DO NOT MERGE Move update_engine policy to AOSP.

The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.

Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the notallow for writing to partititions
labeled as system_block_device.

Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.

Bug: 23186405
Test: Manually tested with Brillo build.

Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
(cherry picked from commit a10f789d)

device.te

@@ -93,3 +93,6 @@ type swap_block_device, dev_type;
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+type misc_block_device, dev_type;

domain.te

@@ -341,8 +341,8 @@ neverallow { domain -init } default_prop:property_service set;
 
 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
 
-# No domain other than recovery can write to system.
-neverallow { domain -recovery } system_block_device:blk_file write;
+# No domain other than recovery and update_engine can write to system partition(s).
+neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
 
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;

file_contexts

@@ -196,6 +196,7 @@
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/update_engine        u:object_r:update_engine_exec:s0
 
 #############################
 # Vendor files
@@ -269,6 +270,7 @@
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
 # Fingerprint data

uncrypt.te

@@ -27,6 +27,8 @@ set_prop(uncrypt, powerctl_prop)
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
 allow uncrypt block_device:blk_file w_file_perms;
+auditallow uncrypt block_device:blk_file w_file_perms;
+allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
 
 # Access userdata block device.

update_engine.te

+# Domain for update_engine daemon.
+type update_engine, domain;
+type update_engine_exec, exec_type, file_type;
+type update_engine_data_file, file_type, data_file_type;
+
+init_daemon_domain(update_engine);
+net_domain(update_engine);
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:capability { fowner sys_admin };
+allow update_engine kmsg_device:chr_file w_file_perms;
+wakelock_use(update_engine);
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir { create_dir_perms };
+allow update_engine update_engine_data_file:file { create_file_perms };
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine boot_block_device:blk_file rw_file_perms;
+allow update_engine system_block_device:blk_file rw_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;