This switches Dumpstate HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Dumpstate HAL.

Domains which are clients of Dumpstate HAL, such as dumpstate domain,
are granted rules targeting hal_dumpstate only when the Dumpstate HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_dumpstate are not granted to client domains.

Domains which offer a binderized implementation of Dumpstate HAL, such
as hal_dumpstate_default domain, are always granted rules targeting
hal_dumpstate.

Test: adb bugreport
Test: Take bugreport through system UI
Bug: 34170079

(cherry picked from commit 47174e3b)

Change-Id: I3e827534af03cdfa876921c5fa4af3a53025ba27

am: d7cb7ff4

Change-Id: Iaa0c92775ab446010409cf784790763542cd4d48

am: 351ba2c8

Change-Id: I961d7edd3d14c0f87f54ecfe6b0947ed454d1f66

am: d68aae65

Change-Id: Ib57282ba98e07b330df27ae203f51ce17568088b

am: 58cc4a50

Change-Id: I6b0739595152d4716a246bf032e1e926e8e9ba87

am: bb252e98

Change-Id: Ic428c4301b2b6f8de5ba24b152e10d900c0f5aac

am: 313dfe7d

Change-Id: Id3134f3157f29b3e878cde82ed33cac35f162c87

In the master external/ipsec-tools/{main.c, racoon.rc},
racoon doesn't call setuid, and doesn't have the setuid capability.

Bug: 35642293
Signed-off-by: Lucas Duffey <lucas.duffey@invapid.org>

am: 9abc397b

Change-Id: I90dcdc32cbb48cc9dd9a583c1b13c3435cac2d72

am: a5c6cd06

Change-Id: I0100cedf44cf395891271228aa4ce0ef4bda86a0

am: 1c4014ab

Change-Id: I2a36fd9265032e343e92adf022705121bba287f4

am: d2dda9d9  -s ours

Change-Id: I09e43acbfd3d7e08fec3e274f81814fc51a482f5

am: ef27bb8a

Change-Id: I3b65acb16cb57db7964967529c01acef838f757e

am: 429e71a6

Change-Id: Id9a9c60ac55405ab02cede5690431c3ceacd1dba

Bug: http://b/32123312
Test: mm && boot
Change-Id: I6550fbe2bd5f9f5a474419b483b0f786d4025e88

am: e7bb0c80

Change-Id: Ie2b4ae4d1dba1241f03f7a299a7468cb84308ac5

am: eaf5525c

Change-Id: I7e58af319179acde4306c639e0408d5c364c277a

am: 0b1e965f

Change-Id: I666c3e5d216d9b3b1110d72467ed855fd78b2afb

This switches Fingerprint HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Bluetooth HAL.

Domains which are clients of Fingerprint HAL, such as system_server
domain, are granted rules targeting hal_fingerprint only when the
Fingerprint HAL runs in passthrough mode (i.e., inside the client's
process). When the HAL runs in binderized mode (i.e., in another
process/domain, with clients talking to the HAL over HwBinder IPC),
rules targeting hal_fingerprint are not granted to client domains.

Domains which offer a binderized implementation of Fingerprint HAL,
such as hal_fingerprint_default domain, are always granted rules
targeting hal_fingerprint.

NOTE: This commit also removes unnecessary allow rules from
Fingerprint HAL, such access to servicemanager (not hwservicemanager)
and access to keystore daemon over Binder IPC. Fingerprint HAL does
not use this functionality anyway and shouldn't use it either.

Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks
      with fingerprint or PIN
Test: Disable PIN (and thus fingerprint) secure lock screen
Test: make FingerprintDialog, install, make a fake purchase
Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device,
      adb shell stop,
      adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass
Bug: 34170079

Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1

The preview surface will run in app process and hal_camera will
need to wait on FD generated by preview surface.

Test: the denial is gone, able to take photo in
      messenger/hangout/drive application.
Bug: 35589980
Bug: 35485227
Change-Id: I1977174369b104617156065ff25203a17265b707

am: 23336671

Change-Id: Iab1f760ea7abeffebb8675d981e74faf465e439f

am: 0ccb8836

Change-Id: I416995e57663912c8383206416184bccdd0f8a20

am: 205ec044

Change-Id: Ia8ffaa7a7d2f92cdd9d298de92154660462e5dcf

untrusted_v2_app is basically a refinement of untrusted_app with legacy
capabilities removed and potentially backwards incompatible changes.

This is not currently hooked up to anything.

Bug: 33350220
Test: builds
Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2

This removes the compile-time deprecation warning about
hal_impl_domain macro. The warning was introduced in
86e87806f5777a7fc09ea962e694442297e4f8d6. We don't want to spam all
Android platform developers about something internal to the ongoing
SELinux policy restructuring.

Test: Policy compiles without any warnings
Test: Google Play Movies plays back movies (i.e., DRM HAL works)
Bug: 34170079
Change-Id: Icbd4d1283196f7ccc84c2a041c5601113d3c9f21

am: 2e30dec2

Change-Id: I893d885465d2e8df85ce74049a1f496495a58b95

am: 8cdc9632

Change-Id: Iaa036444a7467f6d323c09e651899a8b06e78b69

am: 3879c107

Change-Id: I8af408636378267bad6b9d4974f365489ad87e4c

am: 2a70c173

Change-Id: I81689fdf9a332a0d0ed645f207b1ac73731e77b3

am: 6b28742a

Change-Id: I87902101dac4b3468b929c6020f318afe21702d5

am: c1f8e9a0

Change-Id: I8b763f78a29561bddf6d80e3a59e39943a6340d3

am: 86bb63d1

Change-Id: I9d864cdf67c478b2f88800aea551bee070e9753a

am: 68a62bab

Change-Id: Id6cf0a234a40113b5c746c0b49b251c259e59322

am: db955a15

Change-Id: Ia1fd83b46f937daf00437bf2c9e35d46a95ecef4