On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and
vendor domain are not permitted to connect to each other's sockets.
There are two main exceptions: (1) apps are permitted to talk to other
apps over Unix domain sockets (this is public API in Android
framework), and (2) domains with network access (netdomain) are
permitted to connect to netd.

This commit thus:
* adds neverallow rules restricting socket connection establishment,
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "socket_between_core_and_vendor_violators" attribute. The attribute
  is needed because the types corresponding to violators are not
  exposed to the public policy where the neverallow rules are.

Test: mmm system/sepolicy
Bug: 36613996
Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003

am: 45353737

Change-Id: Ifbd0f8bc238fe7ec49299b20dec36b0a07a580df

am: 72bdc353

Change-Id: I461829999d3413254a837ffb4612316d9d992acd

am: 5d0c2e41

Change-Id: I30a0587f8bb4a99a97ddce7d989302f9a89a02af

secilc is being used without -f which is causing a file_contexts
file to be generated in the root of the tree where the build tools
run:

$ stat $T/file_contexts
  File: 'file_contexts'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fc00h/64512d	Inode: 5508958     Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/wcrobert)   Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700

Test: remove $T/file_contexts, touch a policy file and make sepolicy,
      ensure file is not regenerated. Also, ensure hikey builds and
      boots.

Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>

am: 81e48f97

Change-Id: I0f30763ac163bb5032d296097b346eec10ed2dc2

am: adabd898

Change-Id: I1eb82bf76bfef80bbb51e636d166e55a30b234bf

am: 987014c8

Change-Id: I97a2e56097ca2f4a23ae682afcb86c47d9fd8749

This adds mediacodec to the list of temporary exemptions from the "no
Binder in vendor" rule.

Test: mmm system/sepolicy
Bug: 35870313
Change-Id: I0f00d4bfb90d6da45ae2fed65864bb8fb0a4e78e

am: f91f369d

Change-Id: I58593c82cd9b7b1dc7fcdfa8916f4bf55a3d9ab4

am: 5d8fcf3b

Change-Id: I5f88b48df906acb9381dc853d61dcd5ef8d5e4e4

am: 73a6f38b

Change-Id: I24d9be712209ee22a33ae858001c4e38e0eb763a

am: f535a40d

Change-Id: I66da4d14a2388b1241b755280682f6e7d93d3830

am: e1742ef0

Change-Id: I007ae4064a8daf690b15bc5196131169727cbec9

am: 6b558dcb

Change-Id: I82c412038e43bb343dc355c9d1e56a11f6da6542

This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92

This is a follow-up to f5446eb1 where
I forgot to associate su and perfprofd domains with coredomain.

Test: mmm system/sepolicy
      sepolicy-analyze $OUT/root/sepolicy attribute coredomain
Bug: 35870313
Change-Id: I13f90693843f7c6fe9fea8e5332aa6dd9558478a

This couldn't be done in earlier because this domain does not yet exist
in AOSP master.

Test: mmm system/sepolicy -- no errors
Bug: 35870313
Change-Id: I323e5c22e471cd1900b88d0d1d4edfb5973a33d7

am: 49ce4394

Change-Id: I1b38d903e61188594d0de80be479e7d9e045fb26

am: 2fe065d7

Change-Id: Ieefcec5619fc2b941a675b473661dc561864ffc9

am: f5446eb1

Change-Id: I23d5d274ae05a9b0bdac6872be86c3f56aec734e

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

am: da6c88c9

Change-Id: I9b2c1457c7c8cf3a6c8edde11e4dad8883bbf34c

am: 3d12305d

Change-Id: Id45b1a26067b7525feabb029d5c98270d0c5994b

am: 93f99cb1

Change-Id: I877e23910bc424a2026bab1d9669bc6537ea5c31

am: 165c3701

Change-Id: I76b85c42d2a24810de78e56d6f9624eb8df04c90

am: 1ecff6fa

Change-Id: I9e4aefbdc5ec712164cb2946cda4b51a3967c8c3

am: 45afc7a6

Change-Id: I73d31158b87c68fa5b4ee80e33a397bb1be7c010

Whitelist several hals which can be dumped by bugreports. Don't want to
dump more because of the time it takes and also certain hals have
sensitive data which shouldn't be dumped (i.e. keymaster).

Test: dumps work for given hals
Bug: 36414311
Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22

am: d7b8338e  -s ours

Change-Id: I66d268eb596277171a88377dad0e613a7497e3f4

am: 392c86e9

Change-Id: Id520704ad8a2be81648c33d2d1ef4a865badacd0

am: 4dd14f69

Change-Id: I60c3e0f1441aa4f548b1875e68f49c2047bf74e4

This fixes the following denial in O:

 update_engine: type=1400 audit(0.0:2100): avc: denied { sigkill } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=0

Bug: 35111618
Test: update_engine_client --cancel during postinstall
Change-Id: I7456a95b5ca6fbdb268a5e16a13e2409758141f5

am: 4c013db7

Change-Id: I77c714f588bdc78020af4e7dbf6a89d9e6792ca6