- Oct 26, 2017
-
-
Treehugger Robot authored
-
- Oct 25, 2017
-
-
Paul Crowley authored
AIUI permissions should be in private unless they need to be public. Bug: 25861755 Test: Boot device, create and remove a user, observe logs Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da
-
Tom Cherry authored
First pass at adding vendor_init.te Bug: 62875318 Test: boot sailfish with vendor_init Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
-
Tom Cherry authored
-
- Oct 24, 2017
-
-
Paul Crowley authored
-
Tom Cherry authored
Test: boot sailfish with no audit when writing to page-cluster Change-Id: I2bfebdf9342594d66d95daaec92d71195c93ffc8
-
Tri Vo authored
-
Paul Crowley authored
10-23 16:40:43.763 7991 7991 I auditd : type=1400 audit(0.0:79): avc: denied { open } for comm="vold_prepare_su" path="/dev/pts/1" dev="devpts" ino=4 scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
Bug: 67901036
Test: Boot device, create user, create files, remove user, observe logs
Change-Id: I8d33dfd2a0b24611773001f20101db40aeb13632
-
Bill Yi authored
-
Treehugger Robot authored
-
Tri Vo authored
New types:
1. proc_random
2. sysfs_dt_firmware_android
Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab, vbmeta} as sysfs_dt_firmware_android.
Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine, update_engine_common, postinstall_dexopt.
Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
-
- Oct 23, 2017
-
-
Max Bires authored
Instead of removing the denial generating code, a dontaudit and a service label will be provided so that the team working on this new feature doesn't have to get slowed up with local revision patches. The dontaudit should be removed upon resolution of the linked bug. Bug: 67468181 Test: statscompanion denials aren't audited Change-Id: Ib4554a7b6c714e7409ea504f5d0b82d5e1283cf7
-
Jeffrey Vander Stoep authored
am: 1b223839 Change-Id: I5502508d7548a2772dd56155c9c8e08814fce5ef
-
Jeffrey Vander Stoep authored
-
Nick Kralevich authored
am: 1ff4148c Change-Id: I6dc8530628027cdafd7929cd9ed30bb6c2e5a1bc
-
Treehugger Robot authored
-
Tri Vo authored
-
Nick Kralevich authored
The following error is occurring on master:
10-23 16:24:24.785 shell 4884 4884 E SELinux : seapp_context_lookup: No match for app with uid 2000, seinfo platform, name com.google.android.traceur
10-23 16:24:24.785 shell 4884 4884 E SELinux : selinux_android_setcontext: Error setting context for app with uid 2000, seinfo platform:targetSdkVersion=23:complete: Success
10-23 16:24:24.785 shell 4884 4884 E Zygote : selinux_android_setcontext(2000, 0, "platform:targetSdkVersion=23:complete", "com.google.android.traceur") failed
10-23 16:24:24.785 shell 4884 4884 F zygote64: jni_internal.cc:593] JNI FatalError called: frameworks/base/core/jni/com_android_internal_os_Zygote.cpp:648: selinux_android_setcontext failed
10-23 16:24:24.818 shell 4884 4884 F zygote64: runtime.cc:535] Runtime aborting...
Bug: 68126425
Bug: 68032516
This reverts commit 714ee5f2.
Change-Id: I7356c4e4facb1e532bfdeb575acf2d83761a0852
-
Jin Qian authored
Test: Boot device, observe logs Bug: 63740245 Change-Id: I1068304b12ea90736b7927b7368ba1a213d2fbae
-
Tri Vo authored
Addresses this denial during CtsBionicTestCases:
avc: denied { getattr } for path="/proc/version" dev="proc" ino=4026532359 scontext=u:r:shell:s0 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0
Bug: 68067856
Test: cts-tradefed run commandAndExit cts -m CtsBionicTestCases --skip-all-system-status-check --primary-abi-only --skip-preconditions
No more denials to /proc/version
Change-Id: I7e927fbaf1a8ce3637e09452cbd50f475176838e
-
Paul Crowley authored
am: 89b41f32 Change-Id: I4544a3f5add13c144b633561624fa1bebfeac29c
-
Paul Crowley authored
-
- Oct 21, 2017
-
-
Jeff Vander Stoep authored
This is no longer used and violates Treble data separation. Bug: 68057930 Test: verify on Sailfish that /data/misc/audiohal doesn't exist This dir appears to be Qualcomm specific and should not have been defined in core policy. Change-Id: I55fba7564203a7f8a1d8612abd36ec1f89dc869d
-
- Oct 20, 2017
-
-
Jeff Vander Stoep authored
am: d1467ad8 Change-Id: I40639979883bf2e7b1d57d6c23abfa5da704eb6f
-
Treehugger Robot authored
-
Nick Kralevich authored
am: 917cf072 Change-Id: Ifa8e92e90810eaae408254c949aa86411730e8d2
-
Treehugger Robot authored
-
Jeff Vander Stoep authored
am: 4bd0c6fc Change-Id: Iacb037f79b4af9c2024fbb54484205b0bc2753c9
-
Paul Crowley authored
Bug: 25861755 Test: Boot device, create user, create files, remove user, observe logs Change-Id: I195514eb45a99c1093998786ab385338463269c0 Merged-In: I195514eb45a99c1093998786ab385338463269c0 (cherry picked from commit eb7340d9)
-
Tri Vo authored
Remove netd access to sysfs_type attribute.
These were moved from vendor to fwk policy:
1. sysfs_net type declaration
2. labeling of /sys/devices/virtual/net with sysfs_net
3. netd access to sysfs_net
Bug: 65643247
Test: can browse internet without netd denials
Test: netd_unit_test, netd_integration_test without netd denials
Merged-In: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
Change-Id: Ic1b95a098f438c4c6bc969bee801bf7dd1a13f6e
(cherry picked from commit e62a56b7)
-
Treehugger Robot authored
* changes:
  Shell: grant permission to run lsmod
  Dumpstate: cleanup denial logspam
-
Max Bires authored
-
Jeff Vander Stoep authored
No sign of these denials getting cleaned up, so suppress them in core policy. Test: build Change-Id: I0320425cb72cbd15cef0762090899491338d4f7c
-
Nick Kralevich authored
am: 714ee5f2 Change-Id: I3580b3e1ed28e31c41e221bc8697a90bdc70eca8
-