* isolated_app is no longer permitted to access /dev/hwbinder -- this
  was granted by mistake.
* There are now neverallows which enforce that isolated_app can't
  access HwBinder and VendorBinder.
* There are now neverallows which enforce that isolated_app can't add
  Binder and VendorBinder services to servicemanager and
  vndservicemanager.

Test: mmm system/sepolicy
Bug: 34454312
Change-Id: I8ba90a0dcb6a9fccd8f50c78cbd2409381376f7a

am: 6357101a

Change-Id: I7562278705ec85f9d9aec351f732405fa6f31781

am: 97903c05

Change-Id: Ida88d74292875a7f218e84d623d17b6e1286278d

Test: mmm system/sepolicy
Change-Id: I5729c636f6d3b361dc902375ee6410cf137fc9ad

am: 4d294e66

Change-Id: I82b442c36398d38101d12784fa64f4fef6eb1349

Currently ro.device_owner and persist.logd.security aren't accessible
without root, so "adb shell getprop" returns empty reply which is
confusing. Also these properties aren't seen from bugreport unless
their change happened recently.

Bug: 37053313
Test: manual, took bugreport and ran getprop after "adb unroot".
Change-Id: Id41cdabc282f2ebcdfc0ac7fe9df756322a0863d

Merge "Only the bluetooth app may run in the bluetooth domain" am: 35fd3212 am: fad50381 am: 20fa3aef
am: a990e5fc

Change-Id: I4fe0c1091b25d7510c2d2788eddde83609f3e1c7

am: 20fa3aef

Change-Id: I3f031cdd2d9f44b1154156383b13e1681aeefc2c

am: fad50381

Change-Id: Id123c5b3b1a4a276137d128c2ab0f6ca693e9867

am: 35fd3212

Change-Id: I2f2fa16dc59bcd3f13ed9525a6f68bc87d26ab3b

This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
Change-Id: Iecf74000e6c68f01299667486f3c767912c076d3

This handles any relabeling of vendor_file to a more specific type in
the case of device bringups or future changes to private/file_context
since ueventd will still need read access to all vendor_file's.

Test: Ueventd has read access to any vendor_file_type
Change-Id: I922af54c76d1ef46ea6536e6dc945b37bcc2126a

am: b92c1659

Change-Id: Ia54fb969971c3b605f114fe76b36efdd084faa70

am: 4e941ebb

Change-Id: I2d35c50e87ccbc86ed203d1018aa4724a458e957

am: 910e60c7

Change-Id: I10b076757792b33b75dc3a818495037c6ada0b49

am: b4f62b04  -s ours

Change-Id: Ia292d94402f2c0e46074aeb119867c6f470fc1ad

Remove neverallow exemption allowing other processes to run in
the bluetooth app's selinux domain.

The bluetooth domain is intended to host the zygote spawned
bluetooth app. It is not intended to host other bluetooth related
processes. Please define new domains for these processes.

Test: build Marlin
Change-Id: I1fd3dd0fe85f73457d77b63a65b4307821cbd41c

am: 14bb96f2

Change-Id: I7c9f2eae1ca88ac7aab960a3d8ddef7dace09c5c

am: 7f0c18b4

Change-Id: Ib764462e117579339bda41a6915b7216ffc0d947

am: d250a336

Change-Id: I81ff1d6a9651daeef66e1ea4e2a3c90bcf3e9bb6

am: 162319d0

Change-Id: Ifc803d7d645be1ec7bd1d34f05e821a522f797e2

am: 072f3865

Change-Id: Id583a952f22f4f70d9d9c27572ce0da692ec2688

am: 5684f61f

Change-Id: Ib0a65258afbe3828cd9d5e9921fc42893c729a5e

Allow the shell user to run tzdatacheck, which is required
to enable a new host side test.

This change also adds some additional checks to
tzdatacheck.te to ensure that OEMs opening up permissions
further don't accidentally create a security hole.

Bug: 31008728
Test: Ran CTS
Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36

This fixes

avc: denied { call } for comm="screencap" scontext=u:r:dumpstate:s0
  tcontext=u:r:hal_graphics_allocator_default:s0 tclass=binder
  permissive=0

Bug: 37360953
Test: adb shell dumpstate -p -o <path>
Change-Id: Ia9387559e3ec1ba51b614bb9d24294fbbbd51b1a

rc-style powerctl has beem removed. Accordingly, asan_extract now
needs access to sys.powerctl directly.

Bug: 36458146
Test: m && m SANITIZE_TARGET=address SANITIZE_TARGET_SYSTEM=true
Change-Id: Ic65a858962b4b3dd613fdbfa09f93d21425bf892

am: f8a18d47

Change-Id: Iba5fd78ab1d578878cde958b489c57959ac6a290

Add asanwrapper support for system server under sanitization.

Bug: 36138508
Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
Test: adb root && adb shell setprop wrap.system_server asanwrapper
Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0

am: 4f1763ef

Change-Id: I33c0dcab70613c0f0a669d0443332f204b92d55b