- Jul 10, 2017
-
Dan Cashman authored
Platform SELinux policy may be updated without a corresponding update to non-platform policy. This is meant to be accomplished by maintaining a compatibility mapping file which will be built along with the current platform policy to link older non-platform policy. Introduce an example vendor policy built from 26.0 public policy and make sure that the current platform policy and mapping file, for that version, build with it. Add this as a dependency for the selinux_treble_tests, which are meant to ensure treble properties, ultimately to provide this compatibility guarantee. Bug: 36899958 Test: Current platform policy builds with oc-dev vendor policy and oc-dev mapping file. Removed private type with no effect. Removed public type without corresponding mapping entry causes build to fail. Change-Id: I7994ed651352e2da632fc91e598f819b64c05753
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Dan Cashman authored
This CL was accidentally reverted a second time by commit: cb5129f9. Submit it for the third, and final, time. Bug: 62102757 Test: Builds and boots.
-
Jeff Vander Stoep authored
Logs indicate that all processes that require access already have it. Bug: 28760354 Test: build Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8 (cherry picked from commit 3e5bb807)
-
Jeff Vander Stoep authored
am: fcfeb3e0 Change-Id: Ib50c35e368764f7acb87e23c1a0091ad7eeb1fd4
-
Jeff Vander Stoep authored
am: e0e2b35b Change-Id: I607a7bddad8d3d02b9df3d5a4fb826a716a1a967
-
Jeff Vander Stoep authored
am: d5d98a4d Change-Id: I1dbcbcbb940fdcf94e2634f43d933c91bb13ce41
-
Jeff Vander Stoep authored
am: 55efefc3 Change-Id: Ib67a9685e41019a290c903dc5b733d405ddddf61
-
Jeff Vander Stoep authored
am: 77285737 Change-Id: I19c2b7107293fbe903cd6601f36b85aa3d099f80
-
Jeff Vander Stoep authored
am: 4e6f67fb Change-Id: Ia3fe7f33ca0dc2f18040d3128ce84f0878fc8d63
-
Jeff Vander Stoep authored
am: 90ae4f6b Change-Id: Ia793ed369cc05c123fb013fd10e8b19f006d92ff
-
Jeff Vander Stoep authored
am: f4ce8f6c Change-Id: Ie0bc01a5b8acc6b79a3a31d5807f46f1e1df8c6c
-
Jeff Vander Stoep authored
Clean up "granted" logspam. Grant the observed audited permissions including:

tcontext=cache_file
avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { search } for comm="Binder:8559_2" name="cache" dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0" ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file

tcontext=proc
avc: granted { getattr } for comm="Binder:14529_2" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for comm="Binder:22671_2" name="cmdline" dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="dumpstate" path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

tcontext=sysfs
avc: granted { read open } for comm="Binder:14459_2" path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } for comm="Binder:21377_2" path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1" dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456 scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file

tcontext=proc_meminfo
avc: granted { read } for comm="top" name="meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for comm="top" path="/proc/meminfo" dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file

tcontext=rootfs
avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs" ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file

tcontext=selinuxfs
avc: granted { getattr } for comm="df" path="/sys/fs/selinux" dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir

tcontext=system_file
avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw" dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_file:s0 tclass=dir

tcontext=system_data_file
avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables" dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables" scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 28760354 Test: Build policy Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263
-
Jeff Vander Stoep authored
Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
Test: build policy Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b (cherry picked from commit f44002b3)
-
- Jul 07, 2017
-
Dan Cashman authored
Commit: e58a8de5 added a new type which has no analogue in 26.0. Record it as such. Bug: 62573845 Test: None. Prebuilt change only. Change-Id: I6b6d2aa64e0ac2c39c8d0427d333e6c7fc2b0bb1
-
Dan Cashman authored
Commit: 86cb5215 gave /dev/memcg a new label, but also explicitly prohibited access to vendor domains. Add the type to the 'new types' and don't map it to any other type for backwards compatibility. Bug: 62573845 Test: None. Prebuilt change only. Change-Id: I8902716830b162ead69834544ace9e02a94c65b4
-
Dan Cashman authored
Commit: 38f0928f added a type for a new system service. This service did not exist previously, so mark the type as not needing any compat entry. Bug: 62573845 Test: None. Prebuilt change only. Change-Id: I52d8e144c614b27f5c52fa99be6cfac87159bbcd
-
Dan Cashman authored
Commit: 78e595de added a new hwservice, which replaced a previous system service. This effectively means we are deleting one object and creating a new one, so no compatibility mapping should be necessary since previous vendor processes trying to access the service will not be able to find it now independent of policy. Bug: 62573845 Test: None. Prebuilt change only. Change-Id: I6882d968dccb55561379e940f6ecb62902bb1659
-
Dan Cashman authored
Bug: 37896931 Test: none, just update prebuilt. Change-Id: Id940d1c2bc46deab1eb49bacebbb41069e2034e4
-
TreeHugger Robot authored
-
- Jul 06, 2017
-
TreeHugger Robot authored
-
TreeHugger Robot authored
-
Joel Galenson authored
When moving SELinux rules from file_contexts to genfs_contexts, we added some genfs rules to label specific files. It turns out that one of those files was the prefix of some other files, and since genfs does prefix-labeling, those other files had their labels changed. To fix this, we are changing the whole tracefs /instances/wifi from debugfs_tracing_instances to debugfs_wifi_tracing (a few of the files already had this label). This simplifies the rules. Bug: 62413700 Test: Built, flashed, and booted two devices. Verified that the files have the correct context and that wifi, camera, and traceur work. Change-Id: Id62db079f439ae8c531b44d1184eea26d5b760c3
-
Android Build Merger (Role) authored
Merge "domain_deprecated: remove tmpfs dir access am: ca5bb337 am: 453f4a51 am: 407e9457 am: 8b0f89e4"
-
Jeff Vander Stoep authored
am: 8b0f89e4 Change-Id: I6a75dc96a8e5994f22a8776a413d8a6a01da4fdd
-
Android Build Merger (Role) authored
Merge "domain_deprecated: remove tmpfs dir access am: ca5bb337 am: 453f4a51 am: 407e9457 am: 8b0f89e4"
-
Android Build Merger (Role) authored
Merge "Merge "Preserve attributes needed for CTS" into oc-dr1-dev am: 1eff6417 am: d006aea0 -s ours"
-
Jeff Vander Stoep authored
am: 8b0f89e4 Change-Id: I02aefb28ad044dc7d85956156fde638c101bdbe5
-
Android Build Merger (Role) authored
Merge "Merge "Preserve attributes needed for CTS" into oc-dr1-dev am: 1eff6417 am: d006aea0 -s ours"
-
Jeff Vander Stoep authored
am: d006aea0 -s ours Change-Id: Ie76a6c836163a8755507232b5b493a24a7b84da8
-
Jeff Vander Stoep authored
am: d006aea0 -s ours Change-Id: Ifce7d19ce6469f5526a2e4d2b40db07c6524e368
-
Android Build Merger (Role) authored
Merge "Merge changes from topic 'am-52eed220ada34c3aba959fcbb20dfeab' into oc-dr1-dev-plus-aosp am: c436013b -s ours"
-
Dan Cashman authored
Commit: b8f7a408 removed three attributes from public policy. These attributes could be assigned to vendor types, and so need to be kept in policy when combined with vendor policy of that version. Bug: 62573845 Test: None. Prebuilt change only. Change-Id: I7d71ef7795f8b82c214c2ef72478c3ca84d1869c
-
Jeff Vander Stoep authored
am: 407e9457 Change-Id: If277928809ec2bcaf7f72ef9cba5dd5d45d333ca
-
Jeff Vander Stoep authored
am: 453f4a51 Change-Id: Iff9292a4a92fdd78eebdf2ec5fab8d571fc755f6
-
Jeff Vander Stoep authored
am: ca5bb337 Change-Id: I185d127216ee72821c64daf31601fdcbe1a9c069
-
Jeff Vander Stoep authored
am: 1eff6417 Change-Id: I095df5cbd680d495fac54186ab16e2287d454c3a
-