The new A/B OTA artifact naming scheme includes the target slot so
that the system is robust with respect to unexpected reboots. This
complicates the renaming code after reboot, so it is moved from the
zygote into a simple script (otapreopt_slot) that is hooked into
the startup sequence in init.

Give the script the subset of the rights that the zygote had so that
it can move the artifacts from /data/ota into /data/dalvik-cache.
Relabeling will be done in the init rc component, so relabeling
rights can be completely removed.

Bug: 25612095
Bug: 28069686
Change-Id: Iad56dc3d78ac759f4f2cce65633cdaf1cab7631b

To include target slot names in the naming of A/B OTA artifacts,
and new path has been implemented. Instead of passing through
the system server and forking off of installd, otapreopt_chroot
is now driven directly from the otapreopt script.

Change the selinux policy accordingly: allow a transition from
postinstall to otapreopt_chroot, and let otapreopt_chroot inherit
the file descriptors that update_engine had opened (it will close
them immediately, do not give rights to the downstream executables
otapreopt and dex2oat).

Bug: 25612095
Bug: 28069686
Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb

bug 24503801

Change-Id: I6cf1afb3982c4da4f5e57188d3e24ac01c4bd416

Required for using native audio in BootAnimation

Bug: 29055299
Change-Id: Ie75d35219be95a8dc697cc3c0384a4de90ea3478

Bug: 29278988
Change-Id: I199572377a6b5c33116c718a545159ddcf50df30

Remove exemption for init.

Bug: 29761117
Change-Id: I754ca647e3834010702c7dcd7fd10c1f6c61c594

Change-Id: I35c70e171e0bfbb28992845a4927b9a29b28f110

Previously appdomains allowed to execute off of /data
where whitelisted. This had the unfortunate side effect of
disallowing the creation of device specific app domains
with fewer permissions than untrusted_app. Instead grant
all apps a neverallow exemption and blacklist specific app
domains that should still abide by the restriction.

This allows devices to add new app domains that need
/data execute permission without conflicting with this rule.

Bug: 26906711
Change-Id: Ia876cc1dfd5b12908c59bd9e8620a6b890729c28

am: d0feed89

Change-Id: Iff29cfb3468182acbc683d4766f813f59e01ff58

avc: denied { search } for pid=394 comm="lmkd" name="lowmemorykiller" dev="sysfs" ino=7541 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=dir permissive=0

(Cherry picked from commit 30a3ee4c)

Bug: 29558514
Change-Id: Iaae907a92976af2a9dcb58be5643b8614dcde174

update_verifier calls bootcontrol HAL to mark the currently booting slot
as successfully booted.

avc: denied { search } for name="block" dev="tmpfs" ino=15510 scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { search } for name="block" dev="tmpfs" ino=15510 scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0

Bug: 29569601
Test: Marlin boots up with no update_verifier denials and 'bootctl is-slot-marked-successful 0' returns 0.
Change-Id: I1baa7819bc829e3c4b83d7168008a5b06b01cc9f

am: 42aaf5a0

Change-Id: I225056d3febfa71be4c425bf4283cc0d7f356c7d

update_engine launches the postinstall process and can suspend and
resume it by sending SIGSTOP and SIGCONT. This fixes the following
denials:

update_engine: type=1400 audit(0.0:88): avc: denied { sigstop } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1
update_engine: type=1400 audit(0.0:89): avc: denied { signal } for scontext=u:r:update_engine:s0 tcontext=u:r:postinstall:s0 tclass=process permissive=1

Bug: 28959137
TEST=`update_engine_client --suspend ; update_engine_client --resume` while the device is running postinstall.

(cherry picked from commit 108b74a1)

Change-Id: Iec8e10fe0cfda5c0764d2e5ad90ea1c6dd13dab2

Cherrypicked from AOSP
(commit 51fdddaf).

BUG: 29455997
Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb

This is needed in order to include profile files in bugreports.

Bug: 28610953
Change-Id: I025189a4ac66b936711fdb4e20b10c2b0a7427d1

am: 5143b6a2

Change-Id: Ifa04829e7c60adcae31795475d3f19bc519f2f82

Addresses:
avc:  denied  { find } for service=nfc pid=3355 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

BUG=29339762
Change-Id: I87479ef4607bd3e18a2fecb53909c4878e227e2b

am: b71cf12f

Change-Id: I90e1d56ce61c3093333c6c2e570527f94e743b72

Merge \"Revert \"dumpstate: Change SELinux policy to allow reading /data/misc/profiles\"\" into nyc-dev
am: d261aa96

Change-Id: I94314c8e3277719295dd85c0a672dc1ab2a6b820

This reverts commit 70a31245.

Bug: 28610953
Bug: 29395357
Change-Id: I8b531f488444457d329e43e0c298f2ed231378bf

am: a4e2aa13

Change-Id: I0af984f16893a9367769549967aea8cb5f30285f

Grant installd the policies to recursively delete
the foreign-dex folder when removing a user. Otherwise
the user cleanup will partially fail and cause a boot loop
when the userId is reused as some later point.

Bug: 29285673
Change-Id: I023f150cffbeb10b6014f48bca9eb0922c2d630a

Commit: b144ebab added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them.  Add the ability
to write to sysfs_usb for all domains that had the ability to write to
those files previously (sysfs).

Address denials such as:
type=1400 audit(1904.070:4): avc:  denied  { write } for  pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849

am: 92e79e22

Change-Id: I120a8a0a73ec37adee5771f7ffcc7be695b4c141

Per "man socket":

  SIOCGSTAMP
  Return a struct timeval with the receive timestamp of the last packet
  passed to the user. This is useful for accurate round trip time
  measurements. See setitimer(2) for a description of struct timeval.
  This ioctl should only be used if the socket option SO_TIMESTAMP is
  not set on the socket. Otherwise, it returns the timestamp of the last
  packet that was received while SO_TIMESTAMP was not set, or it fails
  if no such packet has been received, (i.e., ioctl(2) returns -1 with
  errno set to ENOENT).

Addresses the following denial:

avc: denied { ioctl } for comm=6E6574776F726B5F74687265616420
path="socket:[42934]" dev="sockfs" ino=42934 ioctlcmd=8906
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket permissive=0

Bug: 29333189
Change-Id: I916a695fa362cf1cf6759629c7f6101e9f657e7d

am: 43151dd4

Change-Id: I9116f2820891a266ddf163ac28b6f45721d044ad

am: f8f4d3e1

Change-Id: If2975c226b86c11595f5c41a964783f7e9caa171

It no longer needs access to audio and camera

Bug: 22775369
Change-Id: I1de1f0e3504b214d6943733bf60eb83654b71048

Some legitimate functionality currently requires direct sysfs access
that is not otherwise possible via the android APIs.  Specifically,
isochronous USB transfers require this direct access, without which USB
audio applications would noticibly suffer.

Grant read access to the usb files under /sys/devices to prevent this
regression.

Bug: 28417852
Change-Id: I3424bf3498ffa0eb647a54cc962ab8c54f291728

am: c878a025

Change-Id: I386059682c8fbbfec7ad9ad009a296bc4454869c

Addresses:
avc: denied  { find } for service=media.camera pid=1589 uid=1001 scontext=u:r:radio:s0 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0

Bug: 29190415
Change-Id: I77c0337500b8ab2f5d7d3d5982c7416fc39b1522

update_engine can trigger a factory-reset when the update to an older
version or an incompatible version requires it.

Bug: 28700985
TEST=Updated a device with a factory-reset required and the BCB was
written.

(cherry picked from commit 15105ce7)

Change-Id: I7d2efc0e7f164d618cbb3fe190882e4fa8a89bac