Introduce system_file_type

system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

public/attributes

@@ -33,6 +33,10 @@ expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
 expandattribute core_data_file_type false;
+
+# All types in /system
+attribute system_file_type;
+
 # All types in /vendor
 attribute vendor_file_type;
 

public/bootanim.te

 # bootanimation oneshot service
 type bootanim, domain;
-type bootanim_exec, exec_type, file_type;
+type bootanim_exec, system_file_type, exec_type, file_type;
 
 hal_client_domain(bootanim, hal_configstore)
 hal_client_domain(bootanim, hal_graphics_allocator)

public/bootstat.te

 # bootstat command
 type bootstat, domain;
-type bootstat_exec, exec_type, file_type;
+type bootstat_exec, system_file_type, exec_type, file_type;
 
 read_runtime_log_tags(bootstat)
 

public/bufferhubd.te

 # bufferhubd
 type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, exec_type, file_type;
+type bufferhubd_exec, system_file_type, exec_type, file_type;
 
 hal_client_domain(bufferhubd, hal_graphics_allocator)
 

public/cameraserver.te

 # cameraserver - camera daemon
 type cameraserver, domain;
-type cameraserver_exec, exec_type, file_type;
+type cameraserver_exec, system_file_type, exec_type, file_type;
 
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)

public/clatd.te

 # 464xlat daemon
 type clatd, domain;
-type clatd_exec, exec_type, file_type;
+type clatd_exec, system_file_type, exec_type, file_type;
 
 net_domain(clatd)
 

public/cppreopts.te

@@ -5,7 +5,7 @@
 # directories.
 
 type cppreopts, domain, mlstrustedsubject;
-type cppreopts_exec, exec_type, file_type;
+type cppreopts_exec, system_file_type, exec_type, file_type;
 
 # Allow cppreopts copy files into the dalvik-cache
 allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };

public/crash_dump.te

 type crash_dump, domain;
-type crash_dump_exec, exec_type, file_type;
+type crash_dump_exec, system_file_type, exec_type, file_type;
 
 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.

public/dex2oat.te

 # dex2oat
 type dex2oat, domain;
-type dex2oat_exec, exec_type, file_type;
+type dex2oat_exec, system_file_type, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
 # Access to /vendor/app

public/dhcp.te

 type dhcp, domain;
-type dhcp_exec, exec_type, file_type;
+type dhcp_exec, system_file_type, exec_type, file_type;
 
 net_domain(dhcp)
 

public/dnsmasq.te

 # DNS, DHCP services
 type dnsmasq, domain;
-type dnsmasq_exec, exec_type, file_type;
+type dnsmasq_exec, system_file_type, exec_type, file_type;
 
 net_domain(dnsmasq)
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;

public/domain.te

@@ -454,7 +454,7 @@ neverallow {
     userdebug_or_eng(`-mediaextractor')
 } {
     file_type
-    -system_file
+    -system_file_type
     -system_lib_file
     -system_linker_exec
     -vendor_file_type
@@ -503,16 +503,16 @@ neverallow {
     domain
     with_asan(`-asan_extract')
 } {
-    system_file
+    system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
+neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -1109,7 +1109,7 @@ full_treble_only(`
 #    -appdomain
 #    -coredomain
 #    -vendor_executes_system_violators
-#  } system_file:file *;
+#  } system_file_type:file *;
 #')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache

public/drmserver.te

 # drmserver - DRM service
 type drmserver, domain;
-type drmserver_exec, exec_type, file_type;
+type drmserver_exec, system_file_type, exec_type, file_type;
 
 typeattribute drmserver mlstrustedsubject;
 

public/dumpstate.te

 # dumpstate
 type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, exec_type, file_type;
+type dumpstate_exec, system_file_type, exec_type, file_type;
 
 net_domain(dumpstate)
 binder_use(dumpstate)

public/e2fs.te

 type e2fs, domain, coredomain;
-type e2fs_exec, exec_type, file_type;
+type e2fs_exec, system_file_type, exec_type, file_type;
 
 allow e2fs devpts:chr_file { read write getattr ioctl };
 

public/file.te

@@ -131,19 +131,19 @@ type app_fusefs, fs_type, contextmount_type;
 type unlabeled, file_type;
 
 # Default type for anything under /system.
-type system_file, file_type;
+type system_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
-type system_lib_file, file_type;
+type system_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
-type system_linker_exec, file_type;
+type system_linker_exec, system_file_type, file_type;
 # Default type for linker config /system/etc/ld.config.*.
-type system_linker_config_file, file_type;
+type system_linker_config_file, system_file_type, file_type;
 # Default type for linker config /system/etc/seccomp_policy/*.
-type system_seccomp_policy_file, file_type;
+type system_seccomp_policy_file, system_file_type, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.
-type system_security_cacerts_file, file_type;
+type system_security_cacerts_file, system_file_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
-type system_zoneinfo_file, file_type;
+type system_zoneinfo_file, system_file_type, file_type;
 
 # Default type for directories search for
 # HAL implementations
@@ -175,7 +175,7 @@ type vold_metadata_file, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
-type logcat_exec, exec_type, file_type;
+type logcat_exec, system_file_type, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
@@ -385,28 +385,28 @@ pdx_service_socket_types(performance_client, pdx_performance_dir)
 pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
 
 # file_contexts files
-type file_contexts_file, file_type;
+type file_contexts_file, system_file_type, file_type;
 
 # mac_permissions file
-type mac_perms_file, file_type;
+type mac_perms_file, system_file_type, file_type;
 
 # property_contexts file
-type property_contexts_file, file_type;
+type property_contexts_file, system_file_type, file_type;
 
 # seapp_contexts file
-type seapp_contexts_file, file_type;
+type seapp_contexts_file, system_file_type, file_type;
 
 # sepolicy files binary and others
-type sepolicy_file, file_type;
+type sepolicy_file, system_file_type, file_type;
 
 # service_contexts file
-type service_contexts_file, file_type;
+type service_contexts_file, system_file_type, file_type;
 
 # nonplat service_contexts file (only accessible on non full-treble devices)
 type nonplat_service_contexts_file, file_type;
 
 # hwservice_contexts file
-type hwservice_contexts_file, file_type;
+type hwservice_contexts_file, system_file_type, file_type;
 
 # vndservice_contexts file
 type vndservice_contexts_file, file_type;

public/fingerprintd.te

 type fingerprintd, domain;
-type fingerprintd_exec, exec_type, file_type;
+type fingerprintd_exec, system_file_type, exec_type, file_type;
 
 binder_use(fingerprintd)
 

public/fsck.te

 # Any fsck program run by init
 type fsck, domain;
-type fsck_exec, exec_type, file_type;
+type fsck_exec, system_file_type, exec_type, file_type;
 
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.

public/gatekeeperd.te

 type gatekeeperd, domain;
-type gatekeeperd_exec, exec_type, file_type;
+type gatekeeperd_exec, system_file_type, exec_type, file_type;
 
 # gatekeeperd
 binder_service(gatekeeperd)

public/healthd.te

 # healthd - battery/charger monitoring service daemon
 type healthd, domain;
-type healthd_exec, exec_type, file_type;
+type healthd_exec, system_file_type, exec_type, file_type;
 
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;