Bug: 37896931
Test: none, just update prebuilt.
Change-Id: Id940d1c2bc46deab1eb49bacebbb41069e2034e4

When moving SELinux rules from file_contexts to genfs_contexts, we
added some genfs rules to label specific files.  It turns out that one
of those files was the prefix of some other files, and since genfs
does prefix-labeling, those other files had their labels changed.

To fix this, we are changing the whole tracefs /instances/wifi from
debugfs_tracing_instances to debugfs_wifi_tracing (a few of the files
already had this label).  This simplifies the rules.

Bug: 62413700
Test: Built, flashed, and booted two devices.  Verified that the files
have the correct context and that wifi, camera, and traceur work.

Change-Id: Id62db079f439ae8c531b44d1184eea26d5b760c3

Merge "domain_deprecated: remove tmpfs dir access am: ca5bb337 am: 453f4a51 am: 407e9457 am: 8b0f89e4"

am: 8b0f89e4

Change-Id: I6a75dc96a8e5994f22a8776a413d8a6a01da4fdd

Merge "domain_deprecated: remove tmpfs dir access am: ca5bb337 am: 453f4a51 am: 407e9457 am: 8b0f89e4"

Merge "Merge "Preserve attributes needed for CTS" into oc-dr1-dev am: 1eff6417 am: d006aea0  -s ours"

am: 8b0f89e4

Change-Id: I02aefb28ad044dc7d85956156fde638c101bdbe5

Merge "Merge "Preserve attributes needed for CTS" into oc-dr1-dev am: 1eff6417 am: d006aea0  -s ours"

am: d006aea0  -s ours

Change-Id: Ie76a6c836163a8755507232b5b493a24a7b84da8

am: d006aea0  -s ours

Change-Id: Ifce7d19ce6469f5526a2e4d2b40db07c6524e368

Merge "Merge changes from topic 'am-52eed220ada34c3aba959fcbb20dfeab' into oc-dr1-dev-plus-aosp am: c436013b  -s ours"

am: c436013b  -s ours

Change-Id: I8af59aba167dfd27cd4773eb573978d539dec1ff

am: c436013b  -s ours

Change-Id: I89a0c3cfab8e44218b7978c32c577717df522069

Commit: b8f7a408 removed three
attributes from public policy.  These attributes could be assigned
to vendor types, and so need to be kept in policy when combined with
vendor policy of that version.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I7d71ef7795f8b82c214c2ef72478c3ca84d1869c

am: 407e9457

Change-Id: If277928809ec2bcaf7f72ef9cba5dd5d45d333ca

am: 453f4a51

Change-Id: Iff9292a4a92fdd78eebdf2ec5fab8d571fc755f6

am: ca5bb337

Change-Id: I185d127216ee72821c64daf31601fdcbe1a9c069

am: 1eff6417

Change-Id: I095df5cbd680d495fac54186ab16e2287d454c3a

Commit: 4dc88795 changed the label of
uid_time_in_state from proc to proc_uid_time_in_state.  This file
could have been used by vendor services.  Add a compat mapping.

Bug: 62573845
Test: None. Prebuilt change only.
Change-Id: I2e5222c4d4fe12cb0bbc4e85ba53c1f59b714d61

Merge "remove mke2fs rules from global file_contexts am: 0d32323c  -s ours am: 7acd39d2  -s ours"

* changes:
  remove mke2fs rules from global file_contexts am: 0d32323c  -s ours am: 91748747  -s ours
  move e2fs tools from /sbin to /system/bin am: ae047956 am: a8beb22e  -s ours

am: 7acd39d2  -s ours

Change-Id: I16bc3700ae6e363512b647a4f4f8c9d6646e5066

am: 91748747  -s ours

Change-Id: Ic1c432a08d80a03f574676b50b1805e2e0f7bc09

am: a8beb22e  -s ours

Change-Id: Icb5f4e4dec18f62df41d0e89ffa4909a74a5fa63

am: 91748747  -s ours

Change-Id: If702e73a84560aa6dd98b95113f5c2798636c5f7

am: a8beb22e  -s ours

Change-Id: Id5fdb2f361a0ef1757c0db18dfacb18914b826b3

* changes:
  remove mke2fs rules from global file_contexts am: 0d32323c  -s ours
  move e2fs tools from /sbin to /system/bin am: ae047956

am: 0d32323c  -s ours

Change-Id: I2283da4878b60860400d31eaff019faef2b2c888

am: ae047956

Change-Id: I6b61f896f97bfe7ed9d2dfeb876d76e0101e093a

am: 0d32323c  -s ours

Change-Id: I9cb9b52f452394a32c51ec2aefd502e21896c61d

am: ae047956

Change-Id: Id8c7b9ab97ad80332b65fd02ba9ca61e67dac218

Address "granted" audit messages for dumpstate use of df.

avc: granted { getattr } for comm="df" path="/mnt" dev="tmpfs"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0
tclass=dir
avc: granted { search } for comm="df" name="/" dev="tmpfs"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0
tclass=dir

Bug: 28760354
Test: Build, check logs.
Change-Id: I920948a5f0bce1b4bd2f15779730df8b3b1fea5a

Change fb889f23 "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.

In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.

Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    armeabi-v7a CtsSecurityHostTestCases completed in 4s.
    501 passed, 0 failed, 0 not executed
Merged-In: I989def70a16f66e7a18bef1191510793fbe9cb8c
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

Change fb889f23 "Force expand all hal_* attributes" annotated all
hal_* attributes to be expanded to their associated types. However
some of these attributes are used in CTS for neverallow checking.
Mark these attributes to be preserved.

In addition, remove the hacky workaround introduced in oc-dev
for b/62658302 where extraneous neverallow rules were introduced
to prevent unused or negated attributes from being auto-expanded
from policy.

Bug: 62658302
Bug: 63135903
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    armeabi-v7a CtsSecurityHostTestCases completed in 4s.
    501 passed, 0 failed, 0 not executed
Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c