Docs: Misc fixes for CDD.

Cherrypick of 512299 from oreo-dev

Bug: 67405273

Test: make_cdd.py --version 8.0 --branch "oc-dev"
Change-Id: Icee371d41284f56ef6d9ad90ab8992c94134d5bd

Merge "Docs: Fix the wrong CDD IDs" into oc-mr1-dev

Merge "CDD: Require verified boot when device has enough RAM vs. good AES-crypto performance" into oc-mr1-dev

Merge "CDD: Require secure storage of lock screen credentials" into oc-mr1-dev

CDD: Require verified boot when device has enough RAM vs.
good AES-crypto performance

Update verified boot requirement to be MUST for devices that report
feature flag android.hardware.ram.normal

Bug: 35039737
Test: N/A
Change-Id: If7346873f92879a551935b55597762a46b5e89c8

Merge "CDD: Changes to measure biometric unlock security." into oc-mr1-dev

Merge "CDD: AES encrypt the encryption key by default" into oc-mr1-dev

CDD: Require secure storage of lock screen credentials

- With credential-based Factory Reset Protection, the
credential handle is stored on an unencrypted partition. To maintain
security guarantees, implementations must make sure that the handle
does not leak information about the credential.

Bug: 64209214
Test: n/a
Change-Id: I55f15cc75502016824d9307c03d947c4041744b0

CDD: Changes to measure biometric unlock security.

Adds imposter and spoof acceptance rate metrics for biometric based
unlocks, and mandates showing a disclosure of the risks involved when
an unlock modality does not meet the bar.

Bug: 66013719
Bug: 63910023
Test: N/A
Change-Id: I6a129481c0036c756f8c7d95cf3da1bab9f3f0f1

Docs: Fix the wrong CDD IDs

Change-Id: I6bd2307df02ef169fa641e4e0a4a24babdae7f6d
Bug: 69794136

CDD: AES encrypt the encryption key by default

For Android O-MR1 we are requiring that all encryption keys are
encrypted with AES by default, unless the user explicitly opts out.

Bug: 33744049
Change-Id: Ic74dcd960ef89b752f580bd2ce2e42acca643c1f
Test: Not necessary -- this is a policy change.

Docs: Move dev-specific reqs to Ch 2.

Test: python make_cdd.py --version <version-number>  --branch <mybranch>

Bug: 64164626
Merged-In: Ie091c0be79ad4a797f26a60e95ee2594f053f804
Change-Id: Ie091c0be79ad4a797f26a60e95ee2594f053f804
(cherry picked from commit 0ece682cb7f915f4289ba6d7b5c86957e6d5d276)
(cherry picked from commit d72cc3b7971126e352c0c8fd83693f458d3785ec)

CDD: add requirement for always-on VPN opt-out.

Require UI implementations to observe the always-on VPN opt-out manifest
flag in app manifest, if such implementation exists.

See VpnService.SERVICE_META_DATA_SUPPORTS_ALWAYS_ON

Bug: 65561270
Test: N/A
Change-Id: Ie0b5ea506affbec0ab3b0268c2539bc0184721aa

Merge "Docs: Restructure section 9.8." into oc-dev

Merge "Docs: Restructure section 9.9." into oc-dev

Docs: Restructure section 9.9.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: If35c39e10f621e1b9bad51eb9a89770815d2226d

Merge "Docs: Restructure section 9.14." into oc-dev

Docs: Restructure section 9.14.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I8f106180bb29452ce3de28ba100dcb76dae74737

Merge "Docs: Restructure section 9.6." into oc-dev

Docs: Restructure section 9.6.

Part of restructuring work for CDD.

Test: N/A

Bug: 64811960

Change-Id: I82b2f7099ec8811980b90b7a6969b5865fd25740

Merge "Docs: Restructure section 9.3." into oc-dev

Merge "Docs: Restructure section 9.11" into oc-dev

Docs: Restructure section 9.11

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I2d8ccd24e8572d397f38718088cc43274962bf12

Merge "Docs: Restructure section 9.12." into oc-dev

Merge "Docs: Restructure section 9.10." into oc-dev

Docs: Restructure section 9.10.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: Ic2ce057ffc3d072c4aacd52d4f0c8ebe578e9c61

Merge "Docs: Restructure section 9.4." into oc-dev

Merge "Docs: Restructure CDD section 9.1." into oc-dev

Docs: Restructure CDD section 9.1.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I912f83d868078cc90345766ce6dc5e05efc8078c

Docs: Restructure section 9.8.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I33113c2c4b5026ecd9155d5dc5c2a81743db3407

Merge "Docs: Restructure section 9.2." into oc-dev

Merge "Docs: Restructure section 9.13." into oc-dev

Merge "Docs: Restructure section 9.7." into oc-dev

Merge "Docs: Restructured section 9.5." into oc-dev

Docs: Restructure section 9.2.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I9cf7fbb4938b714682b434da196b2321a9b9bcea

Docs: Restructure section 9.13.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960

Change-Id: Icb98a0c74708c61cec94db74d04e17ec38ab819b

Docs: Restructure section 9.7.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I076fa1c1ce0a11ebc20e90e088cbd64b08046832

Docs: Restructured section 9.5.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: If8e02513604ce19e695e0033ea5a98a6a2d5c00b

Merge "Docs: Restructure CDD section 9.0." into oc-dev

Docs: Restructure section 9.12.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I4402611e292482ed38e508716677c6b6c61be94d

Docs: Restructure section 9.3.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: If9d5d1be2b256923d669efe6c66b9d901ba0513b

Docs: Restructure section 9.4.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I730c279f6067ad1002bb1c75dde664246f7eaa8d

Docs: Restructure CDD section 9.0.

Part of restructuring work for CDD.

Test: N/A
Bug: 64811960
Change-Id: I840ca61cace0f61fe85353fcedca0627a8647ca7

CDD: Add req for the trust agent escrow token system API

Add requirements to account for the new methods in
TrustAgentService that allow unlocking a device based on escrow
tokens.

Bug: 36237319
Test: Documentation update.
Change-Id: I38cec1d94bbcbcbf97782308dc800abf650d6532

CDD: Require checking the primary authentication periodically

- Added this requirement for the following reasons:
- Security; The supplemental unlocks are less secure than the primary
credential so limit the risk by periodically asking for the main
password.
- Usability; Make sure the user enters their primary knowledge factor
often enough not to forget it.

Bug: 38314942
Change-Id: I664813f58f5881c51500559eb7175fd759885d9e

Merge "CDD: Updated Kernel security requirements." into oc-dev

CDD: Updated Kernel security requirements.

Added requirements to make sure the Android ecosystem has
a minimum safe bar for kernel configurations.

Bug: 36371578
Test: N/A
Change-Id: Iea6207dfd5805392ea1bbdf232004d32cc19ff52

Merge "CDD:  Require indicating to the user the impact of TrustAgentService on screen locks." into oc-dev

Merge "CDD: Require user affordances to grant/revoke PACKAGE_USAGE_STATS permission." into oc-dev

CDD:  Require indicating to the user the impact of TrustAgentService
on screen locks.

TrustAgentService is able to change the behavior of screen locks, and
hence such a state has to be indicated to the end user in a more
transparent way.

Test: description only
Bug: 35849818
Change-Id: Id4e1cd29bbfc2e2c51ee0d852a30983a69c4786a

CDD: Require user affordances to grant/revoke PACKAGE_USAGE_STATS
permission.

Without the user-accessible mechanism, the android.app.usage package
APIs can't be granted/revoked despite the API documents for the
android.app.usage package multiple times referring to
"However, declaring the permission implies intention to use the API
and the user of the device can grant permission through the Settings
application."

Bug: 34107152
Test: N/A
Change-Id: Ie7385f54c024a72e943bf7b6d33b13d0b7ce6806

Merge "CDD: Require a default passcode to wrap the encryption key" into oc-dev

Merge "CDD: Add recommendations for Verified Boot" into oc-dev

CDD: Clarify requirement for alternative authentication method

- This update is to ensure that the authentication method, used for
secure lock screen, behaves as documented in SDK so that the related
APIs work correctly for third-party apps. 

Bug: 37426035

Change-Id: I01659d6cafce1654810bf6c3c76f1016f3bd6cce

CDD: Updated Privacy section with req. related to Ambient Sound Service.

Bug: 37323391
Test: N/A
Change-Id: I20380f9ec103ec140ceeadc3c63605e8fcb1fa0a

Merge "CDD: Require support for hardware-backed key attestation" into oc-dev

CDD: Require support for hardware-backed key attestation

- Attestation will provide a way for developers to verify off-device
that a particular key has the expected security properties.
- This is important for trustworthy security designs for particularly
sensitive applications, e.g. payment & banking.

Bug:33676518, 30974815
Change-Id: I92c39b69e26a7c7cd8c32dd4689de52b0cc8f1f0

CDD: Require a default passcode to wrap the encryption key

If the user has not specified a lock screen credential, the process for
recovering the disk encryption key should still be bound to Keymaster
and the root of trust, so that an attacker who changes the OS to an
unsigned OS can't easily recover the disk encryption key. A default
passcode is the easy way to achieve that.

Given this, we are changing "SHOULD" to "MUST".

Bug: 33744049
Change-Id: I8e5026f394a8e4e6902f2b86449b367b6668f13b

CDD: Add recommendations for Verified Boot

Android Verified Boot or AVB (aka Verified Boot 2.0) is added to
Android 8.0, replacing the old Verified Boot feature and improving
security including the rollback prevention feature.

AVB requires adding a new disk partition, so can only be applied to
new device launches. However we're adding recommendations to support
these new features and also highlighting that there is an open-source
implementation that can be used to support the features as Android
Verified Boot would allow better integrity of the Android security model
that app developers would rely on.

Bug: 33676518
Change-Id: I6ff469ae61387038094a71bef0fa82b6455d1308

Merge "CDD: Users or app developers MUST NOT change SELinux Policies." into oc-dev

CDD: Users or app developers MUST NOT change SELinux Policies.

SELinux is the mandatory access control system used by Android. The
security rules manage access to every part of the system. Allowing users
or developers to change SELinux policies could either:

1) Add new security holes, allowing the compromise of application or
user data; or
2) Improperly reduce functionality, which could prevent applications
from working properly and introduce bugs.

A stable SELinux implementation is in app developer and user's best
interest, as it ensure consistency across the Android ecosystem.

Bug: 34278546
Test: N/A
Change-Id: I690082859980083f3cd4305e86da5ff100baec5e

Merge "Docs: Add missing newline at EOF" into oc-dev

Merge "CDD: Require privileged permissions only to be granted when explicitly whitelisted per app/permission" into oc-dev

CDD: Require privileged permissions only to be granted when explicitly
whitelisted per app/permission

This is to ensure that the standard android permission model is kept
consistent as documented in the Android SDK.
See https://developer.android.com/guide/topics/permissions/requesting.html
and https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_FLAG_PRIVILEGED

Bug:33499917
Test: manual
Change-Id: Ie1f18dcb6cfb6d4a5329b0f0eb52f7feb3ed9a7e

Docs: Add missing newline at EOF

Test: N/A
Change-Id: Ia22922cd8affb795e435748b362718b2ceab6f23

CDD: Updated VPN disclosure requirements for privacy

The AOSP implementation of Android 8.0, have made improvements to the
VPN user interface in order to better emphasize the risk differences
between VPNs and root CAs by making the VPN user interface of the
warning explicit as to what is happening.

Bug: 36031671
Test: N/A
Change-Id: I50bf21e18fe893fa8deeb741096fde1ff66e8cdf

Merge "CDD: Require checking the primary authentication periodically" into oc-dev

CDD: Requirement for retention duration of user selection history.

Rewords "retention length" to "retention period".

bug: 33423136

Test: skipped.
Change-Id: I79a7660a835a698546aac8821ff0c9e34184e9f6

CDD: Require checking the primary authentication periodically

- Added this requirement for the following reasons:
- Security; The supplemental unlocks are less secure than the primary
credential so limit the risk by periodically asking for the main password. 
- Usability; Make sure the user enters their primary knowledge factor
often enough not to forget it.

Bug: 38314942
Change-Id: I708bd3db39868ad42d7ec4ad9632b2982c3979b6

Merge "CDD: "Clarify what are the conditions to be met in order       to be classified as hadware backed and secure hardware"." into nougat-dev am: 5deade678c am: cccf899295 am: 1f7d211904 am: 391d200a1c
am: 3610398310

Change-Id: Ic18d751736e1b833b714519101d2a8bc4a33a0b7

Merge "CDD: "Clarify what are the conditions to be met in order       to be classified as hadware backed and secure hardware"." into nougat-dev
am: 5deade678c

Change-Id: I9ba5054974bd9b04ce5061a00cf6977a7dd6527e

CDD: "Clarify what are the conditions to be met in order
      to be classified as hadware backed and secure hardware".

Bug: 34343011
Change-Id: Iae36445e9eaad40704ab500d26cab4b94d8dd592

CDD: Requirement for retention duration of user selection history.

Android 8.0 introduces the Smart sharing API, it learns about users'
personalized sharing preferences and better understands for each type of
content which are the right apps to share with. To support this API,
device implementations MUST keep a reasonable retention length of users'
sharing histories. It is Strongly Recommended to use the default
retention length.

bug: 33423136

Test: skipped.

Change-Id: I94bc1278aa2bfd11dce728e96bba61aa380d139b

CDD: Clarified hardware-backed keystore requirement.

Bug: 35126445
Change-Id: Ie6ebddc9e242ab3bb508235a49d210dcbeed21a6
(cherry picked from commit 82acfb1241373cfe6f59a88a7f10b24d3c26c95a)

CDD: Clarified hardware-backed keystore requirement.

Bug: 35126445
Change-Id: Ie6ebddc9e242ab3bb508235a49d210dcbeed21a6

Docs: Final cleanup for CDD source.

   - Fix rowspan in table in section 2.1.
   - Put markdown links on a single line.
   - Escape parentheses in URLs.
   - Fix some internal links with dashes instead of underscores.
   - Replace tabs with spaces.
   - Other misc. cleanup.

Bug: 32070486
Change-Id: Ie44202b5a0bfe7133505880a0a9c74f08a9bac1f

CDD:  Clarify that the system privileged permissions are not granted
      to all apps on the system image.

Since Android 6.0, as already documented in the SDK (https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_FLAG_SYSTEM),
not all apps in the system image are granted privilged permissions.
This requirements clarifies what mechanism would be used to implement
what is described in the SDK.

BUG: 33111571
Change-Id: Ia9b78470d764e105cb6c7e0c76a163050ace2e99

Merge "CDD: Functionality to provide encryption support." into nyc-mr1-dev

CDD: Functionality to provide encryption support.

Some Device Policy Controller(DPC)s may use the
DevicePolicyManager.getStorageEncryptionStatus() and expect
ENCRYPTION_STATUS_ACTIVE only as the valid state, and would keep asking
the user to add a password upon getting the
ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY state. While enabling,encryption
of the master key (i.e. enabling the secure boot) would have some
downside on the user experience upon when the device is rebooted etc.
Each enterprise might have their own security policy and should be able
to choose the trade-off of user experience in favor of the security
benefits.

BUG: 27207717
Change-Id: I2ee43f349395b9e86e4abce511497b66c2dc79dd

CDD: Require system privileged permissions to only be granted to apps
     pre-installed in the whitelisted path.

The system permissions should not be extended to any app, just because
it's part of the system image but restricted to apps that are planned
to be part of the system. The API name change in Android 6.0 from
PROTECTION_FLAG_SYSTEM to PROTECTION_FLAG_PRIVILEGED further
adds to this point.

BUG: 33111571
Change-Id: Ibee24f8e424dc844e8cb49d5a7a0b56c3e3801aa

Docs: Final cleanup for CDD source.

   - Fix rowspan in table in section 2.1.
   - Put markdown links on a single line.
   - Escape parentheses in URLs.
   - Fix some internal links with dashes instead of underscores.
   - Replace tabs with spaces.
   - Other misc. cleanup.

Bug: 32070486
Change-Id: Ie44202b5a0bfe7133505880a0a9c74f08a9bac1f

CDD: Clarify secure lock screen requirements.

As some device implementations started to add or modify the
authentication methods for the lock screen, and more APIs
are making an assumption on the security of the lock screen
credentials, we are clarifying the requirements of what
is a secure lock screen.

Bug: 27246863

Change-Id: I618999405a862125348758ae34a40701bfaa1b62

Docs: Fix list formatting.

Bug: 32070486
Change-Id: I1f57cd40a7018c3ac9125c8616df0647a56068e2

Docs: Fix link to seccomp-tsync material.

Bug: 32070486
Change-Id: I4bd044ce9dfcb7892f5bee1082e4a2dbe96f664c

Docs: Renumber duplicate section number.

Bug: 32070486
Change-Id: I19bd018ef4a9385792ef6f06ce86ca9ee76359fa

Merge "CDD: Require splitted mediaserver processes to improve security." into nyc-dev

CDD: Direct boot and FBE requirements

Android N provide support for filebase encryption, allowing files to be
encrypted with seperate keys bound to either the device or users'
credentials. This allows system processe that do not handle sensitive
user data (telephony, alarms, etc) to start before the user enters the
credentials and elimiate the double boot necessary for full disk
encryption.

This requires the following changes and afforances in the CDD:
- Sufficiently performant devices, with lockscreens, must use
  either FBE or FDE.
- Added Direct Boot Requirements
-- All Device must implement Direct Boot, regardless of encryption.
- Added FBE Requirements
-- DE anf CE keys must be bound to HW keystore and hardware
   root of trust (VB).
-- Must not be able to disable "secure startup" option on FBE
   devices. (In earlier versions of android the FDE implementation
   supported a "secure startup" option which required the user to
   provide their credentials before the device could boot. This option
   was disabled by default. FBE and Direct Boot provides a better
   solution and device implementations MUST NOT offer any method to
   unlock the CE protected storage without the user supplied
   credentials.)
-- MUST Support AES encryption as implemented in AOSP, MAY support
   others but AOSP MUST be used be default.
-- SHOULD make essential preloaded app directBootAware.

FDE requirements remain semantically unchanged, except it is not
required if the device implementaion use FBE.

Updated 3_10_accessibility to require that any pre-installed
accessibilty service MUST be direct boot aware on FBE devices.

BUG: 25897972
BUG: 27207717

Change-Id: I36fbce4937ebc161b09fdcb507db44f7b8990a3e

CDD: Require splitted mediaserver processes to improve security.

Android 7.0 has architectual changes to mediaserver. Previous versions
of android used a single, monolithic mediaserver process with great many
permissions (camera access, audio access, video driver access, etc).
Android 7.0 splits the mediaserver process into several new processes
that each require a much smaller set of permission.

This new architecture is secure and ensures that even if a process is
compromised, malicious code does not have access to the full set of
permissions previously held by mediaserver.

Bug: 28422586

Change-Id: I337c293b26fd9d6effc3ac8f22b2388e69452571

CDD: Location change for sepolicy on N.

Bug: 32003330
Bug: 28169245

Change-Id: I26778cdce481b073fcbfed94027b56ffd9b1366f

Docs: Spell check

Change-Id: If9bf9affdf9d0ebc38f2a675e05ef620e03417ae

Merge "CDD: Clarify req. to notify if data traffic can be monitored." into nyc-dev

Merge "CDD: Require consistent system-wide root CAs across all Android " into nyc-dev

CDD: Require consistent system-wide root CAs across all Android 

Android 7.0 is supporting the use case of apps to be configured with
app-specific root Certificate Authority (CA). Hence, now the policy
on the preinstalled root certificates in the system-trusted CA store
are more strictly enforced to make it harder to undermine the security
of the data communication from Android device implementations.

The guideline to handle public certificates are as below.

- Deprecated public CAs: MUST NOT be added.
- New public CAs not yet in AOSP: wait these public CAs to complete the
  Mozilla CA inclusion process and then file a feature request against
  Android (https://code.google.com/p/android/issues/entry to include the
  new public root CA to AOSP.
- private CAs that may be needed to securely access application servers
  or MNO(carrier) infrastructure, see:
  https://developer.android.com/training/articles/security-config.html

Bug: 18335321

Change-Id: I49bbc894c700d70d8049f9535550547fe1fce8e1

Merge "CDD: Introduce Safe Mode Requirements" into nyc-dev

CDD: Clarify req. to notify if data traffic can be monitored.

Bug: 27665217

Change-Id: Ie99bb1cee95e797b6acb40a096b3b006c52340a8

CDD: Introduce Safe Mode Requirements

Safe Mode, enabling users to boot into a state where only preinstalled
system apps are allowed to run, empowers the Android device users to
uninstall third-party apps.

The support of this mode is now STRONGLY RECOMMENDED as this mode can
be used to address cases where third-party apps might be interfering
with the user's capability to uninstall such apps.

Bug: 27337663

Change-Id: Ib921dc3ef7cca6db68d22e23d2063fdfb2877586

Merge "CDD: Add requirement for seccomp-BPF with TSYNC" into nyc-dev

Merge "CDD: Security measures to protect vehicle systems" into nyc-dev

Merge "CDD: Automotive device usable in guest account" into nyc-dev

CDD: Add requirement for seccomp-BPF with TSYNC

Bug: 21472592

Change-Id: I05c79bae3b370faa34e3738adf9ac205f9dce248