am: efb5a5ba

Change-Id: Ie2461f25e7ac409837c84d7f467b63d4f23d918f

am: c8338f26

Change-Id: Id3db0306763ca605dcdf11409f3b591d6ceda312

am: 8745ac43

Change-Id: I6816eea55ad110d7aeea43ec3088452b38b7ccc7

am: 88e4be54

Change-Id: I064f2becfde44f300ddf9d36802972b35c54e152

Logs show that only dumpstate requires access.

avc: granted { read open } for comm="screencap" path="/dev/ion"
dev="tmpfs" ino=14324 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=14324 ioctlcmd=4906 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file

Grant ion permission to dumpstate which uses it for screencap
feature.

Bug: 28760354
Test: build. Check logs.
Change-Id: I6435b7dbf7656669dac5dcfb205cf0aeda93991b

am: 4b7aa909

Change-Id: I222af35247d5fc4d99f2cdeca79f86cd0a815739

am: 685db0b2

Change-Id: I5c4ae29b9623ee04f0409c5f2e4da9fb325a430f

am: 9ce812fb

Change-Id: Ie71e8eb97e3ace63a230fcd70b81961d1a8f4884

am: e39d5c87

Change-Id: Ibdb49f80b11fca40f5c4de7a92780be26b3280eb

Merge "Allow only system_server to read uid_time_in_state" am: 439364d2 am: e96aad09 am: 3ce2c6f8
am: 2f0d0496

Change-Id: I0a3b2c00a083bebdf658cd3695d51ed7af21b1ca

am: 902dbafb

Change-Id: I2b0c214e4e6842c7e9eb56a28d014c814a9c8670

am: 3ce2c6f8

Change-Id: Ic54d118a477d1827952e1c54216ff01838d985d7

am: 1a1cefcc

Change-Id: I93ad1ad5f769f68c856e7a3cfcc0bcd8792633f2

am: e96aad09

Change-Id: I0742836c6b613afeab2dcf6d59c37dd9787dc91a

am: 2af7c84f

Change-Id: Id52f1fd3e79a0a36df42abca24c93b28b277c570

am: 439364d2

Change-Id: I726672b2e3379e2e53d3c6b26482147f11d06d8e

am: 056710b3

Change-Id: Id44e16b03b1b5398bb4fd73bc4950e5da8acd5b7

Logs indicate no usage of these permissions.

Bug: 28760354
Test: check logs.
Change-Id: I3d75aea6afd4e326f705274ab2790e5d0bbdb367

Logs indicate apps, system_server, and runas are the only
domains that require this permission.

Bug: 28760354
Test: check logs.
Change-Id: I93dc53ec2d892bb91c0cd6f5d7e9cbf76b9bcd9f

Bug: 62706738
Bug: 34133340
Test: Check that uid_time_in_state can't be read from
the shell without root permissions and that
"dumpsys batterystats --checkin| grep ctf" shows frequency
data (system_server was able to read uid_time_in_state)

Change-Id: Ic6a54da4ebcc9e10b0e3af8f14a45d7408e8686e
(cherry picked from commit 4dc88795)

am: 3afd0258

Change-Id: I5b44585eaf29c8a68e3ea7c0ddfc1e8d8ea8e127

am: 2d74ecde

Change-Id: I553c794c40406da42f36d64fdd84684d157bccad

am: e8bf363d

Change-Id: Ic3e7a595e2878becc5ecf81631e8088f487c51e2

am: 06aee357

Change-Id: Ib49585b7e3a39969ebc23113c2b3ccdb04602cb5

A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.

avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
    adb shell cmd package compile -r bg-dexopt --secondary-dex \
    com.google.android.googlequicksearchbox

Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
(cherry picked from commit 575e6270)

Merge "DO NOT MERGE ANYWHERE Revert "SEPolicy: Changes for new stack dumping scheme."" into oc-dr1-dev am: 4f077656  -s ours
am: c88753c1  -s ours

Change-Id: I88869af7eaa026873744850033daba5ee31939ef

Merge "DO NOT MERGE ANYWHERE Revert "SEPolicy: Changes for new stack dumping scheme."" into oc-dr1-dev
am: 4f077656  -s ours

Change-Id: Ife60e3ca9dd346ca927e1fafdceef2fe71d33499

Merge "DO NOT MERGE ANYWHERE Revert "SEPolicy: Changes for new stack dumping scheme."" into oc-dr1-dev

am: 6907f574

Change-Id: I2b073252ccdcd30fce523a83ba43dea14eeaad3b

am: 243c46cc

Change-Id: I08aa08c6e23c0e78569d06c4e4e36a27dd861459

avc: denied { read write } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { setopt } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { getattr } scontext=u:r:ipacm:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket
avc: denied { create } for scontext=u:r:system_server:s0
tcontext=u:r:system_server:s0 tclass=netlink_netfilter_socket

Bug: 29337859
Bug: 32163131
Test: adb shell getenforce
Enforcing
adb shell dumpsys connectivity tethering
Tethering:
  ...
  Log:
    ...
    06-28 11:46:58.841 - SET master tether settings: ON
    06-28 11:46:58.857 - [OffloadController] tethering offload started
And logs show some signs of happiness:
    06-28 11:46:58.853   816   947 I IPAHALService: IPACM was provided two FDs (18, 19)
    06-28 11:46:58.853  1200  1571 I zygote64: Looking for service android.hardware.tetheroffload.control@1.0::IOffloadControl/default
Change-Id: I0c63bd2de334b4ca40e54efb9df4ed4904667e21

This is a revert of http://ag/741434

Bug: 38259874
Test: manually, using ConfirmCredential sample app.
Change-Id: I0cbb955110935de605cb90e26a6a1d851a93a4b8