Allow mediacodec/mediaextractor to write to system_server pipes during
ANR dumps.

Addresses the following denials:
avc: denied { write } for comm="mediaextractor" path="pipe:[1177610]" dev="pipefs" ino=1177610 scontext=u:r:mediaextractor:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0
avc: denied { write } for comm="omx@1.0-service" path="pipe:[1175808]" dev="pipefs" ino=1175808 scontext=u:r:mediacodec:s0 tcontext=u:r:system_server:s0 tclass=fifo_file permissive=0

Bug: http://b/63801592
Test: treehugger
Change-Id: I944b1fa76c70402607ccd903be17dbddeaa73201
(cherry picked from commit 3c9b9197)

runas: grant access to seapp_contexts files am: dcec3ee9  -s ours am: 0da855ab  -s ours am: 18e75e3a  -s ours
am: faf0504a  -s ours

Change-Id: I8da56e4bda1a86b9631b5936378ad44f4036fec2

am: 18e75e3a  -s ours

Change-Id: I22ef22f0146170e03a02b72f668e62067ad448af

am: 0da855ab  -s ours

Change-Id: Ib03ffbf671ea4e48eb3e1f6fb0045c2bc33570dc

am: dcec3ee9  -s ours

Change-Id: Id04fb68971510d089e4fcd53fa24b77a1e9cd760

To be replaced by commit 1e149967
seapp_context: explicitly label all seapp context files

Test: build policy
Change-Id: I8d30bd1d50b9e4a55f878c25d134907d4458cf59
Merged-In: I0f0e937e56721d458e250d48ce62f80e3694900f

am: 3e6d842d

Change-Id: I42d9ebc6231932c6e5289ad2e9e4301c256f0036

am: 89f215e6

Change-Id: I6126315b398b2f66a5a7d9c98a8d9630c01314a7

Fixes:
neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
Warning!  Type or attribute hal_audio used in neverallow undefined in
policy being checked.

hal_audio_client is not used in neverallows and was mistakenly marked
as expandattribute false instead of hal_audio. Fix this.

Bug: 63809360
Test: build policy
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
    android.cts.security.SELinuxNeverallowRulesTest

    No more:
    Warning!  Type or attribute hal_audio used in neverallow
    undefined in policy being checked.

Change-Id: Iedf1b80f669f95537ed201cbdbb0626e7e32be81

Merge "allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns" am: 9f8773b4 am: 00d28684 am: 8926a408
am: d526583f

Change-Id: Id375d476c919186402451edd32b7c119a41d0e35

Merge "allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns" am: 9f8773b4 am: 00d28684
am: 8926a408

Change-Id: I88b8207da595bbae9d7791fc5b1446528b98f9b1

am: 00d28684

Change-Id: Ifcb82f3ae89e3033b85ca02b2ea9474ba0315569

am: 9f8773b4

Change-Id: I010337f7f5b81f4025a0d57e0e0b4fb8f4a90296

am: 0b2209bf

Change-Id: I2b8009c16046259a494dad10b005e3539fa24a85

am: b197b7c8

Change-Id: I77d33dec14641856fba474c16b7b98815313a049

am: 0bcb2030

Change-Id: I9937141ff425f437d46463bdb944e4524f8d8aa1

am: 8f687053

Change-Id: Ib0ba78601046e6574cbb44752ebc431791a62df6

This is needed for timerslack functionality which should be present in
most kernels going forward

Test: system_server can write to cameraserver files
Change-Id: I85797128b1467d92eb354364de8eb60f8e45c931

This type was removed in commit: 93166cef
and no longer needs to be included in compatibility infrastructure.

Bug: 62573845
Test: None, prebuilt change.
Change-Id: I9dc05512c7fcb3ef4445c4c6b040809a1d595282

Remove restriction to restrict only domains in AOSP to use the
untrusted_app_all attribute

BUG=63167163
Test: Sanity check

Change-Id: I9e1b8605fad108f45f988d8198a9a1cadb8dfa5e

The denial message:
update_engine: type=1400 audit(0.0:15213): avc: denied { getattr } for
path="/postinstall" dev="dm-0" ino=38 scontext=u:r:update_engine:s0
tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

update_engine: type=1400 audit(0.0:15214): avc: denied { sys_rawio } for
capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability permissive=0

auditd  : type=1400 audit(0.0:15213): avc: denied { getattr } for
comm="update_engine" path="/postinstall" dev="dm-0" ino=38
scontext=u:r:update_engine:s0 tcontext=u:object_r:postinstall_mnt_dir:s0
tclass=dir permissive=0

update_engine: [0428/070905:ERROR:utils.cc(716)] Error stat'ing /postinstall: Permission denied

Bug: 37760573
Test: apply an update and UE reads postinstall_mnt_dir without denial.
Change-Id: I55506f5e8544233f60ccf7c1df846c9c93946a25

am: 61b0d710

Change-Id: I3f3ecd781d085fabe9d733f44ae33e4412fc2288

am: a0804de2

Change-Id: I1c39dedf06bf0e791fc885c535c47ab410fa1905

am: f692d2fd

Change-Id: Id32185a33372c762a149bf78f73330588af55685

am: 9273c1bb

Change-Id: Ie4aec7f6b6cfe675bd69df399fa63ef1194b84ac

This was previously relying on domain_deprecated rules deleted in
change I588a1e7ea7ef984907b79a5a391efb2dcd6e6431.

Bug: 28760354
Test: unbreaks networking on AOSP bullhead
Change-Id: I873e1f08f72104dee7509e45b1db0b284ca56085

am: 0f7c9e7f

Change-Id: Iac2c8d05bdb68f76730c118b810b5c4f554b9da4

am: 03f36972

Change-Id: Ib3107f429c17fd4bf487a8a10849bee451d68424

am: 5d54e190  -s ours

Change-Id: Ie1856c442ef307e904037bbfae7dbb546378fb3b

am: 44e9d68b

Change-Id: I268bb425815c3b30e1030ce40907d27ee053ab27

am: 7cd696ee

Change-Id: Iea59a9607e56355372b1b90249853c48f2b63bba

am: b4f88cd6

Change-Id: I81484e7f4b130b0ddfc31ea3404d40a7db7cd94e