vndservicemanager is the context manager for binder services
that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Change-Id: Ifbf536932678d0ff13d019635fe6347e185ef387

am: 46695b73

Change-Id: I2ec74670d8b61cf7fea34d8f6937a477b58ed689

am: 14d792d7

Change-Id: I3ca172822c6db5361637f90b5619afb2a87689e9

am: cc877324

Change-Id: I41b9754e467918d04aa97fe68bf93790062fc66d

Apps should be able to access the configstore HAL since framework
libraries which are loaded into app process can call configstore.

Letting apps have direct access to this HAL is OK because: 

(1) the API of this HAL does not make clients provide any sensitive 
information to the HAL, which makes it impossible for the HAL to 
disclose sensitive information of its clients when the HAL is 
compromised, 

(2) we will require that this HAL is binderized (i.e., does not run 
inside the process of its clients), 

(3) we will require that this HAL runs in a tight seccomp sandbox 
(this HAL doesn't need much access, if at all) and,

(4) we'll restrict the HALs powers via neverallows.

Test: apps can use configstore hal.

Change-Id: I04836b7318fbc6ef78deff770a22c68ce7745fa9

am: a25d9022

Change-Id: Iee58e7c59dd2c0da041aba7083b70a8a9d6de715

am: c4ec1e00

Change-Id: Ia201d24b1edbf5ac2ea4d6e7b24b23b2a9d37f35

am: 10184efa

Change-Id: I57d847a050217c8564d1b9f64e35aab276d27e40

Test: I solemnly swear I tested this conflict resolution.
Change-Id: Id4353e38c8e79037801875280f4ad2ee2160405d

am: 453f6400

Change-Id: I99bb53c1376dca0072609e68d3b9c3bd2fa963f5

am: 08d6f566

Change-Id: Ib9a4687273a0aa6f43fb4c15ce499d5c41db3d4d

am: 7e26fe4a

Change-Id: I72b534b55324ce3dc8df9a46b5c205e4e76f5509

am: 0fd07767

Change-Id: I519288986e98f95591722e7ed1982a0467fc4501

am: 00a03d42

Change-Id: I0d66b07b8fa3f1a992fd2b3a864dafb3c9c7eb0c

This switches Allocator HAL policy to the design which enables us to
identify all SELinux domains which host HALs and all domains which are
clients of HALs.

Allocator HAL is special in the sense that it's assumed to be always
binderized. As a result, rules in Camera HAL target hal_allocator_server
rather than hal_allocator (which would be the server and any client, if
the Allocator HAL runs in passthrough mode).

Test: Device boots up, no new denials
Test: YouTube video plays back
Test: Take photo using Google Camera app, recover a video, record a slow
      motion video
Bug: 34170079
Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936

Every client of Graphics Allocator HAL needs permission to (Hw)Binder
IPC into the HAL.

Test: Device boots, no denials to do with hal_graphics_allocator
      (also, removing the binder_call(hal_graphics_allocator_client,
      hal_graphics_allocator_server) leads to denials)
Test: GUI works, YouTube works
Bug: 34170079

Change-Id: I5c64d966862a125994dab903c2eda5815e336a94

This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079

Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5

am: 4abc2d23

Change-Id: I6602b883078cbf5778f9843d68263633de351dbc

am: 2a887bfb

Change-Id: I4e6cada4fd2cdaae9022fc949dfe84837df24088

am: 51a2238c

Change-Id: I612c84a8e27d6b2db8008fd8f71dc5c5f8c7f6d8

This switches Boot Control HAL policy to the design which enables us
to conditionally remove unnecessary rules from domains which are
clients of Boot Control HAL.

Domains which are clients of Boot Control HAL, such as update_server,
are granted rules targeting hal_bootctl only when the Boot Control HAL
runs in passthrough mode (i.e., inside the client's process). When the
HAL runs in binderized mode (i.e., in another process/domain, with
clients talking to the HAL over HwBinder IPC), rules targeting
hal_bootctl are not granted to client domains.

Domains which offer a binderized implementation of Boot Control HAL,
such as hal_bootctl_default domain, are always granted rules targeting
hal_bootctl.

P. S. This commit removes direct access to Boot Control HAL from
system_server because system_server is not a client of this HAL. This
commit also removes bootctrl_block_device type which is no longer
used. Finally, boot_control_hal attribute is removed because it is now
covered by the hal_bootctl attribute.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079
Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf

am: 294b7d22

Change-Id: I2479a5dad9e714352634c199101f70c253a7b34a

am: e8acb4f6

Change-Id: Iab0ebf0748c4c3dda5a7505050d3f87d5ddf0608

am: 11ce09bc

Change-Id: I8e964a15af674c16e8272fdcf3c617eb5821c64a

The fix for b/35100237 surfaced this error. This SELinux policy
fragment was included only on Marlin, but needs to be included in core
policy.

Bug: 35100237
Test: With https://android-review.googlesource.com/#/c/354292/
Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin.
Test: Connect:
03-17 15:41:22.602  3809  3809 I mtpd    : Starting pppd (pppox = 9)
03-17 15:41:22.628  3811  3811 I pppd    : Using PPPoX (socket = 9)
03-17 15:41:22.637  3811  3811 I pppd    : pppd 2.4.7 started by vpn, uid 1016
03-17 15:41:22.639  3811  3811 I pppd    : Using interface ppp0
03-17 15:41:22.639  3811  3811 I pppd    : Connect: ppp0 <-->
03-17 15:41:22.770  3811  3811 I pppd    : CHAP authentication succeeded
03-17 15:41:22.909  3811  3811 I pppd    : MPPE 128-bit stateless compression enabled
03-17 15:41:23.065  3811  3811 I pppd    : local  IP address 172.16.36.113
03-17 15:41:23.065  3811  3811 I pppd    : remote IP address 172.16.36.1
03-17 15:41:23.065  3811  3811 I pppd    : primary   DNS address 8.8.8.8
03-17 15:41:23.065  3811  3811 I pppd    : secondary DNS address 91.239.100.100

Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927

am: 8ef9a36a

Change-Id: I486d9f7de964f230dbd87b129dedbaf651991655

am: 1e77eac6

Change-Id: Icd6e61eef74a51bdffe58af7effbe441b8df53e6

am: 87ec1d55

Change-Id: I93b7abac24ba6edf158d9caa0d91cb247e6e73f0

am: bcd48241

Change-Id: I5a6b0228e421d197dd9023aec79c07c73be03a35

am: 3cc71b09

Change-Id: I09b098573619738cfaf8da9c84e6321bad72e6fa

am: f7c2613e

Change-Id: I8153d6c7fa3d2aa05851f9d3c7de6011165f1302

Certain libraries may actually be links. Allow OTA dexopt to read
those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed

Allow getattr on links for otapreopt_slot. It reads links (to the
boot image oat files) when collecting the size of the artifacts
for logging purposes.

Bug: 30832951
Test: m
Change-Id: If97f7a77fc9bf334a4ce8a613c212ec2cfc4c581

am: 026679e3

Change-Id: Ia8f7ad357ce34068f0c1b4bfe54723e3ae05e2bc

am: c067607b

Change-Id: I5c97dca913c4e7efaa5bf87459e8a60a2f08d622

am: 37f7ffa3

Change-Id: I57b6b54327d79011bf0366f46c77cecb2b8826ac