Introduce system_file_type

system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

public/update_verifier.te

 # update_verifier
 type update_verifier, domain;
-type update_verifier_exec, exec_type, file_type;
+type update_verifier_exec, system_file_type, exec_type, file_type;
 
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;

public/usbd.te

 type usbd, domain;
-type usbd_exec, exec_type, file_type;
+type usbd_exec, system_file_type, exec_type, file_type;
 
 # Start/stop adbd via ctl.start adbd
 set_prop(usbd, ctl_adbd_prop)

public/vdc.te

@@ -6,7 +6,7 @@
 # collecting bug reports.
 
 type vdc, domain;
-type vdc_exec, exec_type, file_type;
+type vdc_exec, system_file_type, exec_type, file_type;
 
 # vdc can be invoked with logwrapper, so let it write to pty
 allow vdc devpts:chr_file rw_file_perms;

public/vendor_init.te

@@ -41,7 +41,7 @@ allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
-  -system_file
+  -system_file_type
   -mnt_product_file
   -unlabeled
   -vendor_file_type
@@ -53,7 +53,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -runtime_event_log_tags_file
-  -system_file
+  -system_file_type
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -63,7 +63,7 @@ allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
-  -system_file
+  -system_file_type
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -73,7 +73,7 @@ allow vendor_init {
   file_type
   -core_data_file_type
   -exec_type
-  -system_file
+  -system_file_type
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
@@ -84,7 +84,7 @@ allow vendor_init {
   -core_data_file_type
   -exec_type
   -mnt_product_file
-  -system_file
+  -system_file_type
   -vendor_file_type
   -vold_metadata_file
 }:dir_file_class_set relabelto;
@@ -175,6 +175,9 @@ not_compatible_property(`
     })
 ')
 
+# Get file context
+allow vendor_init file_contexts_file:file r_file_perms;
+
 set_prop(vendor_init, bluetooth_a2dp_offload_prop)
 set_prop(vendor_init, debug_prop)
 set_prop(vendor_init, exported_audio_prop)

public/virtual_touchpad.te

 type virtual_touchpad, domain;
-type virtual_touchpad_exec, exec_type, file_type;
+type virtual_touchpad_exec, system_file_type, exec_type, file_type;
 
 binder_use(virtual_touchpad)
 binder_service(virtual_touchpad)

public/vold.te

 # volume manager
 type vold, domain;
-type vold_exec, exec_type, file_type;
+type vold_exec, exec_type, file_type, system_file_type;
 
 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;

public/vold_prepare_subdirs.te

 # SELinux directory creation and labelling for vold-managed directories
 
 type vold_prepare_subdirs, domain;
-type vold_prepare_subdirs_exec, exec_type, file_type;
+type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
 
 typeattribute vold_prepare_subdirs coredomain;

public/vr_hwc.te

 type vr_hwc, domain;
-type vr_hwc_exec, exec_type, file_type;
+type vr_hwc_exec, system_file_type, exec_type, file_type;
 
 # Get buffer metadata.
 hal_client_domain(vr_hwc, hal_graphics_allocator)

public/watchdogd.te

 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-type watchdogd_exec, exec_type, file_type;
+type watchdogd_exec, system_file_type, exec_type, file_type;
 
 allow watchdogd watchdog_device:chr_file rw_file_perms;
 allow watchdogd kmsg_device:chr_file rw_file_perms;

public/wificond.te

 # wificond
 type wificond, domain;
-type wificond_exec, exec_type, file_type;
+type wificond_exec, system_file_type, exec_type, file_type;
 
 binder_use(wificond)
 binder_call(wificond, system_server)

public/wpantund.te

 type wpantund, domain;
-type wpantund_exec, exec_type, file_type;
+type wpantund_exec, system_file_type, exec_type, file_type;
 
 hal_client_domain(wpantund, hal_lowpan)
 net_domain(wpantund)

public/zygote.te

 # zygote
 type zygote, domain;
-type zygote_exec, exec_type, file_type;
+type zygote_exec, system_file_type, exec_type, file_type;

tests/sepolicy_tests.py

@@ -11,6 +11,9 @@ import sys
 def TestDataTypeViolations(pol):
     return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
 
+# def TestSystemTypeViolations(pol):
+#     return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
+
 def TestProcTypeViolations(pol):
     return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
 
@@ -55,6 +58,7 @@ Tests = [
     "TestDataTypeViolators",
     "TestProcTypeViolations",
     "TestSysfsTypeViolations",
+    # "TestSystemTypeViolators",
     "TestDebugfsTypeViolations",
     "TestVendorTypeViolations",
     "TestCoreDataTypeViolations",
@@ -103,6 +107,8 @@ if __name__ == '__main__':
         results += TestProcTypeViolations(pol)
     if options.test is None or "TestSysfsTypeViolations" in options.test:
         results += TestSysfsTypeViolations(pol)
+    # if options.test is None or "TestSystemTypeViolations" in options.test:
+    #     results += TestSystemTypeViolations(pol)
     if options.test is None or "TestDebugfsTypeViolations" in options.test:
         results += TestDebugfsTypeViolations(pol)
     if options.test is None or "TestVendorTypeViolations" in options.test: