Bug: 63928580
Test: Manually tested.

Change-Id: If6bb10cb7c009883d853e46dcdeb92cd33877d53

Init tries to write /proc/sys/vm/min_free_order_shift but fails due to
a SELinux denial.  This gives the file a new label and gives init the
ability to write it.

Test: Build and booted Sailfish (a couple of days ago).
Change-Id: Ic93862b85c468afccff2019d84b927af9ed2a84d

* changes:
  Allow mediaextractor to load libraries from apk_data_file
  Allow scanning extractor library directory

vendor_init doesn't have permissions to read rootfs labeled files, but
needs to read /vendor_file_contexts to do restorecon correctly.  This
file is a file_contexts file, so labeling it as such seems appropriate.

Test: bullhead + vendor_init doesn't hit this audit
Change-Id: I1f2cf7dd7de17806ac0f1dfe2483fb6d6659939b

This is an experimental feature only on userdebug and eng build.

Test: play MP4 file. install & uninstall media update apk.
Bug: 67908547
Change-Id: I513cdbfda962f00079e886b7a42f9928e81f6474

so we can dlopen the libraries that are there

Test: build&run

Merged-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855
Change-Id: Ia1fa1fd65295cffe6c8a3d31db53bd3339a71855

Bug: 64222712
Test: manual
Change-Id: Ica77ae3c9e535eddac9fccf11710b0bcb3254ab3

Add sepolicy rules to grant wificond permission to use SIOCSIFHWADDR
ioctl. This permission is needed to dynamically change MAC address of
the device when connecting to wifi networks.

Bug: 63905794
Test: Verified manually that wificond can dynamically change MAC
address.

Change-Id: If2c6b955b0b792f706d8438e8e2e018c0b4cfc31

getattr for trace_data_file:dir permissions was missing, impacting
functionality.

Bug:68126425
Test: Traceur functionality is properly working
Change-Id: I2c8ae5cf3463a8e5309b8402713744e036a64171

And grant appropriate permissions to more granular types.

Bug: 29319732
Bug: 65643247
Test: adb bugreport; no new denials to /proc or /sys files.

Change-Id: Ied99546164e79bfa6148822858c165177d3720a5

Test: atest cts/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java
Change-Id: Id9adcec4db2e55f2e41ebd1b018ebc40aa0be404

Now that init no longer uses it.

Fixes: 70846424
Test: no neverallows tripped
Change-Id: I5c22dd272b66fd32b4758c1dce659ccd98b8a7ba

Fixing denials that stopped traceur from being able to write to
debugfs_tracing. Also cleaning up general find denials for services that
traceur doesn't have permission to access.

Additionally, labeling /data/local/trace as a trace_data_file in order
to give traceur a UX friendly area to write its traces to now that it
will no longer be a shell user. It will be write/readable by traceur,
and deletable/readable by shell.

Test: Traceur functionality is not being blocked by selinux policy
Bug: 68126425
Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36

This util allows init to turn off the screen
without any binder dependencies.

Bug: 70846424
Test: manual + init use
Change-Id: I4f41a966d6398e959ea6baf36c2cfe6fcebc00de

These property sets will be long term restricted with
compatible_property but allowing them now eases the transition.

Bug: 62875318
Test: boot marlin without audits for setprop in vendor_init
Change-Id: I25ab565bbf137e382c1dfc3b905b38403645f1d2

Change-Id: I37695d6c952b313e641dd145aa1af1d02e9cc537

Sepolicy for the usb daemon. (ag/3373886/)

Bug: 63669128
Test: Checked for avc denial messages.
Change-Id: I6e2a4ccf597750c47e1ea90c4d43581de4afa4af

Bug: 65643247
Test: walleye boots with no denials from priv_app.

Change-Id: I9a7faf1253bdd79d780c2398c740109e2d84bc63

Bug: 65643247
Test: manual
Test: browse internet
Test: take a picture
Change-Id: I9faff44b7a025c7422404d777113e40842ea26dd

system_update service manages system update information: system updater
(priv_app) publishes the pending system update info through the service,
while other apps can read the info accordingly (design doc in
go/pi-ota-platform-api).

This CL adds the service type, and grants priv_app to access the service.

Bug: 67437079
Test: Build and flash marlin image. The system_update service works.
Change-Id: I7a3eaee3ecd3e2e16b410413e917ec603566b375

"/n" --> "\n"

Fixes: 72225980
Test: build (this is a build test)
Change-Id: Iffd7241b4d7b9b429fff34dc2e25baad32d8008d

Bug: 63927601
Test: Enable metadata encryption in fstab on Taimen, check boot success.
Change-Id: Id425c47d48f413d6ea44ed170835a52d0af39f9f

Test: esdfs should be mountable and usable with selinux on
Bug: 63876697
Change-Id: I7a1d96d3f0d0a6dbc1c98f0c4a96264938011b5e

Test: boots
Test: hwservicemanager can read these files
Bug: 36790901
Change-Id: I0431a7f166face993c1d14b6209c9b502a506e09