am: ff61a10c

Change-Id: Ie0c415ee9e79628f0048ff30d0daffbd89420f74

am: b5081ea0

Change-Id: I3decd5c29ee797486d563393212cfc09666b77e1

am: 8f288f56

Change-Id: Ic1ff068363790a030eb15776fda5b32704b9a465

am: a21b3b19

Change-Id: I3e0bb56e66f2e4dc2ac04288e96c79070a710490

am: 6f700ae5

Change-Id: I6d58dcfa6037dc916d9ab5b995d2132e559783e1

am: 02d9d21d

Change-Id: I29861f9cc52001f2968c2313f48031dd01afe8c7

am: 52ae8351

Change-Id: I7a84acb504ffb803e3e782d0c5b2d4daf7565e8f

am: ef2057a6

Change-Id: I1c706c034571de2470fdb4458ab7c1ea43e4f52e

This tightens neverallows for looking up Binder servicemanager
services from vendor components. In particular, vendor components,
other than apps, are not permitted to look up any Binder services.
Vendor apps are permitted to look up only stable public API services
which is exactly what non-vendor apps are permitted to use as well.
If we permitted vendor apps to use non-stable/hidden Binder services,
they might break when core components get updated without updating
vendor components.

Test: mmm system/sepolicy
Bug: 35870313

Change-Id: I47d40d5d42cf4205d9e4e5e5f9d0794104efc28f

am: 91204e89

Change-Id: I54869120bda54b1584ff628a94a9aecac409d053

Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66
Merged-In: Ib8d610f201a8c35f95b464c24857c6639205bc66

am: 6c4c9bea

Change-Id: Ie6ab78d9c8f93ed00e3ec5923a9946d492199288

Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66

Devices that store their BT MAC address in /data/misc/bluedroid/ need
to find another place for that file.

Bug: 36602160
Test: Restart Bluetooth, check for selinux denials/files in /data/misc
Change-Id: Ib8d610f201a8c35f95b464c24857c6639205bc66

am: cc5da52f

Change-Id: Ie05d021efd289bf14f86ac070fce74c81ac7bd57

am: 36c8f160

Change-Id: I4c39b013d9d8f296171dde6d0b0b3400074f3825

am: 134c7182

Change-Id: I23e7aa2a87f34a4adc5fd5eac85710db6238d9db

am: d7a2f60d

Change-Id: Ifc66292d55f1daea28069cbf63cd70bf96fee74d

This reverts commit 5c09d123.

Broke the build

Bug: 35870313
Test: source build/envsetup.sh && lunch marlin-userdebug && m -j40
Change-Id: I71c968be6e89462fd286be5663933552d478f8bf

am: 3100873f

Change-Id: Icc445d11ccc9606717d07317446c43a2ef731447

am: c673770a

Change-Id: Icb5276a3b73419b4b0e3a9fea1af157d0e1ef882

Full treble targets cannot have sockets between framework and vendor
processes. In theory, this should not affect aosp_arm64_ab where only
framework binaries are built. However, /system/sepolicy has rild.te
which is now vendor binary and this causes neverallow conflict when
building aosp_arm64_ab.

So, we just temporarily annotate the rild with
socket_between_core_and_vendor_violators so that the neverallow conflict
can be avoided.

Test: choosecombo 1 aosp_arm64_ab userdebug; m -j 80 The build should
not break.

Change-Id: I260757cde96857cc3f539d5f82ca69c50653f8c7

am: 897473dc

Change-Id: Ic481a4198f03ee242d04cfa11d885353b24cde4c

am: a6dc0dc2

Change-Id: I0ac39078f058e970822deda9a3161c05b0dceaeb

am: d80511d3

Change-Id: I329798f6f7885aa68323367a43da6c0a3daa3fb5

am: 3ad5c9e7

Change-Id: I41a829460d932c30e564060fceb9169a7443014f

am: b78fd545

Change-Id: I227c5aee3e635922f39192bc9ce5a1ca5db46451

am: a581c048

Change-Id: Ic71ef550af5cb26ca7d4db01fa78bd6c74b98ca5

am: eaa5e298

Change-Id: I232deac94123b1e07a20789cc247aa95bb9b3327

am: 75760e9d

Change-Id: I02cfb5b418c2edaeaa02831113205e0a73f92342

am: 32815389

Change-Id: Id6cc5e3c1dc6b098f893b566dcbf09fc29973162

am: 7eb3dd3b

Change-Id: Iafaa3fd315533c4cb49847d927d2c7cbae71bb51

* changes:
  Add IpSecService SEPolicy
  Update Common NetD SEPolicy to allow Netlink XFRM