Bug: 26620936 and 27352427
Change-Id: I3d6d2e479d95133693790a97827e45e9dd30bc4a

SELinux label is created for contexthub_service system service.

ContextHub service manages all available context hubs and serves fulfil communication between apps
and underlying context hub hardware.

Change-Id: I8470fedd9c79a00012e1cdb9b548a1b632ba7de6

Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries.  Mark it as an app_api_service so
that all applications may use this API.  Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties.  As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

(cherry-picked from commit: 9ed71eff)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9

Bug: 27531271
Change-Id: I3c5eee86d09696373ab155f93ba6c85da224cb51

Bug 27325877

Change-Id: Idf2f9ae816e1f3d822a6286a4cf738c14e29a45e

NetworkTimeUpdateService has been registered as a system service, so that
its dump state can be included into bugreports.

Bug: 23983739
Change-Id: I0d364009ba4630dcfd1d22c647195e33eedaa4e0

Bug: 27239233
Change-Id: Icc9d14008d2ff6334a8ec66805f7289aedd5d97d

RecoverySystemService is separated from PowerManagerService as a
dedicated system service to handle recovery related requests (such as
invoking uncrypt to uncrypt an OTA package on /data or to set up /
clear the bootloader control block (i.e. /misc) and etc).

The matching CL in frameworks/base is in:
  Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560.

Bug: 26830925
Change-Id: Iee0583c458f784bfa422d0f7af5d1f2681d9609e
(cherry picked from commit 65b5fde9)

This will allow us to provide a better interface between Java
services (e.g., ConnectivityService) and netd than the current
FrameworkListener / NativeDaemonConnector interface which uses
text strings over a Unix socket.

Bug: 27239233
Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af

Bug: 26945055
Change-Id: I5745d02be9889f6a0e02de12bd8d8f2808de9ce0

Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2

update_engine needs to access bootctrl_block_device to get and set the slot to boot.
avc: denied { write } for name="mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file

Also track the name change of the native binder service.
avc:  denied  { add } for service=android.os.UpdateEngineService pid=210 uid=0 scontext=u:r:update_engine:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

Bug: 27106053
Change-Id: Idbfef18578489db33fead0721e8f26d63db5ce09
(cherry picked from commit 3ec34ceb)

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b

Add permissions to dex2oat, introduce otapreopt binary and otadexopt
service.

Bug: 25612095
Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7

This reverts commit 2afb217b.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb

In the same process as voiceinteraction.

Please see related CL ag/852049

Bug: 22860713
Change-Id: I43ebfdba2aafb151dd7db0814570027e1164508a

Register service with servicemanager and name the context.

avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager

Also allow priv_app to communicate with update_engine.

avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder

Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44

Bug: 26175834
Change-Id: I49244f8e6165ea5a871955f07b3c4ea40cbd7c59

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd

This reverts commit cda36e31.
This will be moved to a device specific file.

BUG: 24555181

Change-Id: I0eb543211245c37da77bbf42449f70ff3fdf79ec

Bug: 21445745
Change-Id: I59fd20f61a5e669e000f696f3738cc11071920aa

Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef

- Update selinux policy for CameraServiceProxy.

Bug: 21267484
Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10

Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e

System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b

Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df

This service will be implemented in packages/services/Telephony.

Bug: 19483786
Change-Id: Ia9a90bc859108d8657cae551d657e2fcdc261f88

Change-Id: I283663caea0ee1597645856fb31f13b26e902315

Change-Id: I283663caea0ee1597645856fb31f13b26e902315

Change-Id: I93a5410fdf3c26399d57f9568a48238968f61b3a

Bug: 19620911
Change-Id: I170b9d46bd49b1ad8bac6e37d0745893d79c14fe

Bug: 19186859

Change-Id: Ic08858f346d6b66e7bfc9da6faa2c6e38d9b2e82

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef

Bug: 18112269
Change-Id: I801a3ecb42a2636b15612ff19a55150d06786363

Change-Id: If7241659a8252d65187673f0d8e87150d5dfb72d

Commit: 9287e0dd272b85b475e33bcbd7d868517a0f98f9 removed the registration
of EntropyMixer with servicemanager, so it no longer needs a context.

Bug: 18106000

Cherry-pick of commit: 7cfef98c

Change-Id: I9aeb35e7ffde75090f4234ea193514fb883b1425