sepolicy: Allow mount cgroupv2 and bpf fs

Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.

Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0

private/compat/26.0/26.0.ignore.cil

@@ -6,9 +6,11 @@
   ( adbd_exec
     bootloader_boot_reason_prop
     broadcastradio_service
+    cgroup_bpf
     crossprofileapps_service
     e2fs
     e2fs_exec
+    fs_bpf
     hal_broadcastradio_hwservice
     hal_cas_hwservice
     hal_lowpan_hwservice

private/genfs_contexts

@@ -84,6 +84,7 @@ genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
@@ -173,3 +174,4 @@ genfscon pstore / u:object_r:pstorefs:s0
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0

public/file.te

@@ -60,6 +60,7 @@ type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -81,6 +82,7 @@ type sysfs_switch, fs_type, sysfs_type;
 type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type, sysfs_type;
 type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
@@ -364,6 +366,7 @@ type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
 allow file_type labeledfs:filesystem associate;

public/init.te

@@ -69,6 +69,10 @@ allow init self:global_capability_class_set sys_admin;
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;

public/netd.te

@@ -7,6 +7,7 @@ net_domain(netd)
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(netd, cgroup)
+r_dir_file(netd, cgroup_bpf)
 allow netd system_server:fd use;
 
 allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -57,6 +58,9 @@ allow netd sysfs_net:file w_file_perms;
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
 
+allow netd fs_bpf:dir  create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?