- Dec 02, 2015
-
-
Jeffrey Vander Stoep authored
am: a0757c4d * commit 'a0757c4d': bootanim: Remove domain_deprecated
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
Remove domain_deprecated from bootanim. This removes some unnecessarily permissive rules. As part of this, re-allow access to cgroups, proc and sysfs, removed as a result of removing domain_deprecated. Bug: 25433265 Change-Id: I58658712666c719c8f5a39fe2076c4f6d166616c
-
Felipe Leme authored
am: 15a1e0d4 * commit '15a1e0d4': Explicitly added permissions that were previously granted through domain_deprecated.
-
Felipe Leme authored
domain_deprecated. BUG: 25965160 Change-Id: I586d082ef5fe49079cb0c4056f8e7b34fae48c03
-
Nick Kralevich authored
am: 4367cf2d * commit '4367cf2d': mdnsd: Remove domain_deprecated
-
Nick Kralevich authored
Remove domain_deprecated from mdnsd. This removes some unnecessarily permissive rules from mdnsd. As part of this, re-allow /proc/net access, which is removed as a result of removing domain_deprecated. Bug: 25433265 Change-Id: Ie1cf27179ac2e9170cf4cd418aea3256b9534603
-
Nick Kralevich authored
am: 8ff6a86d * commit '8ff6a86d': Add permissions back to app / shell domains
-
Nick Kralevich authored
Allow directory reads to allow tab completion in rootfs to work. "pm" is crashing due to failure to access /data/dalvik-cache. Add back in the permissions from domain_deprecated. Allow /sdcard to work again. Bug: 25954400 Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73
-
- Dec 01, 2015
-
-
Nick Kralevich authored
am: d618eb6f * commit 'd618eb6f': Allow appdomains to write on cgroup so it can start threads.
-
Nick Kralevich authored
Addresses the following denial:
avc: denied { write } for path="/dev/cpuctl/bg_non_interactive/tasks" dev="cgroup" ino=716 scontext=u:r:shell:s0 tcontext=u:object_r:cgroup:s0 tclass=file permissive=0
which started occurring because of https://android-review.googlesource.com/184260
Bug: 25945485 Change-Id: I6dcfb4bcfc473478e01e0e4690abf84c24128045
-
- Nov 30, 2015
-
-
Nick Kralevich authored
am: 8ca19368 * commit '8ca19368': Remove domain_deprecated from adbd and shell
-
- Nov 28, 2015
-
-
Nick Kralevich authored
The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc references this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
-
- Nov 25, 2015
-
-
Jeff Vander Stoep authored
am: 9a3d1c6b * commit '9a3d1c6b': Perms back to domain
-
Jeff Vander Stoep authored
allow reading symlinks in /data and getattr in /system Change-Id: I8cc9ca056725cf10ebfeef474ebf9c80c5300a73
-
- Nov 24, 2015
-
-
Sen Jiang authored
-
Nick Kralevich authored
am: cb835a28 * commit 'cb835a28': Add auditallow for bluetoothdomain rules
-
Nick Kralevich authored
Let's see if it's safe to get rid of them. Bug: 25768265 Bug: 25767747 Change-Id: Iaf022b4dafe1cc9eab871c8d7ec5afd3cf20bf96
- Nov 21, 2015
-
-
Sen Jiang authored
This allows bspatch to have the same permission as update_engine. Also added a rule to allow update_engine to execute bspatch. Bug: 24478450 Test: No more permission deny during delta update. Change-Id: If94bc703b2f3fc32f901f0d7f300934316d4e9a4
-
- Nov 20, 2015
-
-
Nick Kralevich authored
am: 4fd21606 * commit '4fd21606': system_server: allow restorecon /data/system/users/0/fpdata
-
Nick Kralevich authored
Addresses the following denial:
avc: denied { relabelfrom } for pid=9971 comm="system_server" name="fpdata" dev="dm-0" ino=678683 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
Bug: 25801240 Change-Id: I043f48f410505acaee4bb97446945316f656a210
-
- Nov 19, 2015
-
-
Jeff Vander Stoep authored
am: aef68b77 * commit 'aef68b77': Move some perms back to domain
-
Jeff Vander Stoep authored
libselinux stats selinuxfs, as does every process that links against libselinux such as toolbox.
grant:
    allow domain selinuxfs:filesystem getattr;
domain is already granted:
    allow domain self:dir r_dir_perms;
    allow domain self:lnk_file r_file_perms;
    allow domain self:{ fifo_file file } rw_file_perms;
To make these possible, also grant:
    allow domain proc:dir search;
Change-Id: Ife6cfa2124c9d61bf908ac89a8444676acdb4259
-
- Nov 18, 2015
-
-
Jeffrey Vander Stoep authored
am: 29a1e43e * commit '29a1e43e': grant country_detector_service app_api_service attribute
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
All apps should have access to the country_detector service.
avc: denied { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager
Bug: 25766732 Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f
-
Nick Kralevich authored
am: 85dcd53b * commit '85dcd53b': Move bluetoothdomain rules into their own file.
-
Nick Kralevich authored
Don't mix bluetooth rules with bluetoothdomain. The bluetoothdomain rules are used by several other SELinux domains, not just bluetooth, and keeping them in the same file is confusing. Change-Id: I487251ab1c1392467a39c7a87328cdaf802fc1f8
-
- Nov 17, 2015
-
-
Jeffrey Vander Stoep authored
am: bcf31c78 * commit 'bcf31c78': grant deviceidle_service app_api_service attribute
-
Jeffrey Vander Stoep authored
-
Jeff Vander Stoep authored
avc: denied { find } for service=deviceidle pid=26116 uid=10007 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:deviceidle_service:s0 tclass=service_manager
Bug: 25734577 Change-Id: I3c955e6df2186ad7adb6b599c5b6b802b8ecd8de
-
- Nov 16, 2015
-
-
Calin Juravle authored
am: 2469b32e * commit '2469b32e': Remove handling of dalvik-cache/profiles
-
Calin Juravle authored
Bug: 24698874 Bug: 17173268 Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18
-
- Nov 12, 2015
-
-
Nick Kralevich authored
am: 5c57e7c2 * commit '5c57e7c2': zygote.te: Remove deprecated rules
-
Nick Kralevich authored
f063f461 marked several zygote.te rules as "deprecated in M". Now that M is out the door, delete the obsolete rules. Change-Id: I7ff8abe8659bbcf7aa0b5c612ce3822a238df8ca
-
- Nov 11, 2015
-
-
Calin Juravle authored
am: f255d775 * commit 'f255d775': Add SElinux rules for /data/misc/trace
-
Calin Juravle authored
The directory is to be used in eng/userdebug build to store method traces (previously stored in /data/dalvik-cache/profiles). Bug: 25612377 Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993
-
- Nov 09, 2015
-
-
Jeffrey Vander Stoep authored
am: 7151f754 * commit '7151f754': remove overly permissive rules from domain
-
Jeffrey Vander Stoep authored
-