- Mar 28, 2017
-
-
Jeff Vander Stoep authored
Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open file: stat/read/write/append. This commit marks core data types as core_data_file_type and bans access to non-core domains with an exemption for apps. A temporary exemption is also granted to domains that currently rely on access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video. No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
-
TreeHugger Robot authored
-
Treehugger Robot authored
-
TreeHugger Robot authored
-
- Mar 27, 2017
-
-
Alex Klyubin authored
In f5446eb1 I forgot to let violators of "no Binder in vendor" rule keep their access to /dev/binder. This commit fixes the issue.

Test: mmm system/sepolicy
Bug: 35870313
Bug: 36657020
Change-Id: I3fc68df1d78e2a2da94ac9bf036a51923e3a9aae
-
Kevin Schoedel authored
-
Jeff Vander Stoep authored
am: ab1fad17 Change-Id: I4c7ea7e2bd41950d5203660af7058895b83870ab
-
Jeff Vander Stoep authored
am: 2f4df755 Change-Id: I4a273520e7a5a92f5739f413d8773ddb3c6a259a
-
Jeff Vander Stoep authored
am: 915c0070 Change-Id: I6899ca877d1ccf0a3d475fd34cfffc00eacdf23d
-
Treehugger Robot authored
-
Steven Moreland authored
am: d34c7eef Change-Id: Ieb708734a6578e9f7bc43731e6b297704f8f3937
-
Steven Moreland authored
am: aa5feec9 Change-Id: I3ba818c67e9134161dfd9c74d9fdb52f0bd51bef
-
Steven Moreland authored
am: 5a9410cf Change-Id: I4cf02d403a045bce6da96939406a886197f5a1a5
-
Treehugger Robot authored
-
Alex Klyubin authored
On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and vendor domain are not permitted to connect to each other's sockets. There are two main exceptions: (1) apps are permitted to talk to other apps over Unix domain sockets (this is public API in Android framework), and (2) domains with network access (netdomain) are permitted to connect to netd.

This commit thus:
* adds neverallow rules restricting socket connection establishment,
* temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "socket_between_core_and_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are.

Test: mmm system/sepolicy
Bug: 36613996
Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
-
- Mar 26, 2017
-
-
Jeff Sharkey authored
am: a4960ef9 Change-Id: Ia6fbb2aae4d5c66e868e43b279748a7a96ae3bf7
-
Jeff Sharkey authored
am: 92229884 Change-Id: Idd03a8f1a6b3a315ee6be221ea7d91b06be9477e
-
Jeff Sharkey authored
am: 3f724c95 Change-Id: Ia390c3537b7efe897154380ee836dbb7ac0ed742
-
Jeff Sharkey authored
This is a special file that can be mounted as a loopback device to exercise adoptable storage code on devices that don't have valid physical media. For example, they may only support storage media through a USB OTG port that is being used for an adb connection.

avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Bug: 34903607
Change-Id: I84721ec0e9495189a7d850461875df1839826212
-
Jeff Vander Stoep authored
Moves selinux policy build decisions to system/sepolicy/Android.mk. This is done because the PRODUCT_FULL_TREBLE variable isn't available in embedded.mk and TARGET_SANITIZE isn't available to dependencies of init.

Test: Build/boot Bullhead PRODUCT_FULL_TREBLE=false
Test: Build/boot Marlin PRODUCT_FULL_TREBLE=true
Test: Build Marlin TARGET_SANITIZE=address. Verify asan rules are included in policy output.
Bug: 36138508
Change-Id: I20a25ffdfbe2b28e7e0f3e090a4df321e85e1235
-
Jeff Sharkey authored
am: d33a51c3 Change-Id: Ife99cd6fc85b77ea77ca1edc9a8c741ee0d204ee
-
Jeff Sharkey authored
am: a6152592 Change-Id: I7f1ad41abd96abaef416d4cb3352fa475cffff5d
-
Jeff Sharkey authored
am: 2224f30a Change-Id: I184272269fed360807e41a1cac1fe099477685e6
-
Jeff Sharkey authored
-
Steven Moreland authored
am: 518e14e6 Change-Id: I2b9c58cf3e7f583d8a099545696f06e741e7d2b2
-
Steven Moreland authored
am: 5ebf1975 Change-Id: I1033e791b718bd1c374885f3a16b176994bb957f
-
Steven Moreland authored
am: 133d5298 Change-Id: I934f58768bd30de9c62d33e83b6a1b60f0d0fb9b
-
Treehugger Robot authored
-
Jeff Sharkey authored
Per loop(4), this device is the preferred way of allocating new loop devices since Linux 3.1.

avc: denied { read write } for name="loop-control" dev="tmpfs" ino=15221 scontext=u:r:vold:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0

Bug: 34903607
Change-Id: I1f5f62cf0a1c24c6f6453100004812af4b8e1503
-
William Roberts authored
am: 45353737 Change-Id: Ifbd0f8bc238fe7ec49299b20dec36b0a07a580df
-
William Roberts authored
am: 72bdc353 Change-Id: I461829999d3413254a837ffb4612316d9d992acd
-
William Roberts authored
am: 5d0c2e41 Change-Id: I30a0587f8bb4a99a97ddce7d989302f9a89a02af
-
TreeHugger Robot authored
-
- Mar 25, 2017
-
-
William Roberts authored
secilc is being used without -f which is causing a file_contexts file to be generated in the root of the tree where the build tools run:

$ stat $T/file_contexts
File: 'file_contexts'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fc00h/64512d Inode: 5508958 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/wcrobert) Gid: ( 1000/wcrobert)
Access: 2017-03-23 11:23:41.691538047 -0700
Modify: 2017-03-23 11:23:41.691538047 -0700
Change: 2017-03-23 11:23:41.691538047 -0700

Test: remove $T/file_contexts, touch a policy file and make sepolicy, ensure file is not regenerated. Also, ensure hikey builds and boots.
Change-Id: I0d15338a540dba0194c65a1436647c7d38fe3c79
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
Steven Moreland authored
Bug: 36546152
Bug: 36278706
Test: `adb shell screencap ...` and pull and visually verify image.
Change-Id: Iab2ddcfc145cb7f55104cd8f1ce0d58286bca282
-
Alex Deymo authored
am: 81e48f97 Change-Id: I0f30763ac163bb5032d296097b346eec10ed2dc2
-
Alex Deymo authored
am: adabd898 Change-Id: I1eb82bf76bfef80bbb51e636d166e55a30b234bf
-