server:s0 tcontext=u:r:wificond:s0 tclass=binder
permissive=0

Bug: 29607308
Test: Above denial disapears

Change-Id: I9b5cfe414683991ffb6308eea612ca6750f1b8ec
(cherry picked from commit 71fb20be)

avc: denied { create } for scontext=u:r:wificond:s0
tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0

avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0
tcontext=u:r:wificond:s0 tclass=capability permissive=0

avc: denied { read } for name="psched" dev="proc" ino=4026535377
scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file
permissive=0

Test: fixes above avc denials
Bug: 29579539

Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b
(cherry picked from commit b6a6561d)

wificond would like to be able to set WiFi related properties
without access to the rest of the system properties.  Today,
this only involves marking the driver as loaded or unloaded.

avc: denied { write } for name="property_service" dev="tmpfs" ino=10100
scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0

Bug: 29579539
Test: No avc denials related to system properties across
      various WiFi events.

Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f
(cherry picked from commit 1ebfdd6a)

avc: denied { write } for name="fwpath" dev="sysfs" ino=6863
scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0
tclass=file permissive=0

Test: wificond and netd can write to this path, wifi works
Test: `runtest frameworks-wifi` passes

Bug: 29579539

Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994
(cherry picked from commit 7d13dd80)

Add the necessary permissions for |wpa_supplicant| to expose a binder
interface. This binder interface will be used by the newly added
|wificond| service (and potentially system_server).
|wpa_supplicant| also needs to invoke binder callbacks on |wificond|.

Changes in the CL:
1. Allow |wpa_supplicant| to register binder service.
2. Allow |wpa_supplicant| to invoke binder calls on |wificond|.
3. Allow |wificond| to invoke binder calls on |wpa_supplicant|

Denials:
06-30 08:14:42.788   400   400 E SELinux : avc:  denied  { add } for
service=wpa_supplicant pid=20756 uid=1010 scontext=u:r:wpa:s0
tcontext=u:object_r:default_android_service:s0 tclass=service_manager
permissive=1

BUG:29877467
TEST: Compiled and ensured that the selinux denials are no longer
present in logs.
TEST: Ran integration test to find the service.

Change-Id: Ib78d8e820fc81b2c3d9260e1c877c5faa9f1f662
(cherry picked from commit 18883a93)

This allows wificond to publish binder interface using
service manager.

Denial warnings:

wificond: type=1400 audit(0.0:8): avc:
denied { call } for scontext=u:r:wificond:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=1

wificond: type=1400 audit(0.0:9): avc:
denied { transfer } for scontext=u:r:wificond:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=1

servicemanager: type=1400
audit(0.0:10): avc: denied { search } for name="6085" dev="proc"
ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0
tclass=dir permissive=1

servicemanager: type=1400
audit(0.0:11): avc: denied { read } for name="current" dev="proc"
ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0
tclass=file permissive=1

servicemanager: type=1400
audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current"
dev="proc" ino=40641 scontext=u:r:servicemanager:s0
tcontext=u:r:wificond:s0 tclass=file permissive=1

servicemanager: type=1400
audit(0.0:13): avc: denied { getattr } for
scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process
permissive=1

SELinux : avc:  denied  { add } for
service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0
tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1

BUG=28867093
TEST=compile
TEST=use a client to call wificond service through binder

Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f
(cherry picked from commit d56bcb1c)

This sepolicy change allows wificond to run as a deamon.

BUG=28865186
TEST=compile
TEST=compile with ag/1059605
  Add wificond to '/target/product/base.mk'
  Adb shell ps -A | grep 'wificond'

Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d
(cherry picked from commit 4ef44a61)

am: f247dcba

Change-Id: Ie24129d68ee32fe0178dd0fe4aea4208e72f050f

Bug: 28746284
Change-Id: I59aa235ecba05e22aaa531e387a77f47267ac9ae

am: a67411c9

Change-Id: If2ab59c09b2ccf444281fdf9003e36119eb7295f

Bug: 28746284
Change-Id: Ib5e294402c549d8ed6764722220484c5655951a9

Ports check_seapp to pcre2.

Change-Id: If3faac5b911765a66eab074f7da2511624c3fc97

am: a15ea578  -s ours

Change-Id: I8acaaf29d6cd06291c45f3a1fb2e246718543922

Ports check_seapp to pcre2.

Merged-In: Ib9977326cfbb19ce143b04504f41afb884f2ec17
Bug: 24091652
Change-Id: Ib9977326cfbb19ce143b04504f41afb884f2ec17

am: c3774720

Change-Id: I7ffbc6c1d4213fe68c52ded884bd9db9f6b37fb1

Specifically we need init to relabel (/dev/device-mapper, /dev/block/dm-?)
and other files in /dev/block/* from tmpfs to dm_device and block_device
respectively.

BUG=27805372

Change-Id: I16af6e803f8e4150481137aba24d5406872f9c62

am: 89a8ed4e

Change-Id: I3733a74a23b3ece3a38fa2d7a2b3ea996f95c87f

am: c0937b6e

Change-Id: I06890bb6755d084f37bf6fb6564e4e1abeac8c06

Bug: http://b/30699558
Change-Id: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69
Merged-In: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69

Change-Id: I21dbd14d4e1bd89619e6fff91a85ed3fba02c324

The recovery flow for A/B devices allows to sideload an OTA downloaded
to a desktop and apply from recovery. This patch allows the "recovery"
context to perform all the operations required to apply an update as
update_engine would do in the background. These rules are now extracted
into a new attributte called update_engine_common shared between
recovery and update_engine.

Bug: 27178350
Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a

Change-Id: I2593e100bdad420d0d988fbaeb8d2ec259b8df1d

Change-Id: Ica9a16311075f5cc3744d0e0833ed876e201029f

Change-Id: I16706423534069f69bd0305ac500a9cd74db55a6

These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.

The /proc/interrupts and /proc/stat files were covered in this paper:

https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/

The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.

Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.

Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd

am: 2b33112a

Change-Id: I08987ae7229ebbbbcf980be4aaef2eb8fb7e24da

boolean and setenforce macros are not used in base policy
and cannot be used in any policy, since they violate
neverallow rules.

Remove these from the policy.

Change-Id: Icc0780eaf06e95af36306031e1f615b05cb79869
Signed-off-by: William Roberts <william.c.roberts@intel.com>

am: 19b6485f

Change-Id: I0574ab7e70a8b3d906a5b11368239d58d1d64e70

With v4.8+ kernels, CAP_WAKE_ALARM is needed to set
alarmtimers via timerfd (this change is likely to be
backported to stable as well).

However, with selinux enabled, we also need to allow
the capability on the system_server so this enables it.

Change-Id: I7cd64d587906f3fbc8a129d48a4db07373c74c7e
Signed-off-by: John Stultz <john.stultz@linaro.org>