This reverts commit 502e43f7.

Reason for revert: Suspected to have broken a build, see b/68792382

Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249

Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):

1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs

We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.

Bug: 68159582
Test: bullhead, sailfish can build
Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5

The permission was removed in
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/433615/
but is still needed in order to optimize application code.

Denial example:

10-26 16:29:51.234   894  1469 D PackageManager.DexOptimizer: Running
dexopt on: /data/user/0/com.google.android.gms/snet/installed/snet.jar
pkg=com.google.android.gms isa=[arm64]
dexoptFlags=boot_complete,public,secondary,force,storage_ce
target-filter=quicken

10-26 16:29:51.253  2148  2148 W Binder:695_5: type=1400 audit(0.0:39):
avc: denied { read } for name="0" dev="sda35" ino=917506
scontext=u:r:installd:s0 tcontext=u:object_r:system_data_file:s0
tclass=lnk_file permissive=0

Test: adb shell cmd package reconcile-secondary-dex-files
com.google.android.googlequicksearchbox
adb shell cmd package compile -m speed --secondary-dex
com.google.android.gms

Change-Id: I694d1a780e58fa953d9ebda807f5f5293dbb0d56

Bug: 65643247
Test: adb sideload an ota package
Test: mount /system
Test: view recovery logs
Test: run graphics test
Test: run locale test
Test: wipe data/factory reset
Test: factory reset from Settings app
Tested on sailfish; no selinux denials to sysfs type are observed.

Change-Id: Ic8487d53d90b7d1d050574e0b084627d1b6abdba

Addresses these denials when wiping data on sailfish:

avc:  denied  { open } for  pid=488 comm="mke2fs_static"
path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0
tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1

avc:  denied  { search } for  pid=488 comm="mke2fs_static"
name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1

avc:  denied  { read } for  pid=488 comm="mke2fs_static"
name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1

Test: Wipe data/factory reset -> no selinux denials
Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc

AIUI permissions should be in private unless they need to be public.

Bug: 25861755
Test: Boot device, create and remove a user, observe logs
Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da

First pass at adding vendor_init.te

Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68

Test: boot sailfish with no audit when writing to page-cluster
Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8

10-23 16:40:43.763  7991  7991 I auditd  : type=1400 audit(0.0:79): avc: denied { open } for comm="vold_prepare_su" path="/dev/pts/1" dev="devpts" ino=4 scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Bug: 67901036
Test: Boot device, create user, create files, remove user, observe logs

Change-Id: I8d33dfd2a0b24611773001f20101db40aeb13632

am: 0187b231

Change-Id: Id51afcd1de3c46463120a205624d77c33f636682

New types:
1. proc_random
2. sysfs_dt_firmware_android

Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.

Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.

Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a

Instead of removing the denial generating code, a dontaudit and a
service label will be provided so that the team working on this new
feature doesn't have to get slowed up with local revision patches.

The dontaudit should be removed upon resolution of the linked bug.

Bug: 67468181
Test: statscompanion denials aren't audited
Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7

am: 1b223839

Change-Id: I5502508d7548a2772dd56155c9c8e08814fce5ef

am: 1ff4148c

Change-Id: I6dc8530628027cdafd7929cd9ed30bb6c2e5a1bc

am: f040f632

Change-Id: I2f475ad00ca02367c89316f504ece42814538229

The following error is occurring on master:

10-23 16:24:24.785 shell  4884  4884 E SELinux : seapp_context_lookup:  No match for app with uid 2000, seinfo platform, name com.google.android.traceur
10-23 16:24:24.785 shell  4884  4884 E SELinux : selinux_android_setcontext:  Error setting context for app with uid 2000, seinfo platform:targetSdkVersion=23:complete: Success
10-23 16:24:24.785 shell  4884  4884 E Zygote  : selinux_android_setcontext(2000, 0, "platform:targetSdkVersion=23:complete", "com.google.android.traceur") failed
10-23 16:24:24.785 shell  4884  4884 F zygote64: jni_internal.cc:593] JNI FatalError called: frameworks/base/core/jni/com_android_internal_os_Zygote.cpp:648: selinux_android_setcontext failed
10-23 16:24:24.818 shell  4884  4884 F zygote64: runtime.cc:535] Runtime aborting...

Bug: 68126425
Bug: 68032516

This reverts commit 714ee5f2.

Change-Id: I7356c4e4facb1e532bfdeb575acf2d83761a0852

Test: Boot device, observe logs
Bug: 63740245
Change-Id: I1068304b12ea90736b7927b7368ba1a213d2fbae

Addresses this denial during CtsBionicTestCases:
avc: denied { getattr } for path="/proc/version" dev="proc"
ino=4026532359 scontext=u:r:shell:s0 tcontext=u:object_r:proc_version:s0
tclass=file permissive=0

Bug: 68067856
Test: cts-tradefed run commandAndExit cts -m CtsBionicTestCases
--skip-all-system-status-check --primary-abi-only --skip-preconditions
No more denials to /proc/version
Change-Id: I7e927fbaf1a8ce3637e09452cbd50f475176838e

am: 81d8b0ee

Change-Id: I5844b79cb367936ec3c02f343f5b90759c29cbcc

am: 89b41f32

Change-Id: I4544a3f5add13c144b633561624fa1bebfeac29c

Allow vold/system_server to call storaged service

Test: adb shell storaged -u
Bug: 63740245
Change-Id: I88219e32520006db20299468b7a8c7ce0bfa58e0
Merged-In: I88219e32520006db20299468b7a8c7ce0bfa58e0
(cherry picked from commit fa6c3d7c)

This is no longer used and violates Treble data separation.

Bug: 68057930
Test: verify on Sailfish that /data/misc/audiohal doesn't exist
    This dir appears to be Qualcomm specific and should not have
    been defined in core policy.

Change-Id: I55fba7564203a7f8a1d8612abd36ec1f89dc869d

am: d1467ad8

Change-Id: I40639979883bf2e7b1d57d6c23abfa5da704eb6f

am: 917cf072

Change-Id: Ifa8e92e90810eaae408254c949aa86411730e8d2

am: 8dabc2ce

Change-Id: Id5b3e446c5ac050fc73beb5a7473789ab59d2baf

am: 4bd0c6fc

Change-Id: Iacb037f79b4af9c2024fbb54484205b0bc2753c9