Change sepolicy permissions to now classify hostapd as a HAL exposing
HIDL interface.

Sepolicy denial for accessing /data/vendor/misc/wifi/hostapd:
12-27 23:40:55.913  4952  4952 W hostapd : type=1400 audit(0.0:19): avc:
denied { write } for name="hostapd" dev="sda13" ino=4587601
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

01-02 19:07:16.938  5791  5791 W hostapd : type=1400 audit(0.0:31): avc:
denied { search } for name="net" dev="sysfs" ino=30521
scontext=u:r:hal_wifi_hostapd_default:s0
tcontext=u:object_r:sysfs_net:s0 tclass=dir permissive=0

Bug: 36646171
Test: Device boots up and able to turn on SoftAp.
Change-Id: Ibacfcc938deab40096b54b8d0e608d53ca91b947

This reverts commit 07dd2c9e.

Reason for revert: albacore build broken

Change-Id: I551b1d8c008f01fb815e42b59d397feb9672b8e6

am: 7b271ce4

Change-Id: I01c4b4e966eae6e15f05997c2f1404db70df6f92

am: 9cb71cc9

Change-Id: Ia2337645bebf20575a391d6abd2b5b70659f1787

am: 1d2c3f44

Change-Id: Ic874243cb997d588df01d5099d3c25f14ffd2119

am: 4e15697e  -s ours

Change-Id: I143328c403bb48fa08560bb6b851e312ed1e48f8

am: 145d2d11

Change-Id: I52cd2febe6aaac3a9c65e94f1ee4d0d56513b4d1

am: 193b1ab3

Change-Id: Iee7632fde0be5301347d6f7e41d3b81c5de37c85

Bug: 71861796
Test: no more denials on walleye for shell init scripts
Change-Id: I51eab267c95a915f927b0aaa7db9d678a83093c7

am: 2beb8915

Change-Id: Idfe7ef49572476508ef52391f221029d662ffad8

am: 02dbf4e0

Change-Id: I4977f4c114c304d8a84c081f963644c3b3e4019d

am: 43303c8b

Change-Id: I5e085251c1ccfd8206e421c9b0276a2add385171

Bug: 38206971
Test: test on phone
Change-Id: Id34ab2673c7a16744fba77eb5c176e2e8b474299
Merged-In: Id34ab2673c7a16744fba77eb5c176e2e8b474299

/proc/net/xt_qtaguid is used by apps to track their network data
use. Limit access to just zygote spawned processes - apps and
system_server, omitting access to isolated_app which is not allowed
to create network sockets.
As Android moves to eBPF for app's network data stats, access to
/proc/net/xt_qtaguid will be removed entirely. Segmenting access off
is the first step.
Bug: 68774956

This change also helps further segment and whitelist access to
files in /proc/net and is a step in the lockdown of /proc/net.
Bug: 9496886

Test: boot Taimen. Walk through setup-wizard. Make phone call and
    video call. Browse web. Watch youtube. Navigate in maps.
Test: cts-tradefed run cts -m CtsAppSecurityHostTestCases -t \
    android.appsecurity.cts.AppSecurityTests
Test: cts-tradefed run cts -m CtsNativeNetTestCases
Test: cts-tradefed run cts -m CtsIncidentHostTestCases -t \
    com.android.server.cts.NetstatsIncidentTest
Test: cts-tradefed run cts -m CtsOsTestCases -t \
    android.os.cts.StrictModeTest
Test: cts-tradefed run cts -m CtsNetTestCases -t \
    android.net.cts.TrafficStatsTest
Test: cts-tradefed run cts -m CtsUsageStatsTestCases -t \
    android.app.usage.cts.NetworkUsageStatsTest
Test: vts-tradefed run vts -m VtsQtaguidTest
Change-Id: Idddd318c56b84564142d37b11dcc225a2f2800ea

am: f00d0563

Change-Id: Id6276f733fb5d52b2437927e13343d40c7d53007

am: 42f8d7b2

Change-Id: I76914b2339e3e1e53601ab2156a2fad6e70a6b46

am: 70d2bb43

Change-Id: I431de9cf6745203ef5c34b5c9e807df6bbac59f5

am: 43416421

Change-Id: I0c2dc5bb6385596b2eefadc26ade7cfe70bb9fe0

am: 98bc5730

Change-Id: I1af4b3012237e5ca48b3d382be4343e4d019093d

Update statsd sepolicies to avoid selinux violations during cts tests and pulling metrics am: e27af27f am: 955e543a
am: 941c04ac

Change-Id: I0b4408a14708e5cd657f483bb8802dc7e98ec913

am: 5f6aa039

Change-Id: I04ed395355e2f5244750585d26e5b4762a0c0a31

am: f9e7b002

Change-Id: I5749ef12d05909741209e012febdbb3a903932c9

Update statsd sepolicies to avoid selinux violations during cts tests and pulling metrics am: e27af27f
am: 955e543a

Change-Id: I8a9c4563ac6fc09e280e41c0bcef1d480f61e481

am: 73b9d8d8

Change-Id: Iaa17a95b76afdca7b7851728228b74b0d98a36fe

am: be7b1b4f

Change-Id: I58c660f564a39e2d60389d922a03966a9160e102

am: e27af27f

Change-Id: I40b4e204ec7d58c7d6971cf7e5e502e10011737a

* changes:
  vold_prepare_subdirs: grant chown
  statsd: annotate boot denials

Bug: 62041836
Test: sepolicy builds
Change-Id: Ie6052209b3901eaad8496b8fc9681421d7ee3c1c

Test: none
Change-Id: I42f2c2a09235d907b020c4924b91a3428f6c9d8e

Addresses:
avc: denied { chown } for comm="vold_prepare_su" capability=0
scontext=u:r:vold_prepare_subdirs:s0
tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability

Bug: 71796118
Test: build
Change-Id: I64b2f1ad8d6e0748c5820b8a37a4fc4f4101d1fb

Point logspam to its owner.

Bug: 71537285
Test: build
Change-Id: I9db561ee6f2857214b7945b312e6d303630724ea

This CL lists all the exported platform properties in
private/exported_property_contexts.

Additionally accessing core_property_type from vendor components is
restricted.
Instead public_readable_property_type is used to allow vendor components
to read exported platform properties, and accessibility from
vendor_init is also specified explicitly.

Note that whitelisting would be applied only if
PRODUCT_COMPATIBLE_PROPERTY is set on.

Bug: 38146102
Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e

and pulling metrics

Bug: 63757906
Test: manual testing conducted
Change-Id: Ieba524ee676dfb4a457d39d025d203bf02a70831