As of https://android-review.googlesource.com/324092, ephemeral_app is
now an appdomain, so places where both appdomain and ephemeral_app are
granted the same set of rules can be deleted.

Test: policy compiles.
Change-Id: Ideee710ea47af7303e5eb3af1331653afa698415

Bug: 30222631
Change-Id: I30ad019872881e21f61a53e4397112ea0e99688b

Bug: 32123421
Test: build Hikey
Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d

Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1

Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

Bug: 28348382
Change-Id: Iaab1430750dfbb997900d3d70993c9fff2a8745d

Bug: 28049120
Change-Id: Id288092402f36daafc3347db9b62d341a1de2eb3

Bug: 27323882
Change-Id: Idf3977d74817c4f90f9e993d2e1e5302cc56f41d

Remove all permissions not observed during testing.

Remove domain_deprecated

Bug: 27064332
Change-Id: Ie154af70aaf255721b46d29357e48d5337020b4b

Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls

Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="irq_affinity" dev="proc" ino=4026536760 scontext=u:r:audioserver:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/asound/irq_affinity" dev="proc" ino=4026536760 scontext=u:r:audioserver:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/asound/irq_affinity" dev="proc" ino=4026536760 scontext=u:r:audioserver:s0 tcontext=u:object_r:proc:s0 tclass=file

Change-Id: Iaa8843bb4e8b19d001520fcd45d35e666bf48271

camera_device didn't really offer much in terms of control considering
that most domains that need camera_device, also need video_device and
vice versa.

Thus, drop camera_device from the policy.
Change-Id: If438610ac6998399719ab375210c023320d0b7ed

Neverallow access to privileged commands.

Change-Id: I443be5bbcd8cdf55e23c2c4d8fee93c4ebf30e55

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d