- Dec 09, 2015
-
Jeff Vander Stoep authored
Change-Id: I01bb0ad7c93e807cd76135bce554abf0908a54ab
-
Nick Kralevich authored
am: 4c1bbc30 * commit '4c1bbc30': Remove property read access for non-core properties
-
Jeffrey Vander Stoep authored
am: 4cf49a91 * commit '4cf49a91': Revert "Migrate to upstream policy version 30"
-
Nick Kralevich authored
am: 5a570a4b * commit '5a570a4b': Remove property read access for non-core properties
-
Jeffrey Vander Stoep authored
am: 5ca5696e * commit '5ca5696e': Revert "Migrate to upstream policy version 30"
-
- Dec 08, 2015
-
Nick Kralevich authored
Instead of allowing global read access to all properties, only allow read access to the properties which are part of core SELinux policy. Device-specific policies are no longer readable by default and need to be granted in device-specific policy.

Grant read-access to any property where the person has write access. In most cases, anyone who wants to write a property needs read access to that property.

Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
-
Marco Nelissen authored
-
Jeffrey Vander Stoep authored
This reverts commit 2ea23a6e.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
-
Jeffrey Vander Stoep authored
This reverts commit 2ea23a6e.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
-
Tao Bao authored
-
Nick Kralevich authored
am: def6593d * commit 'def6593d': Change /dev/ion from read-only to read-write
-
Nick Kralevich authored
am: 637af04e * commit '637af04e': Change /dev/ion from read-only to read-write
-
Nick Kralevich authored
am: 71fd337f * commit '71fd337f': Change /dev/ion from read-only to read-write
-
Nick Kralevich authored
Even though /dev/ion can allocate memory when opened in read-only mode, some processes seem to unnecessarily open it in read-write mode. This doesn't seem to be harmful, and was originally allowed in domain_deprecated. Re-allow it.

Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
-
Marco Nelissen authored
Change-Id: I6f07a36af3ff3cf5ba13322e1910b4455d2adbb7
-
Jeffrey Vander Stoep authored
am: af56999e * commit 'af56999e': Migrate to upstream policy version 30
-
Nick Kralevich authored
am: 3dd51b99 * commit '3dd51b99': shell.te: Restore /proc/net access
-
Jeffrey Vander Stoep authored
am: 862e4ab1 * commit '862e4ab1': Migrate to upstream policy version 30
-
Nick Kralevich authored
am: ce890bf8 * commit 'ce890bf8': shell.te: Restore /proc/net access
-
Jeffrey Vander Stoep authored
am: 9a3d490e * commit '9a3d490e': Migrate to upstream policy version 30
-
Nick Kralevich authored
am: 99c78bf2 * commit '99c78bf2': shell.te: Restore /proc/net access
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
-
Nick Kralevich authored
The removal of domain_deprecated from the shell user in https://android-review.googlesource.com/184260 removed /proc/net access. Restore it.

Bug: 26075092
Change-Id: Iac21a1ec4b9e769c068bfdcdeeef8a7dbc93c593
-
Tao Bao authored
Bug: 26039641
Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4
-
Nick Kralevich authored
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker am: 44826cb5 am: 7fe25900 am: 713ad50b * commit '713ad50b': Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
-
Nick Kralevich authored
am: 1d3cebc7 * commit '1d3cebc7': adbd: allow ddms screen capture to work again
-
Nick Kralevich authored
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker am: 44826cb5 am: 7fe25900 * commit '7fe25900': Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
-
Nick Kralevich authored
am: 44826cb5 * commit '44826cb5': Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
-
Nick Kralevich authored
Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker. This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
-
Nick Kralevich authored
am: 8e543646 * commit '8e543646': adbd: allow ddms screen capture to work again
-
Nick Kralevich authored
am: 5e8402df * commit '5e8402df': adbd: allow ddms screen capture to work again
-
Nick Kralevich authored
am: 80c34f6a * commit '80c34f6a': adbd: allow "adb pull /sdcard/"
-
- Dec 07, 2015
-
Nick Kralevich authored
The removal of domain_deprecated broke ddms screen capturing functionality.

Steps to reproduce:
1) Run "ddms"
2) Select your device
3) Go to the Device > Screen Capture menu
4) Attempt to take a screenshot

Addresses the following denials:

avc: denied { read } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for pid=2728 comm="screencap" path="/dev/ion" dev="tmpfs" ino=7255 ioctlcmd=4905 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26023462
Change-Id: Ie77c65900de56756d5c9b99dcda1e20664151ed2
-