* commit '9eb6c874':
  Revert "property_contexts: don't delete intermediate on failure"

* commit 'efcaecab':
  Revert "service_contexts: don't delete intermediate on failure"

* commit '23c42c38':
  service_contexts: don't delete intermediate on failure

* commit 'e6e94762':
  property_contexts: don't delete intermediate on failure

This reverts commit 7f81b337.

Change-Id: I79834d0ef3adbf2eed53b07d17160876e2a999c6

This reverts commit f6ee7a52.

Change-Id: I4f1396e6e4aeecd1109f9c24494c6e82645c0663

* commit '331c2e96':
  Add audit_read permission to capability2

In kernel 3.18 following error message is seen
since audit_read is added to capability2 at classmap.h
So add audit_read permission to capability2.

SELinux:  Permission audit_read in class capability2 not defined in policy.
SELinux: the above unknown classes and permissions will be denied

The kernel change from AOSP is:
https://android.googlesource.com/kernel/common/+/3a101b8de0d39403b2c7e5c23fd0b005668acf48%5E%21/security/selinux/include/classmap.h



Change-Id: I236fbb8ac575c5cb8df097014da6395e20378175
Signed-off-by: Woojung Min <wmin@nvidia.com>

When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>

When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.

Change-Id: I431d6f4494fa119c1873eab0e77f0eed3fb5754e
Signed-off-by: William Roberts <william.c.roberts@intel.com>

* commit '226caf49':
  Remove mediaserver sysfs write permissions.

* commit '3746a0ae':
  file_contexts: don't delete intermediate on failure

Currently, if an error is detected in a file_contexts
file, the intermediate file_context.tmp file is removed,
thus making debugging of build issues problematic.

Instead, employ checkfc tool during the compilation recipe
so the m4 concatenated intermediate is preserved on
failure.

Change-Id: Ic827385d3bc3434b6c2a9bba5313cd42b5f15599
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Mediaserver no longer appears, and maybe never did, need write
permission to sysfs files.
commit: 1de9c492 added auditing to
make sure this is the case, and such access has not been observed.
Remove the permissions and the associated auditallow rule to further
confine the mediaserver sandbox.

Bug: 22827371
Change-Id: I44ca1521b9791db027300aa84e54c074845aa735

* commit '483fd267':
  Enforce no persistent logging on user builds

For userdebug and eng builds enforce that:

 - only logd and shell domains may access logd files

 - logd is only allowed to write to /data/misc/logd

Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a

* commit '9aa41303':
  asan: update condition to work with multiple SANITIZE_TARGET values.

The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.

Bug: 22850550
Change-Id: I953649186a7fae9b2495159237521f264d1de3b6

* commit 'eb8b2188':
  document the non-ART-related reasons for execmem

* commit 'a984a9bf':
  file_contexts: Change file_contexts to file_contexts.bin

* commit '05056457':
  adb: add adbd -> shell signal permissions.

Change-Id: I0c17b4e36a14afd24763343c09eaca650ea4cefd

adbd needs to kill spawned subprocesses if the client terminates
the connection. SIGHUP will be used for this purpose, which
requires the process:signal permission.

Bug: http://b/23825725
Change-Id: I36d19e14809350dd6791a8a44f01b2169effbfd4

Change-Id: I455fe33345dd1ae8dc49cb7b70cbf1e7c1b3e271

* commit 'c3712143':
  Allow system_server to bind ping sockets.

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687
Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2

* commit 'b55f10e9':
  Fix perfprofd denial (simpleperf debugfs read).

Bug: http://b/23814810
Change-Id: I731bd70ec982e47b86befb32a9edcb71570e9d64

* commit '59c4aa75':
  auditallow gpu_device execute access

* commit '0243e5cf':
  system_server.te: remove policy load permissions

Remove system server's permission to dynamically update SELinux
policy on the device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: I3c64d64359060561102e1587531836b69cfeef00

* commit '008d7f14':
  Drop the default stanza from mac_permissions.xml

This permission appears to be unnecessary on some (most?) devices such
as the Nexus 5. It should be moved to the device policy if it's truly
required by the driver.

Change-Id: I531dc82ba9030b805db2b596e145be2afb324492

All non matching apps will simply receive the seinfo
label of "default" implicitly. No need to further
clarify things anymore with an explicit default stanza.

Change-Id: Ib7b01ee004775f24db9a69340a31784b967ce030
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>