shamu isn't booting.

This reverts commit 46e832f5.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca

Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9

Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448

Users can pick files from vfat devices through the Storage Access
Framework, which are returned through ParcelFileDescriptors.  Grant
apps write access to those files.  (Direct access to the files on
disk is still controlled through normal filesystem permissions.)

avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9

Raw physical storage devices are mounted by vold under /mnt/media_rw
and then wrapped in a FUSE daemon that presents them under /storage.

Normal apps only have access through /storage, but platform apps
(such as ExternalStorageProvider) often bypass the FUSE daemon for
performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad

Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5

Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e

Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e

Addresses su denials which occur when mounting filesystems not
defined by policy.

Addresses denials similar to:

  avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e

Change-Id: Ie19ac00f2e96836667e8a5c18fafeaf6b6eadb25

needs to call addAuthToken

Change-Id: If519df61448f19dfafab254668c17eea6c161ea4

We have a /media directory on expanded storage that behaves just
like internal storage, and has a FUSE daemon running above it.

avc: denied { search } for name="expand" dev="tmpfs" ino=3130 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0

Bug: 19993667
Change-Id: I771ecb8f2808c48ccf4139ac9cfc2a48a2332fec

Provide a default label for binfmt_misc. This is not used by the
core policy, although it may be used in device specific policy.

Bug: 20152930
Change-Id: Id51d69333bfeda40720d0e65e1539fab0b6e1e95

Google Breakpad (crash reporter for Chrome) relies on ptrace
functionality. Without the ability to ptrace, the crash reporter
tool is broken.

Addresses the following denial:

  type=1400 audit(1428619926.939:1181): avc: denied { ptrace } for pid=10077 comm="CrRendererMain" scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:r:isolated_app:s0:c512,c768 tclass=process permissive=0

This reverts commit e9623d8f.

Bug: 20150694
Bug: https://code.google.com/p/chromium/issues/detail?id=475270
Change-Id: I1727c6a93f10ea6db877687a8f81ec789f9e501f

Add rules that allow installd to move private app data between
internal and expanded storage devices.  For now we'll be reusing
the "cp" binary using android_fork_execvp(), so grant access to
devpts.

avc: denied { read write } for name="14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1

avc: denied { read } for name="com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { open } for path="/data/data/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { create } for name="com.android.opengl.shaders_cache" scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1
avc: denied { read write open } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/user/0/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="dm-0" ino=64518 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1

Bug: 19993667
Change-Id: I5188e660c8b5e97eab8f0c74147499ec688f3f19

Bug: 17471434
Bug: 18609318
Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc

The current neverallow rule (compile time assertion)

  neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

 * all app processes
 * dumpstate
 * system_server
 * mediaserver
 * surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66

Settings needs to be able to access it when opening developer options.

Address the following denial:
avc:  denied  { find } for service=persistent_data_block scontext=u:r:system_app:s0 tcontext=u:object_r:persistent_data_block_service:s0 tclass=service_manager

Bug: 20131472
Change-Id: I85e2334a92d5b8e23d0a75312c9b4b5bf6aadb0b

Backup service needs to be accessible to all apps to notify the system when
something changes which is being backed-up.

Bug: 18106000
Change-Id: I8f34cca64299960fa45afc8d09110123eb79338b

Chrome's WebSQL implementation works by running sqlite in the
sandboxed renderer process, and sqlite expects to be able to
call flock() on the database file.

Bug: 20134929
Change-Id: Id33a2cd19b779144662056c6f3aba3365b0a2a54

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0

Bug: 19941636
Change-Id: I7cc61e058424c856da88f11ff9b259f34cb39dc7

Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c

Commit 85ce2c70 removed hard link
support from create_file_perms, but system_server requires hard
link support for split APKs. Allow it.

Addresses the following denial:

  audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

Steps to reproduce:
1) Find the directory "hellogoogle3.splitapk"
2) adb install-multiple -r hellogoogle3_incremental.apk
3) adb install-multiple -r -p com.google.android.samples.hellogoogle3 native.apk

Expected:
  2nd APK installs successfully.

Actual:
  2nd APK fails to install.

Change-Id: Ib69fc70dd1c7cd158590db3fd117d6b05acf1cf7

On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:

  % adb shell am set-watch-heap com.android.systemui 1048576
  % adb shell dumpsys procstats --start-testing

which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.

Allow this behavior.

Addresses the following denial:

  avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540

Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1