health@2.0 is a service used by BatteryService in framework.

Test: health hal works

Change-Id: I6cccf3ab085686fd67b0e048aaf201e64ec311c4

am: 29c909ff

Change-Id: Iba58bad1f82fbbb2221fbdb007a5c10d83925dfa

am: a35083e0

Change-Id: Ice4fb08c6d3342d8bfd8afccbbcc939bed4b9eee

am: 28dca27b

Change-Id: Ie7b9d89fbf71c016af62cc1c31f5732e02549eeb

am: 5b4bea43

Change-Id: I0400af99bf5467d5035afa2111b2d494814f9bed

Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
 - update_verifier to read sysfs_dm dir and file at
   /sys/devices/virtual/block/dm-X.
 - vold to write sysfs_dm.

Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
      marks a sucessful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95

am: b59eadbd

Change-Id: I5646f89c9ddfac78e663d4677275390192db1da1

am: 9aa56dfb

Change-Id: I6da11d0ea1f5689b37a9d08e3534e6bc80b870be

am: 8f6a5f57

Change-Id: Ib476fa26393087705c1c9f8f9e0f472b4f6e4d4c

am: 62d3b4f1

Change-Id: I9ede1a3913e1ee465ac58cc2e56af521bd3e5530

isolated_apps are intended to be strictly limited in the /sys files
which can be read. Add a neverallow assertion to guarantee this on all
Android compatible devices.

Test: policy compiles.
Change-Id: I2980291dcf4e74bb12c81199d61c5eb8a182036c

am: 33edd896

Change-Id: Iba4aba8833f3543d8e28c5d469667bbeb09b860e

am: 5dba5b2a

Change-Id: I1f75837ba99e6dd1961a911a9ab072e26d24837d

am: 17491f6b

Change-Id: I32dfe7fd082e3d7a60f0787f2c0d559d8ce252c0

am: 9cac761d

Change-Id: If420befeb2ccd04e354debc8408c13edcf97dbd1

am: f3f194c0

Change-Id: Ifabe0a78658b2c903c8a2face0102b816427e3e2

am: d874f049

Change-Id: I0f27c558f5394f71a987a1b4b3c8de05e6348841

am: 7d610705

Change-Id: I3b770b1fb2bf8efdc45ba85536e2f990e79d99dc

am: 0018d9a6

Change-Id: I19aa72d70b6210b6488073d9ab46d96ec674e253

am: f7196a88

Change-Id: Ib53dab06b2eae107411260d852227211bfb2ff69

Comments indicate that these permissions are used to access already
open FDs. However, getattr of a directory is clearly not necessary
for that, search of system_data_file is already granted to domain
and following symlinks is clearly not needed for reading an already
open FD.

Bug: 34980020
Test: boot marlin. Test drm with google play movies, no related
    denials
Test: cts-tradefed run cts -m CtsMediaTestCases -t \
    android.media.cts.MediaCasTest
    5/6 tests fail with no related selinux denials. The same 5/6
    also fail in selinux permissive mode.
Change-Id: Ib4b9a1e18bdc479d656b2d64917bbc0358515525

am: dd517519

Change-Id: I3f8f953b16879d4b4e826412f3d23096cefee1a2

am: 24cc484f

Change-Id: Ibc0c3ef801f0ec115530e5ff4e8f5ba8b88cd4ef

am: bc1c5453

Change-Id: I7c59d28fb32d5785a88e3678ea85a0ae43003302

Bug: 64687998
Test: Builds.
Change-Id: I7a5b65d34382b8b76e55c523811a0f17dd9c1051

Bug: 65643247
Test: sailfish boots, can take pictures, use browser without denials
form kernel domain.
Change-Id: I4fc0555f0b65fc5537e0b2765142b384ed0560c8

am: 5b322d4e

Change-Id: Ie584e64322009a53672cc39b671090c4523889ef

am: a08b925a

Change-Id: Iadeb02947c4aefd1821b8e3294ad9fd801f8b0c1

am: 7242f168

Change-Id: Iaf37d2a4391f64fb76f1a2a51aa9077ba81be224

am: dcee57b8

Change-Id: I99ec6c055c8f6f04be90a4710ae278ba676f741d

am: 6eef5589

Change-Id: Ia61c0391c0584336bfdbe9df6f63a49275799ab3

am: cbb0543d

Change-Id: Ibf8ee8c6da1fbb3358179044c99861905751884c

am: ea17be60

Change-Id: I04573b201588661a98b682224624bb804ec688db

am: e22e99a6

Change-Id: I7e345f52865c834bada137d773cbcd869825946c

Merge "Revert "Ensure /sys restrictions for isolated_apps"" am: 3e60e38a am: 89185f5a am: 3f5bc502
am: 0011fd40

Change-Id: I24fcec7bb6943864173194a64ef7027cd52533a6

am: 3f5bc502

Change-Id: I0c442961eab964595ad072ec1a4308a4cc2c6888