An upcoming platform release is redesigning how external storage
works.  At a high level, vold is taking on a more active role in
managing devices that dynamically appear.

This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid.  It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.

For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.

Slightly relax system_server external storage rules to allow calls
like statfs().  Still neverallow open file descriptors, since they
can cause kernel to kill us.

Here are the relevant violations that this CL is designed to allow:

avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd

Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1

The deprecated/deleted usbfs kernel driver gets really unhappy when
SELinux denies it access to directories. On flo (3.4.0 kernel), this
comes across as an SELinux denial followed by a kernel panic.

Steps to reproduce:

  1. plug in a USB device.
  2. notice nothing happens.
  3. unplug the USB device
  4. plug it in again, watch for restart.

Expected:
  USB device works

Actual:
  [329180.030242] Host mode: Set DC level as 0x68 for flo.
  [329180.030395] msm_hsusb_host msm_hsusb_host: Qualcomm On-Chip EHCI Host Controller
  [329180.030639] Unable to create devices usbfs file
  [329180.030944] type=1400 audit(1425327845.292:12): avc: denied { search } for pid=24033 comm="kworker/0:1" name="/" dev="usbfs" ino=291099 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=dir
  [329180.060394] msm_hsusb_host msm_hsusb_host: new USB bus registered, assigned bus number 1
  [329180.091583] msm_hsusb_host msm_hsusb_host: irq 132, io mem 0x12500000
  [deleted]
  [329180.120178] hub 1-0:1.0: USB hub found
  [329180.120452] hub 1-0:1.0: 1 port detected
  [329180.123199] Unable to handle kernel NULL pointer dereference at virtual address 00000070
  [329180.123443] pgd = c0004000
  [329180.123809] [00000070] *pgd=00000000
  [329180.124206] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
  [329180.124481] CPU: 0    Tainted: G        W     (3.4.0-g2e8a935 #1)
  [329180.124908] PC is at mutex_lock+0xc/0x48
  [329180.125122] LR is at fs_create_file+0x4c/0x128
  [329180.125518] pc : [<c0916708>]    lr : [<c0440ec4>]    psr: a0000013
  [deleted]
  [329180.281005] [<c0916708>] (mutex_lock+0xc/0x48) from [<c0440ec4>] (fs_create_file+0x4c/0x128)
  [329180.281280] [<c0440ec4>] (fs_create_file+0x4c/0x128) from [<c04410c8>] (usbfs_notify+0x84/0x2a8)
  [329180.281738] [<c04410c8>] (usbfs_notify+0x84/0x2a8) from [<c009c3b8>] (notifier_call_chain+0x38/0x68)
  [329180.282257] [<c009c3b8>] (notifier_call_chain+0x38/0x68) from [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58)
  [329180.282745] [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) from [<c009c628>] (blocking_notifier_call_chain+0x14/0x18)
  [329180.283264] [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) from [<c043ef8c>] (generic_probe+0x74/0x84)
  [329180.283752] [<c043ef8c>] (generic_probe+0x74/0x84) from [<c04387c4>] (usb_probe_device+0x58/0x68)
  [329180.284240] [<c04387c4>] (usb_probe_device+0x58/0x68) from [<c03adc78>] (driver_probe_device+0x148/0x360)
  [329180.284576] [<c03adc78>] (driver_probe_device+0x148/0x360) from [<c03ac76c>] (bus_for_each_drv+0x4c/0x84)
  [329180.285034] [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) from [<c03adfc8>] (device_attach+0x74/0xa0)
  [329180.285522] [<c03adfc8>] (device_attach+0x74/0xa0) from [<c03ac94c>] (bus_probe_device+0x28/0x98)
  [329180.286041] [<c03ac94c>] (bus_probe_device+0x28/0x98) from [<c03ab014>] (device_add+0x444/0x5e4)
  [329180.286529] [<c03ab014>] (device_add+0x444/0x5e4) from [<c042f180>] (usb_new_device+0x248/0x2e4)
  [329180.286804] [<c042f180>] (usb_new_device+0x248/0x2e4) from [<c043472c>] (usb_add_hcd+0x420/0x64c)
  [329180.287292] [<c043472c>] (usb_add_hcd+0x420/0x64c) from [<c044600c>] (msm_otg_sm_work+0xe74/0x1774)
  [329180.287811] [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) from [<c0091d8c>] (process_one_work+0x280/0x488)
  [329180.288299] [<c0091d8c>] (process_one_work+0x280/0x488) from [<c00921a8>] (worker_thread+0x214/0x3b4)
  [329180.288787] [<c00921a8>] (worker_thread+0x214/0x3b4) from [<c0096b14>] (kthread+0x84/0x90)
  [329180.289276] [<c0096b14>] (kthread+0x84/0x90) from [<c000f3c8>] (kernel_thread_exit+0x0/0x8)

Allow the usbfs operation.

Bug: 19568950
Change-Id: Iffdc7bd93ebde8bb75c57a324b996e1775a0fd1e

Add selinux rules to allow file level encryption to work

Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209

Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df

Modify create_file_perms and create_dir_perms so it doesn't have
the "link" permission. This permission controls whether hard links
are allowed or not on the given file label. Hard links are a common
source of security bugs, and isn't something we want to support by
default.

Get rid of link_file_perms and move the necessary permissions into
create_file_perms and create_dir_perms. Nobody is using this macro,
so it's pointless to keep it around.

Get rid of unlink on directories. It returns EISDIR if you attempt to
do it, independent of SELinux permissions.

SELinux domains which have a need for hard linking for a particular
file type can add it back to their permission set on an as-needed basis.

Add a compile time assertion (neverallow rule) for untrusted_app.
It's particularly dangerous for untrusted_app to ever have hard
link capabilities, and the neverallow rule will prevent regressions.

Bug: 19953790
Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0

Address the following denial encountered when installing a forward-locked apk.

 W loop0   : type=1400 audit(0.0:36): avc: denied { read } for path="/data/app-asec/smdl1061145377.tmp.asec" dev="mmcblk0p28" ino=180226 scontext=u:r:kernel:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file

Bug: 19936901
Change-Id: I829858564a8f89677b2bb4cbd4c8fe4250ae51de

Add a compile time assertion that capabilities other than setuid
and setgid are never granted to run-as.

This is a compile time assertion only. No new capabilities are granted
or removed.

Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220

This service will be implemented in packages/services/Telephony.

Bug: 19483786
Change-Id: Ia9a90bc859108d8657cae551d657e2fcdc261f88

Add a compile time assertion that gpsd never has capabilities other
than block_suspend.

Bug: 19908228
Change-Id: Iaaf83191902ed04fe9df52c1ed44248fb1ce732d

Android has long enforced that code can't compile with text
relocations present. Add a compile time assertion to prevent
regressions.

Change-Id: Iab35267ce640c1fad9dc82b90d22e70e861321b7

Make sure we're not running fsck on block devices where it
doesn't make any sense. In particular, we should not be running
fsck on /system since it's mounted read-only, and any modification
to that block device will screw up verified boot.

Change-Id: Ic8dd4b0519b423bb5ceb814daeebef06a8f065b4

/odm has the same permissions as /system/... for devices with a
separate odm partition

Bug: 19609718
Change-Id: I6dd83d43c5fd8682248e79d11b0ca676030eadf0

Commit a1913988 added a new
SELinux label to /system/xbin/procrank, which had the effect of
preventing dumpstate from executing procrank. Allow dumpstate
to execute procrank.

Bug: 18342188
Change-Id: If5b781db0d3af34912f3c803b7fa73d53120f3ba

Change-Id: I283663caea0ee1597645856fb31f13b26e902315

/system/xbin/procrank is a setuid program run by adb shell on
userdebug / eng devices. Allow it to work without running adb root.

Bug: 18342188
Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7

Bug: 15435041
Change-Id: I26209bf8e0b896eac016b5dd1faf6b6e97d72aff
Signed-off-by: Daniel Micay <danielmicay@gmail.com>

This is causing more harm than good. We'll just make these all link
libc++ again and work out the CTS issues if they still exist.

Bug: 19778891

This reverts commit 3812cf58.

Change-Id: Iaea8f6acb147da4275633a760ccb32951db7f8b6

This is causing more harm than good. We'll just make these all link
libc++ again (another revert) and work out the CTS issues if they still
exist.

Bug: 19778891

This reverts commit a5113a15.

Change-Id: I35a4c93dae4abb66e3525451d5ce01e33a540895

Address sanitizer requires using libc++ (apparently). We removed
libc++ from these projects since they were C and the SDK/CTS was not
able to find libc++.

If we're interested in continuing to use ASAN on these tools
(probably), we should turn libc++ back on once we're sure CTS won't
die.

Bug: 19778891
Change-Id: I3c1913171a15396ead73277ec1186fead730f66d

Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory

Also indicate that none of the sepolicy tools need c++ std lib.

Bug: 19617220

Change-Id: I713b3cbd1220655413d399c7cd2b0b50459a5485

Needed since Iff1e601e1268d4d77f64788d733789a2d2cd18cc removed it
from appdomain.

Change-Id: I9fc08b525b9868f0fb703b99b0c0c17ca8b656f9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This was rendered obsolete when SELinuxDomainTest was ported
to SELinuxHostTest and only makes sense if allowing search
to domain:dir and { open read } to domain:file in order to
open the /proc/pid/attr/current files in the first place.
SELinux applies a further :process getattr check when
reading any of the /proc/pid/attr/* files for any process
other than self, which is no longer needed by app domains to
pass CTS.

Change-Id: Iff1e601e1268d4d77f64788d733789a2d2cd18cc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Executing /system/xbin/su is only supported on userdebug builds
for a limited number of domains. On user builds, it should never
occur.

Add a compile time assertion (neverallow rule) that this is
always true.

Bug: 19647373
Change-Id: I231a438948ea2d47c1951207e117e0fb2728c532

Require equivalence for all write operations.  We were already
doing this for app_data_file as a result of restricting open
rather than read/write, so this makes the model consistent across
all objects and operations.  It also addresses the scenario where
we have mixed usage of levelFrom=all and levelFrom=user for
different apps on the same device where the dominated-by (domby)
relation may not be sufficiently restrictive.

Drop the System V IPC constraints since System V IPC is never allowed
by TE and thus these constraints are dead policy.

Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Assigning mlstrustedsubject to untrusted_app would undermine
the per-user isolation model being enforced via levelFrom=user
in seapp_contexts and the mls constraints.  There is no direct
way to specify a neverallow on attribute assignment, but this
makes use of a particular property of the fork permission to
prevent ever adding mlstrustedsubject to untrusted_app.

A similar restriction for app_data_file and mlstrustedobject
is also important for the same reason, but cannot be expressed
as a neverallow.

Change-Id: I5170cadc55cc614aef0cd5f6491de8f69a4fa2a0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file.  Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te.  Just move the rules as appropriate.
Should be no change in policy.

Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Add an attribute command to sepolicy-analyze for displaying the list
of types associated with an attribute in a policy.  This is for use
by CTS to check what domains and types are associated with certain
attributes such as mlstrustedsubject and mlstrustedobject.

Change-Id: Ie19361c02feb1ad14ce36862c6aace9e66c422bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

With changes I431c1ab22fc53749f623937154b9ec43469d9645 and
Ia54aa263f2245c7090f4b9d9703130c19f11bd28, it is no longer
legitimate to use BOARD_SEPOLICY_IGNORE or REPLACE with
any of the *_contexts files since the CTS requires the AOSP
entries to be present in the device files.

Further, these changes render BOARD_SEPOLICY_IGNORE unusable for
most policy files since all domains and types referenced within any
of the AOSP *_contexts entries must be defined in the kernel policy, so
you cannot use BOARD_SEPOLICY_IGNORE to exclude any .te file
that defines a type referenced in any of those *_contexts files.
There does not seem to be a significant need for such a facility,
as AOSP policy is small and only domains and types used by most
devices should be defined in external/sepolicy.

BOARD_SEPOLICY_REPLACE is commonly misused to eliminate neverallow rules
from AOSP policy, which will only lead to CTS failures, especially
since change Iefe508df265f62efa92f8eb74fc65542d39e3e74 introduced neverallow
checking on the entire policy via sepolicy-analyze.  The only remaining
legitimate function of BOARD_SEPOLICY_REPLACE is to support overriding
AOSP .te files with more restrictive rule sets.  However, the need for this
facility has been significantly reduced by the fact that AOSP policy
is now fully confined + enforcing for all domains, and further restrictions
beyond AOSP carry a compatibility risk.

Builders of custom policies and custom ROMs still have the freedom to
apply patches on top of external/sepolicy to tighten rule sets (which are
likely more maintainable than maintaining a completely separate copy of
the file via BOARD_SEPOLICY_REPLACE) and/or of using their own separate
policy build system as exemplified by
https://bitbucket.org/quarksecurity/build-policies



Change-Id: I2611e983f7cbfa15f9d45ec3ea301e94132b06fa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Failed to include base_rules.mk, so this target was not being built.

Change-Id: I2414fa6c3e3e37c74f63c205e3694d1a811c956e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Generate general forms of the remaining *_contexts files with only the
device-independent entries for use in CTS testing.

Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Periodically, SELinux denials of the form:

  type=1400 audit(0.0:8574): avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

are being generated. These denials come from system_server and other
processes. There's no reason why system_server should be calling
sched_setscheduler() on a kernel thread.

Current belief is that these SELinux denials are a bug in the kernel,
and are being inappropriately triggered.

Revert 2d1650f4. The original reason
for accepting this change was to see if it would fix bug 18085992.
Unfortunately, even after the commit, the bug was still present.
The change had no impact on the bug.

Don't inappropriately grant system_server the ability to minipulate
the scheduling priority of kernel threads.

This reverts commit 2d1650f4.

Change-Id: I59bdf26ad247a02b741af2fa58a18e7e83ef44d8