SELinux label is created for contexthub_service system service.

ContextHub service manages all available context hubs and serves fulfil communication between apps
and underlying context hub hardware.

Change-Id: I8470fedd9c79a00012e1cdb9b548a1b632ba7de6

Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries.  Mark it as an app_api_service so
that all applications may use this API.  Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties.  As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

(cherry-picked from commit: 9ed71eff)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9

Bug: 27531271
Change-Id: I3c5eee86d09696373ab155f93ba6c85da224cb51

Bug 27325877

Change-Id: Idf2f9ae816e1f3d822a6286a4cf738c14e29a45e

NetworkTimeUpdateService has been registered as a system service, so that
its dump state can be included into bugreports.

Bug: 23983739
Change-Id: I0d364009ba4630dcfd1d22c647195e33eedaa4e0

Bug: 26804329
Change-Id: I7b789c6fe8411e3a4a718da86d442a0f48c5c310

RecoverySystemService is separated from PowerManagerService as a
dedicated system service to handle recovery related requests (such as
invoking uncrypt to uncrypt an OTA package on /data or to set up /
clear the bootloader control block (i.e. /misc) and etc).

The matching CL in frameworks/base is in:
  Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560.

Bug: 26830925
Change-Id: Iee0583c458f784bfa422d0f7af5d1f2681d9609e
(cherry picked from commit 65b5fde9)

This will allow us to provide a better interface between Java
services (e.g., ConnectivityService) and netd than the current
FrameworkListener / NativeDaemonConnector interface which uses
text strings over a Unix socket.

Bug: 27239233
Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af

Bug: 26945055
Change-Id: I5745d02be9889f6a0e02de12bd8d8f2808de9ce0

Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2

Address the following denial from 3rd party voice interaction test:
SELinux : avc:  denied  { find } for service=voiceinteraction pid=30281 uid=10139 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=0

Bug: 27105570
Change-Id: Ib87d364673cbc883df017bcda7fe1e854a76654f

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b

Add permissions to dex2oat, introduce otapreopt binary and otadexopt
service.

Bug: 25612095
Change-Id: I80fcba2785e80b2931d7d82bb07474f6cd0099f7

This reverts commit 2afb217b.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb

The services under this label are not meant to be exposed to all apps.
Currently only priv_app needs access.

Bug: 26799206
Change-Id: I07c60752d6ba78f27f90bf5075bcab47eba90b55

Register service with servicemanager and name the context.

avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager

Also allow priv_app to communicate with update_engine.

avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder

Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d

All apps should have access to the country_detector service.

avc:  denied  { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager

Bug: 25766732
Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f

All apps should have access to the country_detector service.

avc:  denied  { find } for service=country_detector pid=1802 uid=1010002 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:country_detector_service:s0 tclass=service_manager

Bug: 25766732
Change-Id: Ie3f1a801114030dada7ad70c715a62907a2d264f

avc:  denied  { find } for service=deviceidle pid=26116 uid=10007 scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:deviceidle_service:s0 tclass=service_manager

Bug: 25734577
Change-Id: I3c955e6df2186ad7adb6b599c5b6b802b8ecd8de

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd

This reverts commit cda36e31.
This will be moved to a device specific file.

BUG: 24555181

Change-Id: I0eb543211245c37da77bbf42449f70ff3fdf79ec

Verifier needs access to apk files.
avc: denied { search } for pid=11905 comm="ackageinstaller" name="vmdl2040420713.tmp" dev="dm-2" ino=13647 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_tmp_file:s0 tclass=dir permissive=0

Give bluetooth_manager_service and trust_service the app_api_service
attribute.
avc:  denied  { find } for service=bluetooth_manager pid=7916 uid=10058 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:bluetooth_manager_service:s0 tclass=service_manager permissive=0
avc:  denied  { find } for service=trust pid=25664 uid=10069 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=0

Bug: 25066911
Change-Id: I6be695546f8a951e3329c1ec412936b8637e5835

avc:  denied  { find } for service=network_management pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager
avc:  denied  { find } for service=netstats pid=4503 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=0

Bug: 25022496
Change-Id: Ib6eac76b680fed3eca7e4942c6b0e375f12b6496

avc:  denied  { find } for service=webviewupdate pid=11399 uid=10070 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:webviewupdate_service:s0 tclass=service_manager permissive=0

Bug: 25018574
Change-Id: I26a7846d1c80c1ab3842813f4148528030b1106a

Bug: 21445745
Change-Id: I59fd20f61a5e669e000f696f3738cc11071920aa

Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef

- Update selinux policy for CameraServiceProxy.

Bug: 21267484
Change-Id: Ib821582794ddd1e3574b5dc6c79f7cb197b57f10

deviceidle service should be accessible to all non third-party apps.

Cherry-pick of commit: 7c1dced7

Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa

deviceidle service should be accessible to all non third-party apps.

Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa

This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

(cherry picked from commit effcac7d)

Bug: 20526234
Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13

This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747

Settings needs to be able to access it when opening developer options.

Address the following denial:
avc:  denied  { find } for service=persistent_data_block scontext=u:r:system_app:s0 tcontext=u:object_r:persistent_data_block_service:s0 tclass=service_manager

Bug: 20131472
Change-Id: I85e2334a92d5b8e23d0a75312c9b4b5bf6aadb0b

Backup service needs to be accessible to all apps to notify the system when
something changes which is being backed-up.

Bug: 18106000
Change-Id: I8f34cca64299960fa45afc8d09110123eb79338b

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c

Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1

Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095