Test: I solemnly swear I tested this conflict resolution.
Change-Id: Icf1e8ad95c40f497c731fa03dfd09d8b2c132aca

am: ae342662

Change-Id: I610841f42f3cbb57d2b8d5df5758191a351d10fc

am: 458b4593

Change-Id: Ieb0afbe6fb97da294fe44c075643c62ce24efbdc

am: 6116489c

Change-Id: Ie97e5fba4b46293888ad34c54fa0673909653651

am: 53b987aa

Change-Id: I3813dfca0efb4c933881b9f5ddddb5bc033c4cf1

am: 1f284f4b

Change-Id: Ic767b5bc0320faed4733be10ff09103dccf4e929

am: 7297ea2a

Change-Id: I37c6c64905e01ff4bf8d7a72c05fac3912dea793

am: a12aad45

Change-Id: I0cc33674afefeb455bd53702c304d9317ae2e937

Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420
path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0"
ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665

Allow lmkd to access /dev/memcg once again.

Test: lmkd can access memcg
bug: 36588803
Change-Id: I1f46b438050d95cebd2fcc495938192305fc9fc9

am: 366be191  -s ours

Change-Id: I1ed0ac5e1836c3f995f13082e5f144e8dc477d03

am: feb28130

Change-Id: I8f436b73a2ce7ffca91c192df35c827447253de3

am: 7f2fb741

Change-Id: I38c91b9f3fc127313918bbd74199013ae7910f2b

Test: build
Change-Id: Ibb899aa88878f5fc3ade9df0208a8026f2a57b11

am: 0ba84942  -s ours

Change-Id: Ie42095397a6173d0d0ce91c007bfe3298f64bbfe

am: 664743bd

Change-Id: I0f802840891ff66eb74aeaed602f791412d07ffb

am: 3ca77476

Change-Id: Ie9ebd530b380bd61fd62bb3cab171f0f7e27156e

am: 790f4c7e

Change-Id: I0dcc870c1280baf37e03b66b244e2ff046fad35d

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.
Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e
Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e

Platform SELinux policy may be updated without a corresponding
update to non-platform policy.  This is meant to be accomplished by
maintaining a compatibility mapping file which will be built along
with the current platform policy to link older non-platform policy.

Introduce an example vendor policy built from 26.0 public policy and
make sure that the current platform policy and mapping file, for that
version, build with it.  Add this as a dependency for the
selinux_treble_tests, which are meant to ensure treble properties,
ultimately to provide this compatibility guarantee.

Bug: 36899958
Test: Current platform policy builds with oc-dev vendor policy and
oc-dev mapping file.  Removed private type with no effect.  Removed
public type without corresponding mapping entry causes build to fail.

Change-Id: I7994ed651352e2da632fc91e598f819b64c05753

am: 7add3d05  -s ours

Change-Id: I1fe69ed4c6d15720a2f64bc81a4d40b3d9582853

am: f9da0cba

Change-Id: I18e469059df1e8704f6358a12b012932a39303cd

am: 5fbb120b

Change-Id: Idf655a43a2258b56f8c8b1282dd6c430d7771cf6

am: 3e5bb807

Change-Id: I01f99884b0f8b06fa4938a606345c33918d8b295

This CL was accidentally reverted a second time by commit:
cb5129f9.  Submit it for the third,
and final, time.

Bug: 62102757
Test: Builds and boots.

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
(cherry picked from commit 7fc2b564ce2af2b5f27739a2d9bbb535814fc89e)

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.

Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e
(cherry picked from commit 5fd60597d7d04c1861e7d8f3938384efb0384386)

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
(cherry picked from commit 3e5bb807)

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Merged-In: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8

am: fcfeb3e0

Change-Id: Ib50c35e368764f7acb87e23c1a0091ad7eeb1fd4

am: e0e2b35b

Change-Id: I607a7bddad8d3d02b9df3d5a4fb826a716a1a967

am: d5d98a4d

Change-Id: I1dbcbcbb940fdcf94e2634f43d933c91bb13ce41

am: 55efefc3

Change-Id: Ib67a9685e41019a290c903dc5b733d405ddddf61