- Jan 29, 2018
-
-
Joel Galenson authored
This should fix presubmit tests. Bug: 72472544 Test: Built policy. Change-Id: I01f0fe3dc759db66005e26d15395893d494c4bb7
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Tom Cherry authored
vendor_init exists on the system partition, but it is meant to be an extension of init that runs with vendor permissions for executing vendor scripts, therefore it is not meant to be in coredomain. Bug: 62875318 Test: boot walleye Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6 Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
-
Treehugger Robot authored
-
- Jan 28, 2018
-
-
Joel Galenson authored
This should fix presubmit tests. Bug: 72550646 Test: Built policy. Change-Id: I51345468b7e74771bfa2958efc45a2a839c50283
-
Treehugger Robot authored
-
- Jan 26, 2018
-
-
Treehugger Robot authored
-
- Jan 25, 2018
-
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Joel Galenson authored
This should fix presubmit tests. Bug: 72507494 Test: Built policy. Change-Id: I56944d92232c7a715f0c88c13e24f65316805c39
-
Tom Cherry authored
This neverallow exception is not needed. Bug: 62875318 Test: build walleye, bullhead Change-Id: Ide37ef9fe7a0e1cc4a1809589f78052007698cf5
-
Jeff Vander Stoep authored
Test: n/a Change-Id: I7c46d5f984955f963b668fe8d978e68e6b7b9a83
-
Tom Cherry authored
The exception for vendor_init in this neverallow was never needed. Bug: 62875318 Test: Build walleye, bullhead Change-Id: Iac2b57df30b376492851d7520994e0400a87f1e1
-
Tom Cherry authored
The current neverallow rules for compatible properties restrict domains from write file permissions to the various property files. This however is the wrong restriction, since only init actually writes to these property files. The correct restriction is to restrict 'set' for 'property_service' as this change does. Note there is already a restriction preventing {domain -init} from writing to these files in domain.te. Test: build Change-Id: I19e13b0d084a240185d0f3f5195e54065dc20e09
-
Joel Galenson authored
We are occasionally seeing the following SELinux denial:
avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file
This commit suppresses that exact denial. We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread. Bug: 72444813 Test: Boot Walleye and test wifi and camera. Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
-
Andreas Gampe authored
Allow dumpstate & system server watchdog to dump statsd stacks. Bug: 72461610 Test: m Change-Id: I4c3472881da253f85d54b5e5b767b06e2618af9c
-
Treehugger Robot authored
Merge "Allow binder call between statsd and healthd. Also allow statsd to find health hal service for battery metrics."
-
Treehugger Robot authored
-
Jaekyun Seok authored
-
Jeffrey Vander Stoep authored
-
Joel Galenson authored
This should fix presubmit tests. Bug: 72444813 Test: Built policy. Change-Id: I5b8661b34c9417cd95cb0d6b688443dcbe0d1c0b
-
- Jan 24, 2018
-
-
Jaekyun Seok authored
Since /product is an extension of /system, its file contexts should be consistent with ones of /system. Bug: 64195575 Test: tested installing a RRO, apps, priv-apps and permissions Change-Id: I7560aaaed852ba07ebe1eb23b303301481c897f2
-
Treehugger Robot authored
-
Treehugger Robot authored
-
yinxu authored
Bug: 64131518 Test: Compile and flash the device, check whether service vendor.radio-config-hal-1-0 starts Change-Id: Id728658b4acdda87748259b74e6b7438f6283ea5
-
yro authored
health hal service for battery metrics. Test: cts test, manual test Change-Id: I73a801f6970e25bee5921479f2f7078bcb1973a9
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Tom Cherry authored
-
yro authored
Test: manual testing Change-Id: Ia97c956c08d2062af6b33622c6b61ca3810b0cb1
-
Janis Danisevskis authored
Bug: 63928580 Test: Manually tested. Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53
-
Max Bires authored
This change will allow traceur to pass a file descriptor to another app in order to allow that app to process trace data files. E.g. in the use case that someone would like to email the traces they collected and pass the trace data files to gmail, this will now be permitted. Bug: 68126425 Test: Traceur can pass fd's to untrusted apps for processing Change-Id: If0507b5d1f06fd8400e04bd60e06a44153dc59b7
-
Marissa Wall authored
Do not let apps read /proc/uid_cpupower/time_in_state, /proc/uid_cpupower/concurrent_active_time, /proc/uid_cpupower/concurrent_policy_time. b/71718257 Test: Check that they can't be read from the shell without root permissions and system_server was able to read them Change-Id: I812694adfbb4630f7b56aa7096dc2e6dfb148b15
-
Tom Cherry authored
Now that the vendor_init mechanism is in place, this SELinux restriction will disallow vendor init scripts from touching core data files as intended with Treble. Bug: 62875318 Test: None Change-Id: Ifa50486c48551ba095d2ed8cc6570fc5040c172d
-
Joel Galenson authored
Init tries to write /proc/sys/vm/min_free_order_shift but fails due to a SELinux denial. This gives the file a new label and gives init the ability to write it. Test: Build and booted Sailfish (a couple of days ago). Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d
-
Tom Cherry authored
-
- Jan 23, 2018
-
-
Treehugger Robot authored
* changes:
  Allow mediaextractor to load libraries from apk_data_file
  Allow scanning extractor library directory
-
Jong Wook Kim authored
-
Tri Vo authored
And remove a redundant rule. Test: sesearch shows no changes to vold's sepolicy. Change-Id: Icccc18696e98b999968ecbe0fb7862c35575a9b3
-