Add sepolicy for update_verifier

Grant update_verifier the permissions to read /data/ota_package/
and the blocks on system partition.

The denial messages:
update_verifier: type=1400 audit(0.0:29): avc: denied { read } for name="care_map.txt" dev="sda35"
ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1

update_verifier: type=1400 audit(0.0:30): avc: denied { open } for path="/data/ota_package/care_map.txt" dev="sda35"
ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1

update_verifier: type=1400 audit(0.0:31): avc: denied { read } for name="sda33" dev="tmpfs" ino=5613
scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1

update_verifier: type=1400 audit(0.0:32): avc: denied { open } for path="/dev/block/sda33" dev="tmpfs" ino=5613
scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1

Test: On sailfish, update_verifier reads the blocks successfully during boot time.
Bug: 30020920

Change-Id: I10777c1e6ba649b82c4a73171124742edeb05997

update_verifier.te

@@ -8,4 +8,10 @@ init_daemon_domain(update_verifier)
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
 
-# TODO: Add rules to allow update_verifier to read system_block_device.
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read all blocks in system partition.
+allow update_verifier system_block_device:blk_file r_file_perms;
+