- Nov 09, 2017
-
-
Jeff Vander Stoep authored
Vendor apps may only use servicemanager provided services marked as app_api_service. surfaceflinger_service should be available to vendor apps, so add this attribute and clean up duplicate grants.
Addresses:
avc: denied { find } scontext=u:r:qtelephony:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:ssr_detector:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc: denied { find } scontext=u:r:qcneservice:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
-
Treehugger Robot authored
-
Treehugger Robot authored
-
- Nov 08, 2017
-
-
Jeff Vander Stoep authored
1. Remove some duplicate permissions.
2. Grant permissions to su for dgram sockets in a way that is consistent with how we grant permissions to stream_sockets.
Bug: 34980020
Test: build
Change-Id: I50e01d51444a70ead3ef40b52eda8eb29732b46c
-
Yifan Hong authored
/sys/power/state is labeled as sysfs_power now. Allow charger to write to it instead of writing to sysfs.
Test: no denials for charger on this file
Change-Id: Idf8c2656fa1094a69a627c1a705a83893bf3afb3
-
Victor Hsieh authored
Test: system server does not crash with this change Bug: 67415855 Bug: 63920015 Change-Id: I3d0982220743137098dbc683d5c4aded105648c2
-
Luis Hector Chavez authored
Bug: 62378620 Test: Android in Chrome OS can call uevent_kernel_recv() and not fail with EIO. Test: bullhead networking still works Change-Id: I4dd5d2148ee1704c4fa23d7fd82d1ade19b58cbd
-
- Nov 07, 2017
-
-
Tri Vo authored
Bug: 65643247 Test: build aosp_sailfish-userdebug Test: build walleye-userdebug from internal Change-Id: Ic7a212ce226dcfa4b363ed1acd3b2a249cee576b
-
Treehugger Robot authored
-
- Nov 06, 2017
-
-
William Roberts authored
domain based tmpfs file access has getattr, read and write. However newer kernels support map. Add this map permission so they can use mmap based access.
Test: build test.
Change-Id: I2e128967e10a1332b3c1c908550360a52fbceaf8
Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
Jeff Vander Stoep authored
These are no longer used. Test: build aosp_marlin Bug: 34980020 Change-Id: I04e4aa2322fcdf5945b99967d88287c353b9a6ae
-
Jeff Vander Stoep authored
This will be used to enforce data separation between platform and vendor. Test: build Bug: 34980020 Change-Id: Ia312f00068d3982c7aae7e35bd0c96a6eb9ea3be
-
- Nov 03, 2017
-
-
Tri Vo authored
Bug: 65643247 Test: build aosp_sailfish-userdebug Test: build walleye-userdebug from internal This CL does not change runtime behavior. Change-Id: I82c520579b986ea2a4a6f030ec60d5345c00b54f
-
- Nov 02, 2017
-
-
Treehugger Robot authored
-
Tri Vo authored
-
Shubham Ajmera authored
Test: manual(installd flow without sepolicy denials) Bug: 67111829 Change-Id: I7ac1a86e731ec5900eec83608b4765a6818f2fd0
-
Tri Vo authored
Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to):
1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs
We keep a list of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces.
Bug: 68159582
Bug: 68792382
Test: build aosp_sailfish-user
Test: build aosp_sailfish-userdebug
Test: CP to internal and build walleye-user
Change-Id: I1b2890ce1efb02a08709a6132cf2f12f9d88fde7
-
Max Bires authored
-
Tri Vo authored
-
Tobias Thierer authored
This reverts commit 502e43f7. Reason for revert: Suspected to have broken a build, see b/68792382 Bug: 68792382 Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249
-
- Nov 01, 2017
-
-
Max Bires authored
This denial affects marlin as well Test: The associated denials are properly tagged with this bug Change-Id: Ie90f1ac8c9a930465d8b806d77c2975c5f046403
-
Tri Vo authored
-
Treehugger Robot authored
-
Nick Kralevich authored
Test: code compiles. Change-Id: I2677ebdaf7ca491c60697da9d3ebf5a5d8cb5036
-
- Oct 31, 2017
-
-
Tri Vo authored
Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to):
1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs
We keep a list of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces.
Bug: 68159582
Test: bullhead, sailfish can build
Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5
-
Yifan Hong authored
Default health service needs following permissions to work:
- read /sys/class/power_supply
- uevent
- wakelock
Bug: 63702641
Test: no denials for health service
Change-Id: I2f3aed3ef3b5ac024da17d9d5400d9834038df9f
-
- Oct 30, 2017
-
-
Jin Qian authored
avc: denied { create } for scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0
avc: denied { create } for comm="iotop" scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=netlink_generic_socket permissive=0
Bug: 68040531
Change-Id: I24a8a094d1b5c493cc695e332c927972f99ae49c
-
- Oct 27, 2017
-
-
Treehugger Robot authored
-
Calin Juravle authored
The permission was removed in https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/433615/ but is still needed in order to optimize application code.
Denial example:
10-26 16:29:51.234 894 1469 D PackageManager.DexOptimizer: Running dexopt on: /data/user/0/com.google.android.gms/snet/installed/snet.jar pkg=com.google.android.gms isa=[arm64] dexoptFlags=boot_complete,public,secondary,force,storage_ce target-filter=quicken
10-26 16:29:51.253 2148 2148 W Binder:695_5: type=1400 audit(0.0:39): avc: denied { read } for name="0" dev="sda35" ino=917506 scontext=u:r:installd:s0 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0
Test:
adb shell cmd package reconcile-secondary-dex-files com.google.android.googlequicksearchbox
adb shell cmd package compile -m speed --secondary-dex com.google.android.gms
Change-Id: I694d1a780e58fa953d9ebda807f5f5293dbb0d56
-
- Oct 26, 2017
-
-
Tri Vo authored
Bug: 65643247
Test: adb sideload an ota package
Test: mount /system
Test: view recovery logs
Test: run graphics test
Test: run locale test
Test: wipe data/factory reset
Test: factory reset from Settings app
Tested on sailfish; no selinux denials to sysfs type are observed.
Change-Id: Ic8487d53d90b7d1d050574e0b084627d1b6abdba
-
Treehugger Robot authored
-
Tri Vo authored
Addresses these denials when wiping data on sailfish:
avc: denied { open } for pid=488 comm="mke2fs_static" path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0 tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1
avc: denied { search } for pid=488 comm="mke2fs_static" name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1
avc: denied { read } for pid=488 comm="mke2fs_static" name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1
Test: Wipe data/factory reset -> no selinux denials
Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc
-
Treehugger Robot authored
-
- Oct 25, 2017
-
-
Paul Crowley authored
AIUI permissions should be in private unless they need to be public. Bug: 25861755 Test: Boot device, create and remove a user, observe logs Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da
-
Tom Cherry authored
First pass at adding vendor_init.te Bug: 62875318 Test: boot sailfish with vendor_init Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
-
Tom Cherry authored
-
- Oct 24, 2017
-
-
Paul Crowley authored
-
Tom Cherry authored
Test: boot sailfish with no audit when writing to page-cluster Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8
-
Tri Vo authored
-
Paul Crowley authored
10-23 16:40:43.763 7991 7991 I auditd : type=1400 audit(0.0:79): avc: denied { open } for comm="vold_prepare_su" path="/dev/pts/1" dev="devpts" ino=4 scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
Bug: 67901036
Test: Boot device, create user, create files, remove user, observe logs
Change-Id: I8d33dfd2a0b24611773001f20101db40aeb13632
-