avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Fixes: 62619253
Test: policy builds, no more "granted" messages in dmesg for recovery.
Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3

am: 733609da

Change-Id: I248cfa3b85774569123a3b3f7e8d3c068005b7fc

am: 14a3cb28

Change-Id: Ib3b7dc9a8a702a32330ccb31f22cf746df8764fb

am: 5ee87b00

Change-Id: Id2dc995f88a60fe865387453234e3630a9975381

am: abb1ba65

Change-Id: I7765bfd350deb50847e83a1d3b5d7399206b4b9d

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: I47b4e79260bcd2967d85d8151c83e624d432f409

This reverts commit 527f64e6.

Change-Id: Ibc48af53431a8f7c7211999dcb571f492fb5ddb4

Test that:
- File types on /sys have attr sysfs_type
- File types on /sys/kernel/debug have attr debugfs_type
- File types on /data have attr data_file_type

Test: build policy
Change-Id: Ie4f1f1c7e5345da0999082962f084fdac6b85428

am: b3bdba4d

Change-Id: I4d3a71a1ffd2004e3ac85d89686d24e00c112d6e

am: 78c58c79

Change-Id: I93ab700661ddad141f2ff9973187bb5b72ffad78

am: 5c383688

Change-Id: Iaf28a1b178427e5b2bd13f45485cc3504464f6fc

am: 77fe1de7

Change-Id: I71b4bca350a9a29dd45dfafe8c3d1938cb54a46f

am: b236eb6c

Change-Id: I87eb8bad11fc9c011289b8d97219835a08d18cd1

am: b236eb6c

Change-Id: I60a92781a5b923889e627d73e8922aca2607b67b

[    7.674739] selinux: selinux_android_file_context: Error getting
file context handle (No such file or directory)

Bug: 62564629
Test: build and flash marlin. Successfully switch between regular
    and recovery modes

Change-Id: I0f871f8842d95322c844fb7b13ad1b4b42578e35

commit: 5c6a227e added the oc-dev
sepolicy prebuilts (api 26.0), but did not include the corresponding
base mapping file, which is to be maintained along with current
platform development in order to ensure backwards compatibility.

Bug: 37896931
Test: none, this just copies the old mapping file to prebuilts.
Change-Id: Ia5c36ddab036352845878178fa9c6a9d649d238f

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug 36588803

Change-Id: Ia57dbbc3987d8858c932103c4e546cbb88893207

am: ef0ab603

Change-Id: I0c55b9a8301f6b0264ccf578258422995a0c8b84

am: 508921c4

Change-Id: I86ff1c1cd66a6d3e7955436923f25e47c1098a01

am: aee782ca

Change-Id: I9210f221529abc0195dc39d198b042d02ca223ab

am: 82658116

Change-Id: I653ab6e4d8ff7a859ac489d4b05fdddb0668ae4e

am: 7a68c5ae

Change-Id: Ic9f658984340b255114bb0f8d505fa6774f1cb04

am: 7a68c5ae

Change-Id: Ide9c5ccdc2002972f311c9829c573b98f12fea44

am: 2703f3ee

Change-Id: I2130641f315522740c150f4a22f8a4fe20a9a085

am: f965a0a1

Change-Id: I444ffb0b0e03fc718acbf6a82bac1501fa725c5f

A previous commit (a83e0cc) already labels these with genfs_context,
which has better performance.

Bug: 62413700
Test: Built, flashed, and booted.  Verified that the files have
the correct context.

Change-Id: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53

This is used to persist RFC 7217 stable secrets across device reboots.

First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I0a609c724799a15b1926e62534c16810d34f2275

This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.

Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.

Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1

This change is primarily to fix CTS which checks file ordering of
file_contexts. Having two separate means of loading file_contexts
has resulted in ordering variations.

Previously the binary file_contexts was preferred since it
loaded faster. However with the move to libpcre2, there is no
difference in loading time between text and binary file_contexts.
This leaves us with build system complexity with no benefit.
Thus removing this unnecessary difference between devices.

Bug: 38502071
Test: build and boot non-Treble Bullhead, run CTS tests below
Test: build and boot Treble Marlin, run CTS tests below
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testAospFileContexts
Test: cts-tradefed run singleCommand cts --skip-device-info \
    --skip-preconditions --skip-connectivity-check --abi arm64-v8a \
    --module CtsSecurityHostTestCases \
    -t android.security.cts.SELinuxHostTest#testValidFileContexts
Change-Id: I088b3aeafaaab320f6658feb058a1fb89cbb65e1

am: d782dffa

Change-Id: Ia96da46def754c3a8fcc909d3e3823db2ce77c3b

am: 6aa9869a

Change-Id: I5ee6145cfa3c6701450f2984eacdde41ccd505ec