- Jul 12, 2017
-
-
Jeff Vander Stoep authored
Prevent files in /proc from incorrectly having sysfs_type attribute.

Rework neverallows so that ueventd has write access to all of /sys which it needs to handle uevents.

Bug: 63147833
Test: Build. Flash angler, verify files are correctly labeled and no new denials are in the logs.
Change-Id: Ib94d44e78cee0e83e2ac924f1c72e611e8e73558
-
Jeff Vander Stoep authored
This reverts commit 5bf94caf. Remove this temporary workaround. Bug: 63147833 Test: Build policy
-
Jeff Vander Stoep authored
am: 2cf0a1b4 Change-Id: I99e6f1f875cd86ba72ff02ea3734fa608c711caa
-
Jeff Vander Stoep authored
am: 43881923 Change-Id: Idef73c24efc037903f6c93bf28f560c0960e0d67
-
Jeff Vander Stoep authored
am: a987158d Change-Id: Ibd3d41c2c33c43fe18e89ca91639e8a4227fdc2e
-
Jeff Vander Stoep authored
am: 90d2772a Change-Id: I354fac8e2de0f7c3d09341d291b7989dad1e0726
-
Jeff Vander Stoep authored
am: 36bcc901 Change-Id: I0aafa7c4750c96e4dc872602a748b4bf211ee6e1
-
Jeff Vander Stoep authored
am: f6be4b66 Change-Id: I75c575577e7a7c99c140b092d3b490bd086de2db
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
Observed audited access to rootfs moved to individual domains in commit a12aad45 Bug: 28760354 Test: build Change-Id: Ie5e991d66668e70df69f21334032be6d574bf5c8
-
Lorenzo Colitti authored
Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret." am: c501c345 am: 98229375 am: f1d85fc1 am: 8358215d Change-Id: I782b305fc548faac35520a0e7413d77115fe8dd3
-
Lorenzo Colitti authored
Merge "Temporarily revert the SELinux policy for persist.netd.stable_secret." am: c501c345 am: 98229375 am: f1d85fc1 Change-Id: I818d200c6e95d7f28fae70ca6dfc3ea994f91239
-
Lorenzo Colitti authored
am: 98229375 Change-Id: I5e41b34370f507214d3dcdcedf16f3c29be77f65
-
Lorenzo Colitti authored
am: c501c345 Change-Id: I1b62a13240b49654fe8667909d23989d4651b37a
-
Lorenzo Colitti authored
-
Lorenzo Colitti authored
* changes: Temporarily remove netd_stable_secret_prop from compat infra. Temporarily revert the SELinux policy for persist.netd.stable_secret.
-
- Jul 11, 2017
-
-
Robert Benea authored
Test: I solemnly swear I tested this conflict resolution. Change-Id: Icf1e8ad95c40f497c731fa03dfd09d8b2c132aca
-
Robert Benea authored
am: ae342662 Change-Id: I610841f42f3cbb57d2b8d5df5758191a351d10fc
-
Robert Benea authored
am: 458b4593 Change-Id: Ieb0afbe6fb97da294fe44c075643c62ce24efbdc
-
Robert Benea authored
am: 6116489c Change-Id: Ie97e5fba4b46293888ad34c54fa0673909653651
-
Robert Benea authored
-
Jeff Vander Stoep authored
Ueventd needs write access to all files in /sys to generate uevents. Bug: 63147833 Test: build. Verify no ueventd denials in the logs. Change-Id: I89d33aab158dd192e761f14eff8afa1c71594bca
-
Jeff Vander Stoep authored
am: 53b987aa Change-Id: I3813dfca0efb4c933881b9f5ddddb5bc033c4cf1
-
Jeff Vander Stoep authored
am: 1f284f4b Change-Id: Ic767b5bc0320faed4733be10ff09103dccf4e929
-
Jeff Vander Stoep authored
am: 7297ea2a Change-Id: I37c6c64905e01ff4bf8d7a72c05fac3912dea793
-
Jeff Vander Stoep authored
am: a12aad45 Change-Id: I0cc33674afefeb455bd53702c304d9317ae2e937
-
Lorenzo Colitti authored
This will allow removing the netd_stable_secret_prop from common policy in master. It will be re-added after the wahoo-specific sepolicy for netd_stable_secret_prop lands in oc-dr1-dev, is automerged to master, and then is reverted in master.

This reverts commit ebea2b45.

Bug: 17613910
Bug: 62573845
Test: None, prebuilt change only.
Change-Id: I1234326d2fe6446e7e09ba9e97187518fa9bce33
-
Lorenzo Colitti authored
This change did not make it into core sepolicy in time for O. The revert allows devices to define these selinux policies in vendor-specific sepolicy instead of core sepolicy. It is necessary because:

1. It is too late to change property_contexts in O.
2. Adding the netd_stable_secret prop to vendor sepolicy results in a duplicate definition error at compile time.
3. Defining a new vendor-specific context (such as net_stable_secret_vendor_prop) and applying it to persist.netd.stable_secret results in the device not booting due to attempting to apply two different contexts to the same property.

Lack of the sepolicy no longer breaks wifi connectivity now that IpManager no longer considers failure to set the stable secret to be a fatal error.

Once all interested devices have adopted the vendor sepolicy, this policy can safely be reinstated by reverting said vendor sepolicies in internal master.

This reverts commit abb1ba65.

Bug: 17613910
Test: bullhead builds, boots, connects to wifi
Change-Id: Idffcf78491171c54bca9f93cb920eab9b1c47709
-
Jeff Vander Stoep authored
Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420 path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0" ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
-
Robert Benea authored
Allow lmkd to access /dev/memcg once again. Test: lmkd can access memcg bug: 36588803 Change-Id: I1f46b438050d95cebd2fcc495938192305fc9fc9
-
Jeff Vander Stoep authored
am: 366be191 -s ours Change-Id: I1ed0ac5e1836c3f995f13082e5f144e8dc477d03
-
Jeff Vander Stoep authored
am: feb28130 Change-Id: I8f436b73a2ce7ffca91c192df35c827447253de3
-
Jeff Vander Stoep authored
am: 7f2fb741 Change-Id: I38c91b9f3fc127313918bbd74199013ae7910f2b
-
Jeff Vander Stoep authored
Test: build Change-Id: Ibb899aa88878f5fc3ade9df0208a8026f2a57b11
-
- Jul 10, 2017
-
-
TreeHugger Robot authored
-
Jeff Vander Stoep authored
am: 0ba84942 -s ours Change-Id: Ie42095397a6173d0d0ce91c007bfe3298f64bbfe
-
Jeff Vander Stoep authored
am: 664743bd Change-Id: I0f802840891ff66eb74aeaed602f791412d07ffb
-
Jeff Vander Stoep authored
am: 3ca77476 Change-Id: Ie9ebd530b380bd61fd62bb3cab171f0f7e27156e
-
Jeff Vander Stoep authored
am: 790f4c7e Change-Id: I0dcc870c1280baf37e03b66b244e2ff046fad35d
-
Jeff Vander Stoep authored
Logs indicate that all processes that require read access have already been granted it. Bug: 28760354 Test: build policy Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62 Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62
-