A previous commit (a83e0cc) already labels these with genfs_context,
which has better performance.

Bug: 62413700
Test: Built, flashed, and booted.  Verified that the files have
the correct context.

Change-Id: I464b0df30fabfc5f1c7cd7430e53e8d04bfacb53

am: 47609809

Change-Id: I4a294fc077f665ac3b43f0b7421d7eb30c9a8bb9

am: 96c619c8

Change-Id: Ib2d0ad551b0a8c4e3bf8529dd89fb8f563e5b651

This reverts commit 50889ce0.

Bug: 62427402
Test: Build and boot.
Change-Id: I32eae7997c901981d3228b61f33322a7c2c84301

Revert "SELinux policy for secure persistent netd storage" am: 06486796 am: edcfb2e1 am: 0f52004b
am: 722583fb

Change-Id: I5b13461ca05c04a2082689b7301f3d1b850d0933

am: 0f52004b

Change-Id: I5df1b7411cc87c6b983d80d716d9ec05f1ba9339

am: edcfb2e1

Change-Id: I86565448fa4d5ccd412772825decb5dc62cd6343

am: 06486796

Change-Id: Ia575329a0d4e83ff0d3a70b30ad3ef7e026c42f1

This broke the build on master. See b/17613910#comment17
for details.

This reverts commit ef1fd98b.

Change-Id: I11f7d463061a9b6340c11827135586266e26f016

am: d6da377a

Change-Id: Id608af3667c5ba9e60dd4630f9b718bc84ff96d0

am: 36efd0c4

Change-Id: I31b2eda5c305723b1f35ce2ba284e6593ac891b6

am: 9381cb3d

Change-Id: I3ae9005ee76b51105ec215cefc5a81c25405c482

am: ef1fd98b

Change-Id: I6d5e2f4b43b3b52708190e8111828e54a252d5a7

This is used to persist RFC 7217 stable secrets across device reboots.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I4dad00fb189d697aceaffae49ad63987c7e45054

Test: let fs_mgr format a damaged /data partition
Bug: 35219933
Change-Id: I379567772c73e52f532a24acf640c21f2bab5c5b

This reverts commit c00c07c1.

Change-Id: I0c4f5e8cece9c48672a5210adb7e8427e4fd427a

This should improve performance, as file_contexts is slower than
genfs_contexts.

Bug: 62413700
Test: Built, flashed, and booted Marlin.  Verified that some of the
files have the correct context.
Change-Id: Ia28707ec565a0792bc882fbffe9e8ab9968535f5

Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b

Service boottrace runs atrace out of shell context for tracing during
boot. Therefore, we need the same permission set in shell.te to run atrace
in boottrace service.

Bug: 34094010
Test: None
Change-Id: I94b2c3f9a74da377b0467112ebd4e1ee658847a4

Allow run-as to read/write unix_stream_sockets created by adbd. am: 1847a38b am: 23946193 am: 96df849f
am: 690ab198

Change-Id: I7e3c27dad722e2bd208281d74c475a39f91b04dc

am: 96df849f

Change-Id: I631667710b2998361b0e2db3f13f5fb7d2582420

am: 23946193

Change-Id: I0bfb94d859467848ce54e1b7e7581f543331c640

am: 1847a38b

Change-Id: I8c8351da5f2c41a284a6c6aa05e268f209242e00

Copy the final system sepolicy from oc-dev to its prebuilt dir
corresponding to its version (26.0) so that we can uprev policy and
start maintaining compatibility files, as well as use it for CTS
tests targeting future platforms.

Bug: 37896931
Test: none, this just copies the old policy.
Change-Id: Ib069d505e42595c467e5d1164fb16fcb0286ab93

am: c6ba60d8

Change-Id: I1a091cb4715577db620ec5e0b3e3dabfcd15ee6a

am: e546e81b

Change-Id: Iac0bb7ca4994a7921049881f94e767b34851052e

checkseapp does not expect filenames before the appearance of neverallow
rules against which to check.  They had previously been hidden by default
because they were only gathered from one file, but with the addition of
the BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIRS to allow for /system policy
extensions, this may change.

Bug: 36467375
Bug: 62357603
Test: Builds with seapp_contexts extension.
Change-Id: I270bd60ae368aa3c082299d57c4bf12936ac2073

On Marlin ~120 ms of time is spent relabeling /sys/devices/system/cpu
every time we come out of suspend. Moving from file_contexts to
genfs_contexts as the labeling mechanism knocks this down to ~3 ms.

Bug: 32938130
Test: build and boot Marlin. Verify that files in
    /sys/devices/system/cpu have the proper label before and after
    suspend.

Change-Id: Ie71ea7e3dd5df250cabe4ba9600afbf67e69f720

am: e3aad5ed  -s ours

Change-Id: I00c4e09c718b06df5a47b3af7093d0dc01d292b6

am: 715955b7  -s ours

Change-Id: Idaf2e285bc60707aaa1141d9c141146e37c2526f

am: c85b8596  -s ours

Change-Id: I32f3b92444637ac4f62b53bc7b66daa64c6bd7dd