Certain libraries may actually be links. Allow OTA dexopt to read
those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

(cherry picked from commit 8cac2586)

More read rights are required now.

Bug: 25612095
Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42

(cherry picked from commit d47c1e93)

To include target slot names in the naming of A/B OTA artifacts,
and new path has been implemented. Instead of passing through
the system server and forking off of installd, otapreopt_chroot
is now driven directly from the otapreopt script.

Change the selinux policy accordingly: allow a transition from
postinstall to otapreopt_chroot, and let otapreopt_chroot inherit
the file descriptors that update_engine had opened (it will close
them immediately, do not give rights to the downstream executables
otapreopt and dex2oat).

Bug: 25612095
Bug: 28069686
Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb

Grant permissions observed.

Bug: 28760354
Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b

Grant permissions observed.

(cherry picked from commit 9c820a11)

Merged-in: Ifdead51f873eb587556309c48fb84ff1542ae303
Bug: 28760354
Change-Id: Ifdead51f873eb587556309c48fb84ff1542ae303

To include target slot names in the naming of A/B OTA artifacts,
and new path has been implemented. Instead of passing through
the system server and forking off of installd, otapreopt_chroot
is now driven directly from the otapreopt script.

Change the selinux policy accordingly: allow a transition from
postinstall to otapreopt_chroot, and let otapreopt_chroot inherit
the file descriptors that update_engine had opened (it will close
them immediately, do not give rights to the downstream executables
otapreopt and dex2oat).

Bug: 25612095
Bug: 28069686
Change-Id: I6b476183572c85e75eda4d52f60e4eb5d8f48dbb

More read rights are required now.

Bug: 25612095
Change-Id: I766b3b56064ca2f265b9d60e532cd22712f95a42

Give mount & chroot permissions to otapreopt_chroot related to
postinstall.

Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.

Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7