This change adds the support of odm sepolicy customization, which can
be configured through the newly added build varaible:
    - BOARD_ODM_SEPOLICY_DIRS += device/${ODM_NAME}/${BOM_NAME}/sepolicy

Also moving precompiled sepolicy to /odm when BOARD_ODM_SEPOLICY_DIRS
is set. On a DUT, precompiled sepolicy on /odm will override the one in
/vendor. This is intentional because /odm is the hardware customization
for /vendor and both should be updated together if desired.

Bug: 64240127
Test: boot a device with /odm partition
Change-Id: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
Merged-In: Ia8f81a78c88cbfefb3ff19e2ccd2648da6284d09
(cherry picked from commit 45457e3a)

When extraction exif info, certain file formats may requires
parsing the container. Allow mediaprovider to use extractor
to do the parsing.

bug: 73978990
Test: manually test the scenario in b/73978990 and verify
      the Exif is extracted correctly.

Change-Id: I1cd46d793ebc9c38b816a3b63f361967e551d046
(cherry picked from commit 8e3fef3d)

persist.sys.usb.usbradio.config can be read in vendor init scripts.

Bug: 75202311
Bug: 74266614
Test: succeeded building and tested on pixels
Change-Id: Ib07a436dd22b4b445fd114cc1d0df7c3e7a21527

Several /odm/* symlinks are added in the following change, to fallback
to /vendor/odm/* when there is no /odm partition on the device.

  https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/

This change allows dexopt operations to 'getattr' those symlinks during
OTA.

Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
Merged-In: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
(cherry picked from commit 88cd813f)

Bug: 74866333
Test: succeeded building and tested with taimen
Change-Id: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
Merged-In: Id19fec168ab266e386ea4c710a4c5cedfc4df33c
(cherry picked from commit 62acbce4)

Allow init the ability to relabel recovery block devices. In the case
where we have recovery as a chain partition, due to its presence in
early mount node, init, in first stage itself would require relabel
permissions for the restorecon operation on recovery block device.

Bug: 73642793
Test: On bootup, recovery partition gets the appropriate se-label.
      Perform OTA on non-A/B device with recovery as chain partition,
      now the recovery partition gets upgraded successfully, now that
      it has the correct se-label.

Change-Id: I370c510320e78ab78c9c55573073415b4983d0f6
Merged-In: I370c510320e78ab78c9c55573073415b4983d0f6
(cherry picked from commit bc14ee3c)

Bug: 64195575
Test: boot a device

Change-Id: I7f7deb5e2c5c6e0a75cf22eb610a7973b5be0d7e
Merged-In: I7f7deb5e2c5c6e0a75cf22eb610a7973b5be0d7e
(cherry picked from commit a47a1c25)

vendor-init-settable should be allowed to ro.enable_boot_charger_mode so
that SoC vendors can set its default value.

Bug: 74421250
Test: succeeded building and tested with taimen
Change-Id: I2859aab29fefb7882989413a089b0de55142d2f1
Merged-In: I2859aab29fefb7882989413a089b0de55142d2f1
(cherry picked from commit 46bc518c)

Bug: 69623109
Change-Id: I7d194a3489fc5ff278cef7bebe9bfe6c39d3b2b8
(cherry-picked from 4a40c592404bdc2032067f4a3fac2f33b9246aa0)

It should instead write to /data/vendor/wifi.

Bug: 36645291
Test: Built policy.
Change-Id: Ib7ba3477fbc03ebf07b886c60bcf4a64b954934a
(cherry picked from commit cc9b30a1)

Add rule to allow Binder call from Bluetooth process to Bluetooth
audio HIDL interface running in audio HAL service process.

Bug: 63932139
Bug: 72242910
Test: Manual; TestTracker/148125
Change-Id: I1981a78bece10b8e516f218d3edde8b77943d130
(cherry picked from commit e8cfac90e8bf14466b6431a21bc5ccd4bf6ca3ea)

Provide read/write access to audioserver for Bluetooth
properties used with A2DP offload.

Bug: 63932139
Bug: 68824150
Test: Manual; TestTracker/148125
Change-Id: I40c932d085ac55bc45e6654f966b2c9d244263d0
(cherry picked from commit 041049bc7a4e29dcca48e2c068b92aa8a8157d90)

This reverts commit 016f0a58.

Reason for revert: Was temporarily reverted, merging back in with fix.

Bug: 74486619
Bug: 36427227
Change-Id: Ide68726a90d5485c2758673079427407aee1e4f2

/odm partition isn't mandatory and the following symlinks will exist on
a device without /odm partition.

  /odm/app ->/vendor/odm/app
  /odm/bin ->/vendor/odm/bin
  /odm/etc ->/vendor/odm/etc
  /odm/firmware ->/vendor/odm/firmware
  /odm/framework ->/vendor/odm/framework
  /odm/lib -> /vendor/odm/lib
  /odm/lib64 -> /vendor/odm/lib64
  /odm/overlay -> /vendor/odm/overlay
  /odm/priv-app -> /vendor/odm/priv-app

This CL allows all domains to access the symlinks, also removes the
Treble compliance neverallows on them because the actual restrictions
should apply to the real path directly.

Bug: 70678783
Test: boot a device
Change-Id: If1522780a13710d8a592272dc688685cbae29f52
(cherry picked from commit dd6efea2)

This reverts commit eeda6c61.

Reason for revert: broken presubmit tests

Bug: 74486619
Change-Id: I103c3faa1604fddc27b3b4602b587f2d733827b1

Also change the neverallow exceptions to be for hal_telephony_server
instead of rild.

Test: Basic telephony sanity, treehugger
Bug: 36427227
Change-Id: If892b28416d98ca1f9c241c5fcec70fbae35c82e

For now, persist.rcs.supported has only vendor-init-settable, but it
turned out that the property should be read by vendor components in
some devices including 2018 Pixels.

Bug: 74266614
Test: succeeded building and tested on a blueline device with
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE=true

Change-Id: I926eb4316c178a39693300fe983176acfb9cabec

This commit adds new SELinux permissions and neverallow rules so that
taking a bugreport does not produce any denials.

Bug: 73256908
Test: Captured bugreports on Sailfish and Walleye and verified
that there were no denials.

Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
Change-Id: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9
(cherry picked from commit daf1cdfa5ac7eca95f3b21034174a495a6760e47)

Sub directories under /odm (or /vendor/odm when there isn't an odm
partition) are labeled so that artifacts under the sub directories are
treated the same as their counterpart in the vendor partition.

For example, /odm/app/* is labeled as vendor_app_file just like
/vendor/app/*.

Bug: 71366495
Test: m -j

Merged-In: I72a14fd55672cd2867edd88ced9828ea49726694
Change-Id: I72a14fd55672cd2867edd88ced9828ea49726694
(cherry picked from commit 2f101551)

When building userdebug or eng builds, we still want to build the user
policy when checking neverallow rules so that we can catch compile
errors.

Commit c0713e86 split out a helper function but lost one instance of
using user instead of the real variant.  This restores that one and
adds it to the neverallow check.

Bug: 74344625
Test: Added a rule that referred to a type defined only
in userdebug and eng and ensure we throw a compile error when building
userdebug mode.

Change-Id: I1a6ffbb36dbeeb880852f9cbac880f923370c2ae