Keymaster hal needs to be able to read the vendor SPL for purposes of
rollback protection.

Bug: 76428542
Test: Keymaster can access the hal_keymaster_default property
Change-Id: Ifa53adb23f6ab79346e9dd9616b34d8b24395a0a

This should help fix presubmit tests.

Bug: 78456764
Test: Built policy.
Change-Id: I7ec5afa83417770731d309d5a57b8a94afa24453
(cherry picked from commit 8c0d4609)

This is to fix the CTS failures given by the bugs below where devices
where traced is not enabled by default causes test failures.

(cherry picked from commit 673b4db7)

Bug: 78215159
Bug: 78347829
Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e

The corresponding change in aosp is made at aosp/669146

Violation:
04-23 10:51:03.926  2103  2103 W m.android.phone: type=1400 audit(0.0:8): avc: denied { write } for name="statsdw" dev="tmpfs" ino=22538 scontext=u:r:radio:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0

Bug: 78318738
Test: manual
Change-Id: I8aa70b07281df8a732f2f99d4d323961e425feea

Bug: 63932139
Bug: 76201991
Test: Manual A2DP testing (A2DP offload enabled and disabled)
Change-Id: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a
Merged-In: Icebb4a84cf241b3b6bc52e4826fdedd5a73d796a

Test: manual
Bug: 78318738

Change-Id: Ifa1cbbfdbb5acb713dfeb1d4bf98d1e116e5a89b

avc: denied { getattr } for path="/data" scontext=u:r:vendor_init:s0
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

Bug: 78345561
Test: build/boot device. Denial is gone.
Change-Id: Ie858f1fe65aeb1845b00a5143c345e81aa2ec632

Denial message:
avc: denied { read } for pid=2775 comm="dumpstate" name="update_engine_log"
dev="sda35" ino=3850274 scontext=u:r:dumpstate:s0
tcontext=u:object_r:update_engine_log_data_file:s0 tclass=dir permissive=0

Bug: 78201703
Test: take a bugreport
Change-Id: I2c788c1211812aa0fcf58cee37a6e8f955424849
(cherry picked from commit 7d474279)

And this CL will remove unnecessary vendor-init exceptions for nfc_prop
and radio_prop as well.

Bug: 77633703
Test: succeeded building and tested with Pixels
Change-Id: I468b8fd907c6408f51419cfb58eb2b8da29118ae
Merged-In: I468b8fd907c6408f51419cfb58eb2b8da29118ae
(cherry picked from commit 41e42d63)

FBE needs to access these files to set up or verify encryption for
directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e

Bug: 72841545
Change-Id: I30c1758e631a57f453598e60e6516da1874afcbf

Statsd sepolicy hal_health

Statsd monitors battery capacity, which requires calls to the health
hal.

Fixes: 77923174
Bug: 77916472
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests#testFullBatteryCapacity
Merged-In: I2d6685d4b91d8fbc7422dfdd0b6ed96bbddc0886
Change-Id: I767068c60cff6c1baba615d89186705107531c02

The out-of-tree keychord driver is only intended for use by init.

Test: build
Bug: 64114943
Bug: 78174219
Change-Id: I96a7fbcd9a54a38625063606f5c4ab6d40d701f6

Allow lmkd read access to /proc/meminfo for retrieving information
on memory state.

Bug: 75322373
Change-Id: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Merged-In: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
(cherry picked from commit 76384b3e)

After adding a new user, deleting it, and rebooting, some of the user's data still remained.  This adds the SELinux permissions necessary to remove all of the data.  It fixes the followign denials:

avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 74866238
Test: Create user, delete user, reboot user, see no denials or
leftover data.

Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
(cherry picked from commit 254a872c)

This adds numerous bug_map entries to try to annotate all denials
we've seen.

Bug: 78117980
Test: Build
Change-Id: I1da0690e0b4b0a44d673a54123a0b49a0d115a49
(cherry picked from commit f55786cf)

dumpstate needs to read all the system properties for debugging.

Bug: 77277669
Test: succeeded building and tested with taimen
Change-Id: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
Merged-In: I3603854b3be67d4fc55d74f7925a21bfa59c81ee
(cherry picked from commit 4de238e9)

We're adding support for OEMs to ship exFAT, which behaves identical
to vfat.  Some rules have been manually enumerating labels related
to these "public" volumes, so unify them all behind "sdcard_type".

Test: atest
Bug: 67822822
Change-Id: I09157fd1fc666ec5d98082c6e2cefce7c8d3ae56

Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27

Tombstoned unlinks "trace_XX" files if there are too many of them.

avc: denied { unlink } for comm="tombstoned" name="trace_12"
scontext=u:r:tombstoned:s0 tcontext=u:object_r:anr_data_file:s0
tclass=file

Bug: 77970585
Test: Build/boot taimen. adb root; sigquit an app.

(cherry picked from commit eb8f938f)

Change-Id: I2f29d12f747d688f8f4e06b48cf72c5109adc2ae