- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice

Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a

New procfs file read by storaged to dump fg/bg IO usage.

Remove kmsg rule since it's no longer used by storaged.

Allow storaged to find permission_service to translate UID
to package name.

Test: adb shell storaged -u
Bug: 34198239
Change-Id: I74654662c75571cbe166cf2b8cbab84828218cbd

This reverts commit 262edc38.

Fixes: 34370523
Change-Id: I077d064d4031d40bc48cb39eba310e6c16b9627d

New procfs file written by the system_server to communicate fg/bg
state of UIDs to switch the statistics counter sets used.

avc: denied { write } for name="set" dev="proc" ino=4026531862 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Test: builds, boots, counter sets updated
Bug: 34360629
Change-Id: I2efbfbba9e73f50ce50a80a3dffd3b14fa55c048

Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: I7881af8922834dc69b37dae3b06d921e05206564
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: 33746484
Test: Successfully boot with original service and property contexts.
      Successfully boot with split serivce and property contexts.

Change-Id: Ide67d37d85273c60b9e387e72fbeb87be6da306a
Signed-off-by: Sandeep Patil <sspatil@google.com>

This marks all HAL domain implementations with the haldomain attribute
so that rules can be written which apply to all HAL implementations.

This follows the pattern used for appdomain, netdomain and
bluetoothdomain.

Test: No change to policy according to sesearch.
Bug: 34180936
Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6

Move from fingerprintd to new fingerprint_hal and update SeLinux policy.

Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6

The following are the avc denials that are addressed:

avc: denied { call } for pid=889 comm="system_server"
scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0
tclass=binder permissive=0

avc: denied { call } for scontext=u:r:hal_gnss_default:s0
tcontext=u:r:system_server:s0 tclass=binder permissive=0

avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837
scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43"
ino=1837 scontext=u:r:hal_gnss_default:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug:31974439

Test: Checked that there no more related avc denial messages related to
the GNSS HAL in dmesg.

Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5

It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.

/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.

Bug: 33347297
Test: The phone boots without any apparent log spam.

Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb

Test: run a gtest in /data/nativetest/ with no permission denial
Change-Id: Id644ed7dbea59becaf84b6073c9144711ad07c10

Bug: 34231014
Test: Boot angler to ensure no additional denials are reported.

Change-Id: Ic2372d55f7072c65e7ea17036a8eb40dc531d60e
Signed-off-by: Sandeep Patil <sspatil@google.com>

Bug: http://b/34228376
Test: m
Change-Id: I1321ada1521bb3e3fd08105f1a41d519ee486683

Test: builds
Bug: 32206268
Change-Id: I236105b029178f96da519c2295c66c686dcae7cb

Bug: 31972505
Test: VTS test passes, Bluetooth starts/stops
Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08

This leaves only the existence of ephemeral_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private. There are a few rules, defined by other domains'
files remaining in the public policy until the rules from these
domains also move to the private policy:

allow ephemeral_app_current appdomain:binder transfer;
allow ephemeral_app_current audioserver_current:binder transfer;
allow ephemeral_app_current drmserver_current:binder transfer;
allow ephemeral_app_current dumpstate_current:binder transfer;
allow ephemeral_app_current mediaserver_current:binder transfer;
allow ephemeral_app_current surfaceflinger_current:binder transfer;
allow ephemeral_app_current system_server_current:binder transfer;

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I98687181434a98a141469ef676c461fcd1db2d4e

This leaves only the existence of platform_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da

Bug: 33746381
Test: Device boots with no extra denials.
Change-Id: I2f0da92367851142e0d7df4afec8861ceaed9d3e

This is already provided in app.te via create_file_perms for
notdevfile_class_set.

Change-Id: I89ed3537fd1e167571fe259bd4804f8fcc937b95

All SELinux domains are already granted the ability to read the
filenames in /proc, so it's unnecessary to add it to storaged.te.

  $ grep "proc:dir r_dir_perms" public/domain.te
  allow domain proc:dir r_dir_perms;

Remove redundant rule.

Test: policy compiles.
Change-Id: I8779cda19176f7eb914778f131bb5b14e5b14448

Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate

Bug: 32221677

Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630

Allowing storaged for reading from pseudo filesystems and debugfs.

Bug: 32221677

Change-Id: I837cead9a68f0b399703b64d724cb9c4b205c335

No denials collected.

Bug: 28760354
Test: no denials collected.
Test: device boots and no obvious problems
Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec

This leaves only the existence of system_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from system_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96

This leaves only the existence of isolated_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from isolated_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3

This leaves the existence of priv_app domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from priv_app_current
      attribute (as expected) except for
      allow priv_app_current update_engine_current:binder transfer;
      which is caused by public update_engine.te rules and will go
      away once update_engine rules go private.
Bug: 31364497

Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391

This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from untrusted_domain_current
      attribute (as expected).
Bug: 31364497

Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92

Simulate platform and non-platform split by compiling two different
file_contexts files and loading them together on-device.  Leave the existing
file_contexts.bin in place until we're ready to build images based on the new
files.

Bug: 31363362
Test: Builds and boots without additional denials.
Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0

Bring back file_contexts.bin.

Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674
Signed-off-by: Sandeep Patil <sspatil@google.com>

/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.

Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:

1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive

While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.

Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49

Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c
Signed-off-by: Alexey Polyudov <apolyudov@google.com>

Adding sepoilcy for sensors.

Test: Sensors work.
Change-Id: Ibbf0c1a22654a17b1573e3761ea9ccd816150255

Adding sepolicty for contexthub service.

Test: GTS tests pass.
Change-Id: I2576b8028d12a31151d7b7869679b853eb16c75e

This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.

The reason is that some of these properties may leak persistent
identifiers not resettable by the user.

Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472

ro.runtime.firstboot system property is only used internally by
system_server to distinguish between first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track individual
device. Thus apps should not have access to this property.

Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c

Bring the context hub service advertised name into compliance with
the other Android services. This changes the name from
"contexthub_service" to "context".

Test: GTS tests pass.

Change-Id: I8490d60f89bdb97813e328b9ddf08270470fda76

Bug: 32123421
Test: full build/test of allocator hal using hidl_test
Change-Id: I253b4599b6fe6e7f4a2f5f55b34cdeed9e5d769b

This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.

The reason for the restriction is that serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.

Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7

- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
  userdebug logging

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c

Test: It's a comment -- no impact on build
Change-Id: Ibd7ff0dcd9d4c3d526ca20ab35dd4bac70d14f0a

Bug: 31077138
Test: Device boots, coverage service works when tested manually.
Change-Id: Ia855cfefd5c25be5d1d8db48908c04b3616b5504