This change extends the recovery mode modprobe sepolicy
to support loadable kernel module in normal mode by using
statement below in init.rc:

exec u:r:modprobe:s0 -- /system/bin/modprobe \
    -d /vendor/lib/modules mod

Bug: b/35653245
Test: sailfish  with local built kernel and LKM enabled
Change-Id: I827e2ce387c899db3e0e179da92e79c75d61f5ae

am: 81e48f97

Change-Id: I0f30763ac163bb5032d296097b346eec10ed2dc2

am: adabd898

Change-Id: I1eb82bf76bfef80bbb51e636d166e55a30b234bf

am: 987014c8

Change-Id: I97a2e56097ca2f4a23ae682afcb86c47d9fd8749

am: f91f369d

Change-Id: I58593c82cd9b7b1dc7fcdfa8916f4bf55a3d9ab4

am: 5d8fcf3b

Change-Id: I5f88b48df906acb9381dc853d61dcd5ef8d5e4e4

am: 73a6f38b

Change-Id: I24d9be712209ee22a33ae858001c4e38e0eb763a

am: f535a40d

Change-Id: I66da4d14a2388b1241b755280682f6e7d93d3830

am: e1742ef0

Change-Id: I007ae4064a8daf690b15bc5196131169727cbec9

am: 6b558dcb

Change-Id: I82c412038e43bb343dc355c9d1e56a11f6da6542

This change associates all domains which are clients of Allocator HAL
with hal_allocator_client and the, required for all HAL client
domains, halclientdomain.

This enables this commit to remove the now unnecessary hwallocator_use
macro because its binder_call(..., hal_allocator_server) is covered by
binder_call(hal_allocator_client, hal_allocator_server) added in this
commit.

Unfortunately apps, except isolated app, are clients of Allocator HAL
as well. This makes it hard to use the hal_client_domain(...,
hal_allocator) macro because it translates into "typeattribute" which
currently does not support being provided with a set of types, such as
{ appdomain -isolated_app }. As a workaround, hopefully until
typeattribute is improved, this commit expresses the necessary
association operation in CIL. private/technical_debt.cil introduced by
this commit is appended into the platform policy CIL file, thus
ensuring that the hack has effect on the final monolithic policy.

P. S. This change also removes Allocator HAL access from isolated_app.
Isolated app shouldn't have access to this HAL anyway.

Test: Google Play Music plays back radios
Test: Google Camera records video with sound and that video is then
      successfully played back with sound
Test: YouTube app plays back clips with sound
Test: YouTube in Chrome plays back clips with sound
Bug: 34170079
Change-Id: Id00bba6fde83e7cf04fb58bc1c353c2f66333f92

This is a follow-up to f5446eb1 where
I forgot to associate su and perfprofd domains with coredomain.

Test: mmm system/sepolicy
      sepolicy-analyze $OUT/root/sepolicy attribute coredomain
Bug: 35870313
Change-Id: I13f90693843f7c6fe9fea8e5332aa6dd9558478a

This couldn't be done in earlier because this domain does not yet exist
in AOSP master.

Test: mmm system/sepolicy -- no errors
Bug: 35870313
Change-Id: I323e5c22e471cd1900b88d0d1d4edfb5973a33d7

am: 49ce4394

Change-Id: I1b38d903e61188594d0de80be479e7d9e045fb26

am: 2fe065d7

Change-Id: Ieefcec5619fc2b941a675b473661dc561864ffc9

am: f5446eb1

Change-Id: I23d5d274ae05a9b0bdac6872be86c3f56aec734e

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

am: da6c88c9

Change-Id: I9b2c1457c7c8cf3a6c8edde11e4dad8883bbf34c

am: 3d12305d

Change-Id: Id45b1a26067b7525feabb029d5c98270d0c5994b

am: 93f99cb1

Change-Id: I877e23910bc424a2026bab1d9669bc6537ea5c31

am: 165c3701

Change-Id: I76b85c42d2a24810de78e56d6f9624eb8df04c90

am: 1ecff6fa

Change-Id: I9e4aefbdc5ec712164cb2946cda4b51a3967c8c3

am: 45afc7a6

Change-Id: I73d31158b87c68fa5b4ee80e33a397bb1be7c010

Whitelist several hals which can be dumped by bugreports. Don't want to
dump more because of the time it takes and also certain hals have
sensitive data which shouldn't be dumped (i.e. keymaster).

Test: dumps work for given hals
Bug: 36414311
Change-Id: Ic0eddfa95fa33abbc983d3b5161e42c240663f22

am: d7b8338e  -s ours

Change-Id: I66d268eb596277171a88377dad0e613a7497e3f4

am: 392c86e9

Change-Id: Id520704ad8a2be81648c33d2d1ef4a865badacd0

am: 4dd14f69

Change-Id: I60c3e0f1441aa4f548b1875e68f49c2047bf74e4

This fixes the following denial in O:

 update_engine: type=1400 audit(0.0:2100): avc: denied { sigkill } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=0

Bug: 35111618
Test: update_engine_client --cancel during postinstall
Change-Id: I7456a95b5ca6fbdb268a5e16a13e2409758141f5

am: 4c013db7

Change-Id: I77c714f588bdc78020af4e7dbf6a89d9e6792ca6

am: d437f0e0

Change-Id: Ib72b4435a8173a213f1ddb3331afc0bebf991029

am: d3ce5dc3

Change-Id: Ifd66a82a429b18f6e0077b042dccef38ddcd636d

Test: no relevant denials on marlin while booting
Test: no relevant denials on angler while booting
Bug: 36278706
Change-Id: Ieba79e1c8fca4f74c63bc63e6dd0bdcf59204ca2

vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387
Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff

Rules in clients of NFC HAL due to the HAL running (or previously
running) in passthrough mode are now targeting hal_nfc. Domains which
are clients of NFC HAL are associated with hal_nfc only the the HAL
runs in passthrough mode. NFC HAL server domains are always associated
with hal_nfc and thus get these rules unconditionally.

This commit also moves the policy of nfc domain to private. The only
thing remaining in the public policy is the existence of this domain.
This is needed because there are references to this domain in public
and vendor policy.

Test: Open a URL in Chrome, NFC-tap Android to another Android and
      observe that the same URL is opened in a web browser on the
      destination device. Do the same reversing the roles of the two
      Androids.
Test: Install an NFC reader app, tap a passive NFC tag with the
      Android and observe that the app is displaying information about
      the tag.
Test: No SELinux denials to do with NFC before and during and after
      the above tests on sailfish, bullhead, and angler.
Bug: 34170079

Change-Id: I29fe43f63d64b286c28eb19a3a9fe4f630612226

am: 8f0abfec

Change-Id: Id2a898b91932fa74389586bb534cb1dba3bfe26c