Introduce system_file_type

system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

public/hwservicemanager.te

 # hwservicemanager - the Binder context manager for HAL services
 type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, exec_type, file_type;
+type hwservicemanager_exec, system_file_type, exec_type, file_type;
 
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)

public/idmap.te

 # idmap, when executed by installd
 type idmap, domain;
-type idmap_exec, exec_type, file_type;
+type idmap_exec, system_file_type, exec_type, file_type;
 
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;

public/init.te

@@ -2,7 +2,7 @@
 type init, domain, mlstrustedsubject;
 
 # The init domain is entered by execing init.
-type init_exec, exec_type, file_type;
+type init_exec, system_file_type, exec_type, file_type;
 
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
@@ -147,7 +147,7 @@ allow init {
   -nativetest_data_file
   -privapp_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
 
@@ -161,7 +161,7 @@ allow init {
   -privapp_data_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
@@ -177,7 +177,7 @@ allow init {
   -runtime_event_log_tags_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
@@ -192,7 +192,7 @@ allow init {
   -privapp_data_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -207,14 +207,14 @@ allow init {
   -privapp_data_file
   -shell_data_file
   -system_app_data_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 # does init really need to relabel app data?
 userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };

public/inputflinger.te

 # inputflinger
 type inputflinger, domain;
-type inputflinger_exec, exec_type, file_type;
+type inputflinger_exec, system_file_type, exec_type, file_type;
 
 binder_use(inputflinger)
 binder_service(inputflinger)

public/install_recovery.te

 # service flash_recovery in init.rc
 type install_recovery, domain;
-type install_recovery_exec, exec_type, file_type;
+type install_recovery_exec, system_file_type, exec_type, file_type;
 
 allow install_recovery self:global_capability_class_set { dac_override dac_read_search };
 

public/installd.te

 # installer daemon
 type installd, domain;
-type installd_exec, exec_type, file_type;
+type installd_exec, system_file_type, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
 allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
 

public/keystore.te

 type keystore, domain;
-type keystore_exec, exec_type, file_type;
+type keystore_exec, system_file_type, exec_type, file_type;
 
 # keystore daemon
 typeattribute keystore mlstrustedsubject;

public/llkd.te

 # llkd Live LocK Daemon
 type llkd, domain, mlstrustedsubject;
-type llkd_exec, exec_type, file_type;
+type llkd_exec, system_file_type, exec_type, file_type;

public/lmkd.te

 # lmkd low memory killer daemon
 type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, exec_type, file_type;
+type lmkd_exec, system_file_type, exec_type, file_type;
 
 allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
 

public/logd.te

 # android user-space log manager
 type logd, domain, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
+type logd_exec, system_file_type, exec_type, file_type;
 
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)

public/mediadrmserver.te

 # mediadrmserver - mediadrm daemon
 type mediadrmserver, domain;
-type mediadrmserver_exec, exec_type, file_type;
+type mediadrmserver_exec, system_file_type, exec_type, file_type;
 
 typeattribute mediadrmserver mlstrustedsubject;
 

public/mediaextractor.te

 # mediaextractor - multimedia daemon
 type mediaextractor, domain;
-type mediaextractor_exec, exec_type, file_type;
+type mediaextractor_exec, system_file_type, exec_type, file_type;
 
 typeattribute mediaextractor mlstrustedsubject;
 

public/mediametrics.te

 # mediametrics - daemon for collecting media.metrics data
 type mediametrics, domain;
-type mediametrics_exec, exec_type, file_type;
+type mediametrics_exec, system_file_type, exec_type, file_type;
 
 
 binder_use(mediametrics)

public/mediaserver.te

 # mediaserver - multimedia daemon
 type mediaserver, domain;
-type mediaserver_exec, exec_type, file_type;
+type mediaserver_exec, system_file_type, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
 

public/mtp.te

 # vpn tunneling protocol manager
 type mtp, domain;
-type mtp_exec, exec_type, file_type;
+type mtp_exec, system_file_type, exec_type, file_type;
 
 net_domain(mtp)
 

public/netd.te

 # network manager
 type netd, domain, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
+type netd_exec, system_file_type, exec_type, file_type;
 
 net_domain(netd)
 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.

public/netutils_wrapper.te

 type netutils_wrapper, domain;
-type netutils_wrapper_exec, exec_type, file_type;
+type netutils_wrapper_exec, system_file_type, exec_type, file_type;
 
 neverallow domain netutils_wrapper_exec:file execute_no_trans;

public/otapreopt_chroot.te

 # otapreopt_chroot executable
 type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, exec_type, file_type;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
 
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.

public/otapreopt_slot.te

@@ -4,7 +4,7 @@
 # from /data/ota to /data/dalvik-cache.
 
 type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, exec_type, file_type;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
 
 
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up

public/performanced.te

 # performanced
 type performanced, domain, mlstrustedsubject;
-type performanced_exec, exec_type, file_type;
+type performanced_exec, system_file_type, exec_type, file_type;
 
 # Needed to check for app permissions.
 binder_use(performanced)