Allows the following denials:
     avc: denied { use } for pid=9099 comm="mediacodec" path="/data/tombstones/tombstone_08" dev="sda35" ino=877473 scontext=u:r:mediacodec:s0 tcontext=u:r:tombstoned:s0 tclass=fd permissive=1
     avc: denied { append } for pid=9099 comm="mediacodec" path="/data/tombstones/tombstone_08" dev="sda35" ino=877473 scontext=u:r:mediacodec:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file permissive=1

Bug: http://b/36156624
Test: killall -ABRT media.codec
Test: killall -ABRT media.extractor
Change-Id: I3dde1879b44e3e63c747a3ff8dd4bf213cb8afb6

Test: Build and boot Marlin
Test: See the following in the logs:
01-01 02:10:28.756  1345  1345 D SELinuxMMAC: Using policy file /system/etc/selinux/plat_mac_permissions.xml
01-01 02:10:28.787  1345  1345 D SELinuxMMAC: Using policy file /vendor/etc/selinux/nonplat_mac_permissions.xml
Bug: 36003167

Change-Id: If17490a2a5d94bfea1fa6d282282d45d67e207e9

Build file_contexts.bin on legacy builds.
Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boot with /system/etc/selinux/plat_file_contexts and
      /vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414

Change-Id: Ide8498b3c86234d2f93bb22a7514d132c33067d6

Recovery should always use monolithic policy. Thus, we don't need
split policy files *.recovery.cil. This commit removes these targets
and rolls up the relevant parts of the targets into
"sepolicy.recovery" which is the target which produces monolithic
policy for recovery.

Test: make clean && make sepolicy.recovery, then confirm that
      repolicy.recovery is identical to the one produced prior to this
      change.
Test: Clean build, flash, device boots up fine, no new denials. Device
      also boots into recovery just fine, no denials.
Bug: 31363362

Change-Id: I7f698abe1f17308f2f03f5ed1b727a8b071e94c7

This reverts commit 4cb628a3.

Reason for revert: recovery image on marlin & sailfish no longer
contained *property_contexts and thus recovery failed to boot.

Test: Clean build, flash, sailfish and bullhead boot up just fine,
      and boot into recovery just fine.
Bug: 36002573
Bug: 36108354
Change-Id: I2dffd80764f1a464327747d35a58691b24cff7a7

The following HAL methods use file descriptors to write dump
info comprising audioflinger debug dump:

IDevice.debugDump
IEffectsFactory.debugDump
IStream.debugDump

Bug: 36074936
Test: check contents of 'adb shell dumpsys media.audio_flinger'
      on -userdebug builds

Change-Id: Ie2bec95c6b73c6f10941e2b0a95a25d6a7a6e4c1

Test: Build and boot Marlin and Bullhead.
Test: Contexts split between /system and /vendor on Marlin.
      Remains stored in / on Bullhead.
Bug: 36002816
Bug: 36002427

Change-Id: I922bcbc0cc2c08e312cf942ee261951edfa8d4e2

This makes the build system, for TREBLE devices only, place
plat_property_contexts under /system/etc/selinux and
nonplat_property_contexts under /vendor/etc/selinux. For other devices
these files are placed under /, same as before.

Test: *_property_contexts in correct locations when
      PRODUCT_FULL_TREBLE is set to true and when it is set to false.
Bug: 36002573

Change-Id: I7e30e64918bb3ee671fa8c7a2e30ed96a9cc1ad7

Let mediacodec and mediaextractor talk directly to tombstoned to
generate tombstones/ANR traces.

Bug: http://b/35858739
Test: debuggerd -b `pidof media.codec`
Change-Id: I091be946d58907c5aa7a2fe23995597638adc896

This adds build targets for outputing precompiled kernel policy usable
on devices with policy split between system and vendor partitions. On
such devices, precompiled policy must reside on the vendor partition.

Because such devices support updating these partitions independently
of each other, the precompiled policy must reference the system
partition's policy against which it was compiled. This enables init to
establish whether the precompiled policy is valid for the current
combination of system and vendor partitions.

The referencing is performed by both the system and vendor partitions
including the SHA-256 digest of the system partition's policy
(plat_sepolicy.cil). Only the when the digest is the same on both
partitions can the precompiled policy be used.

Test: plat_sepolicy.cil.sha256 contains exactly the hex form of the
      SHA-256 digest of plat_sepolicy.cil
Test: plat_sepolicy.cil.sha256 is identical
      precompiled_sepolicy.plat.sha256.
Bug: 31363362
Change-Id: I9771e1aa751e25bba6e2face37d68e0ae43b33a3

With the plat/nonplat policy split, nonplat_seapp_contexts should still
be checked against the plat_seapp_contexts_neverallows during build
time to ensure no violations occur.

Test: stock aosp_marlin builds.
Test: name=foo.bar seinfo=default fails (as expected) in nonplat policy
Test: name=foo.bar seinfo="" fails (as expected) in nonplat policy
Bug: 36002816
Change-Id: I95b2c695b23e2bdf420575d631e85391e93fc869

perf_event_max_sample_rate is needed to be read for native profiling,
otherwise CTS test can fail on devices with kernel >= 4.4. Before this CL,
the file is not readable from untrusted_app domain. This CL makes it readable
from both shell domain and untrusted_app domain.

Bug: http://b/35554543
Test: build and test on marlin.
Change-Id: Id118e06e3c800b70a749ab112e07a4ec24bb5975

We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62

Note: The existing rules allowing socket communication will be removed
once we  migrate over to HIDL completely.

(cherry-pick of 2a9595ed) 
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615

Bug: 35979722
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Test: no more avc errors on debugfs
Change-Id: I91d98428aaec915b3206535559a0c096e6de1603

We need more time to investigate the effect that this change will
have on DRM solutions. Until the investigation is done, revert.

This reverts commit 38d3eca0.

Bug: 30146890
Bug: 20013628
Bug: 35323421
Change-Id: I5ad69ef5ee12081ce7fc0a8440712f7f8f77cf16
Test: policy compiles.

Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d

Drop support for execmod (aka text relocations) for newer API versions.
Retain it for older app APIs versions.

Bug: 30146890
Bug: 20013628
Bug: 35323421
Test: policy compiles.
Change-Id: Ie54fdb385e9c4bb997ad6fcb6cff74f7e32927bb

This should only be granted to legacy apps, not to newer API versions.

Change-Id: Ia4b9b3a3cf33aa31bcad2fe15d8470c50132e2a9
Test: policy compiles.

Fix restorecon failue on second call

Bug: 35803475
Test: angler boot with UART on and set sys.wifitracing.started to 0 after boot
Change-Id: Ia5496fcba031616297fa0a4c0f45e3ece0b4d662

- necessary for analyzing early boot stage

bug: 35949319
Test: check captured bugreport for ro.boottime.* in SYSTEM PROPERTIES
Change-Id: I8826abd19ac00f169841b4a7ceeb68be3405d1b9

Label /proc/misc and allow access to untrusted_apps targeting older API
versions, as well as update_engine_common.

/proc/misc is used by some banking apps to try to detect if they are
running in an emulated environment.

TODO: Remove access to proc:file from update_engine_common after more
testing.

Bug: 35917228
Test: Device boots and no new denials.
Change-Id: If1b97a9c55a74cb74d1bb15137201ffb95b5bd75

Addresses:
denied { getattr } for pid=155 comm="keystore" path="/vendor"
dev="mmcblk0p6" ino=1527 scontext=u:r:keystore:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

On devices without an actual vendor image, /vendor is a symlink to
/system/vendor. When loading a library from this symlinked vendor,
the linker uses resolve_paths() resulting in an lstat(). This
generates an selinux denial. Allow this lstat() so that paths can
be resolved on devices without a real vendor image.

Bug: 35946056
Test: sailfish builds
Change-Id: Ifae11bc7039047e2ac2b7eb4fbcce8ac4580799f

This moves the CIL files comprising the split sepolicy to the
directories/partitions based on whether the file is part of
platform/system or non-platform/vendor. In particular:
* plat_sepolicy.cil is moved to /system/etc/selinux,
* nonplat_sepolicy.cil is moved to /vendor/etc/selinux, and
* mapping_sepolicy.cil is moved to /vendor/etc/selinux.

Test: Device boots, no additional denials. The test is performed both
      for a device without the CIL files and with the three CIL files.
Bug: 31363362

Change-Id: Ia760d7eb32c80ba72f6409da75d99eb5aae71cd9

The new wifi HAL manages the wlan driver and hence needs to be able to
load/unload the driver. The "wlan.driver.status" is used to indicate the
state of the driver to the rest of the system. There are .rc scripts for
example which wait for the state of this property.

Denials:
03-01 13:31:43.394   476   476 W android.hardwar: type=1400
audit(0.0:7243): avc: denied { read } for name="u:object_r:wifi_prop:s0"
dev="tmpfs" ino=10578 scontext=u:r:hal_wifi_default:s0
tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=0
03-01 13:31:43.399   476   476 E libc    : Access denied finding
property "wlan.driver.status"

Bug: 35765841
Test: Denials no longer seen
Change-Id: I502494af7140864934038ef51cb0326ba3902c63

Bug: 33075886
Test: N/A
Change-Id: I1654ee20fa6125cf3ed5c0796e85f289db5a9745

This starts with the reduction in the number of services that
ephemeral apps can access. Prior to this commit, ephemeral apps were
permitted to access most of the service_manager services accessible
by conventional apps. This commit reduces this set by removing access
from ephemeral apps to:
* gatekeeper_service,
* sec_key_att_app_id_provider_service,
* wallpaper_service,
* wifiaware_service,
* wifip2p_service,
* wifi_service.

Test: Device boots up fine, Chrome, Play Movies, YouTube, Netflix, work fine.
Bug: 33349998
Change-Id: Ie4ff0a77eaca8c8c91efda198686c93c3a2bc4b3