Applications connect to tombstoned via a unix domain socket and request
an open FD to which they can write their traces. This socket has a new
label (tombstoned_java_trace_socket) and appdomain and system_server are
given permissions to connect and write to it.

Apps no longer need permissions to open files under /data/anr/ and
these permissions will be withdrawn in a future change.

Bug: 32064548
Test: Manual

(cherry picked from commit a8832dabc7f3b7b2381760d2b95f81abf78db709)

Change-Id: I70a3e6e230268d12b454e849fa88418082269c4f

am: cd591483

Change-Id: If3b128bcc0dbeb043f9476c28334d83912ed53e4

am: e95974b0

Change-Id: I29eeb3ec90a67fe4377fe10f0884608a5fa52ea9

am: f23230c8

Change-Id: I2214556e60abce3bf0801bc01d86e8c481e44c38

am: c3f4afef

Change-Id: I8810383b62d3c678c289867a0e17732242ee6679

am: e589330e

Change-Id: I532d4b0ca606663a324dda1e65ce18175e808e7e

am: 75b99632

Change-Id: I272e173f63c6f30bfe5994e15fc4b0bf558535da

am: 032c6d61

Change-Id: Ibc245f943ad12afbc71f0d13be915120d2388529

am: 9ac5d01f

Change-Id: I31b6b74e498efd2a6f6795f91d6a39a000886061

am: 11b239f0  -s ours

Change-Id: Ifabe749bffbc196782476129fdc34bd746f64b47

am: 33d7e90b

Change-Id: I72b51db1d65df6a82b396187e982df1e4336c6be

* changes:
  Restrict BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to one dir.
  Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS

This reverts commit a015186f.

Bug: http://b/62101480
Change-Id: I8e889e3d50cf1749168acc526f8a8901717feb46

Test: pass
Bug: 62073522
Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792

SELinux : avc:  denied  { find } for service=vrmanager pid=2364 uid=1027
scontext=u:r:nfc:s0 tcontext=u:object_r:vr_manager_service:s0
tclass=service_manager permissive=0

Test: manual
Bug: 35889571
Change-Id: If95bb5c286def99a0439b36a31b52fa9dfd4a2f4
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>

am: a9a3df31

Change-Id: I83c5170513890c90b576d6a07f4e7d73a400bae2

am: 62022c71

Change-Id: I3f7438d9883bf25c41674965b963c788df2c69ef

Cutting down on the number of attributes associated with each type
speeds up policy lookup times when there is an access vector cache
miss.

This change cuts down on the number of attributes associate with
system_server from 19 to 8. The total number of attributes is
reduced from 159 to 64.

Bug: 36508258
Test: build and boot Marlin
Change-Id: I8cdb6fb783ded869e88c5a9868fd7c8f838190f9

am: 3abc81ce

Change-Id: If6350ea61bd6447af7913a7b474e719e0f7707d3

am: d5a2f3e2

Change-Id: Ie35b0b80c929066186c35d31b8f8d803f374d969

These directories were added to allow for partner extensions to the
android framework without needing to add changes to the AOSP global
sepolicy.  There should only ever be one owner of the framework and
corresponding updates, so enforce this restriction to prevent
accidental accrual of policy in the system image.

Bug: 36467375
Test: Add public and private files to policy and verify that they are
added to the appropriate policy files.  Also test that specifying
multiple directories for public or private results in an error.

Change-Id: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
Merged-In: I397ca4e7d6c8233d1aefb2a23e7b44315052678f
(cherry picked from commit 1633da06)

Add new build variables for partner customization (additions) to platform sepolicy.
This allows partners to add their own policy without having to touch the AOSP sepolicy
directories and potentially disrupting compatibility with an AOSP system image.

Bug: 36467375
Test: Add public and private files to sailfish policy and verify that they are
added to the appropriate policy files, but that the policy is otherwise identical.
Also add private/mapping/*.cil files in both locations and change the BOARD_SEPOLICY_VERS
to trigger use of prebuilt mapping files and verify that they are appropriately
combined and built in policy.

Change-Id: I38efe2248520804a123603bb050bba75563fe45c
Merged-In: I38efe2248520804a123603bb050bba75563fe45c
(cherry picked from commit f893700c)

am: 99accb4a

Change-Id: I4f5d6f57fc4440c9b09a67e92fbda5d2d133fb62

am: 56719282

Change-Id: I96129052f94f0748a6a5a964959270c5a8a118e3

vendor implementations need to be able to run modprobe as part of
init.rc scripts.  They cannot do so because of the strict neverallow
currently in place that disallows all coredomains (including init)
to execute vendor toybox.

Fix this by adding init to the exception list for the neverallow so
vendors can then run modprobe from .rc scripts and also add the rule to
allow init to transition to modprobe domain using vendor_toolbox.

Bug: b/38212864
Test: Boot sailfish

Change-Id: Ib839246954e9002859f3ba986094f206bfead137
Signed-off-by: Sandeep Patil <sspatil@google.com>

am: aa15c0af

Change-Id: I2472fae6dec8202842dc35d36eb03248256dcd45

am: 1c8e8e0e

Change-Id: I45c6a937eea4a110c0137d1e1573fe50fd71f4cd

Merge "Let fallback crash dumping write to dumpstate pipes." am: 4a608d31 am: 0bcb92a5 am: b1cf5ae4
am: cebd95b6

Change-Id: I9fb4ddebd9e9cecc08f2dab47b3e90018cd12b6d

am: b1cf5ae4

Change-Id: If2351db2a2f76837f7081fc052b03dfbae877cf4

am: 0bcb92a5

Change-Id: I86ba3626798b4f1afc49c767ad756c8a3b1f9e75

am: 4a608d31

Change-Id: I1ac7b6ddaa3f6c7ee88426cf5ec6e6dec7bc8767

Fix the following denial:
    avc: denied { append } for pid=1093 comm="mediaextractor" path="pipe:[68438]" dev="pipefs" ino=68438 scontext=u:r:mediaextractor:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 ppid=1 pcomm="init" pgid=1 pgcomm="init"

Bug: http://b/38444258
Test: none
Change-Id: I58162e3a28b744a58396e77d6b0e2becb5633d6a
(cherry picked from commit 5efadd91)