vndservicemanager is a copy of servicemanager, and so has the exact
same properties.  This should be reflected in the sharing of an object
manager in SELinux policy, rather than creating a second one, which is
effectively an attempt at namespacing based on object rather than type
labels.  hwservicemanager, however, provides different and additional
functionality that may be reflected in changed permissions, though they
currently map to the existing servicemanager permissions.  Keep the new
hwservice_manager object manager but remove the vndservice_manager one.

(preemptive cherry-pick of commit: 2f1c7ba7
to avoid merge conflict)

Bug: 34454312
Bug: 36052864
Test: policy builds and device boots.
Change-Id: I9e0c2757be4026101e32ba780f1fa67130cfa14e

am: dc8a278a

Change-Id: Ie2256f76ef644171b7eb67d63a0640aea21db445

am: ec470829

Change-Id: Ic6f08b67da93f015e9561c52311e0b1c3b610446

am: d648b5a7

Change-Id: I9e0ddd8adff4f93399b68f5d29ee0d5fa71627d6

am: 557d1916

Change-Id: I8f5bc75892aca2132d15a3b38d79dcf195119b01

am: c787f547

Change-Id: I785929439d8c81ae7d5bf587077708c23fa50170

am: c45e9b9a

Change-Id: I6af916d823b983581c5f7b33858364af6b2e4456

am: fdb9c018

Change-Id: I97a63c04df7a70822015d99eb619b4ae0147241f

am: 9d46f9b4

Change-Id: Id3bd7d69bd07fafdf76453e52de01b2b5bb67472

These rules allow the additional tracepoints we need for running traceur
in userdebug builds to be writeable.

Bug: 37110010
Test: I'm testing by running atrace -l and confirming that the
tracepoints that I'm attempting to enable are available.

Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd

This commit marks surfaceflinger and app domain (except isolated_app)
as clients of Configstore HAL. This cleans up the policy and will make
it easier to restrict access to HwBinder services later.

Test: Play YouTube clip in YouTube app and YouTube web page in Chrome
Test: Take an HDR+ photo, a normal photo, a video, and slow motion
      video in Google Camera app. Check that photos show up fine and
      that videos play back with sound.
Test: Play movie using Google Play Movies
Test: Google Maps app displays the Android's correct location
Bug: 34454312
Change-Id: I0f468a4289132f4eaacfb1d13ce4e61604c2a371

This could be useful in diffs between policy versions.

Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131

am: fe84716c

Change-Id: Id6058cf5c252930b71ca648cdbf7ada0157204ff

am: 5007c10a

Change-Id: I7a35f4749c90e08632bb0013e99624cd34920d9b

am: 204da471

Change-Id: I266b02ec2b01b3a8717a724b2ca9b6b5dad258d9

Change-Id: Iafa4abcff36fe75e031fc6b6c2108a7617d34b97

am: f5defc90

Change-Id: I8a59ecbf59f8e6618bd5a06e61a46594638d6bcd

am: 9f152d98

Change-Id: I1c319ac3558e5ff96072638dc4be97502da61056

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9

MediaProvider requires permissions that diverge from those
of a typical priv_app. This create a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9

This commit marks system_server and app domains (except isolated_app)
as clients of Graphics Allocator HAL. This makes the policy cleaner
and prepares ground for restricting access to HwBinder services.

Test: Play video in YouTube app and in Google Chrome YouTube web page
Test: Using Google Camera app, take an HDR+ photo, a conventional
      photo, record a video with sound and a slow motion video with
      sound, then check that photos look good and videos play back
      fine, including sound.
Bug: 34454312
Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a

am: 94eaf989

Change-Id: Idb0275994d21bda3b79f83588adf67004486c410

am: 0d1b2ce1

Change-Id: I2f2bb8fb9974dca42398f7c7cc5e7ace76824d47

am: 2f92a742

Change-Id: I9d1d538260e224c1c159e3f12585397a4bc9833c

am: 04a9c429

Change-Id: I9c44efe98a994ac302436325809657762ca6d26a

Bug: 36604251
Test: Netflix protected content, Play movies
Change-Id: I5c2c542007abddbe56b933ff44d65bd376b6691e

am: b76c352e

Change-Id: Ifc70c644ac582f2b3fb65a8f44a893e6626ee01f

am: 7eac10c7

Change-Id: Idfebcf45797a9feed9fb529a104d0b7e40e5ec28

am: f69d535c

Change-Id: I19a518a9f84d17fdd7d3f7b8613d85785948187f

am: 80cab7de

Change-Id: Iba1cf44b3e7c965b8ea7033b80a25393730512e9

The new binder_call() lines had to be added
because this change removes mediacodec from
binderservicedomain (on full-treble), hence
domains that could previously reach mediacodec
with binder_call(domain, binderservicedomain)
now need explicit calls instead.

Test: Youtube, Netflix, Maps, Chrome, Music
Change-Id: I3325ce20d9304bc07659fd435554cbcbacbc9829

Bug: 36463595
Test: make -j48 sepolicy
Change-Id: Id8e66e3e08ceb1301c36824af93410aa84def8d3
Signed-off-by: Sandeep Patil <sspatil@google.com>