Add policy for command line tool to control MTE boot state. am: 949e1d0a76

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1956657

Change-Id: Ifcbb6e9278bb357e2b691f60dfc4ce97f0f82220
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

private/compat/30.0/30.0.ignore.cil

@@ -87,6 +87,7 @@
     memtrackproxy_service
     mm_events_config_prop
     music_recognition_service
+    mtectrl
     nfc_logs_data_file
     odrefresh
     odrefresh_exec

private/file_contexts

@@ -304,6 +304,7 @@
 /system/bin/lpdumpd        u:object_r:lpdumpd_exec:s0
 /system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
+/system/bin/mtectrl         u:object_r:mtectrl_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0

private/mtectrl.te

@@ -0,0 +1,9 @@
+# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtectrl)
+
+# mtectrl communicates the request to the bootloader via the misc partition.
+allow mtectrl misc_block_device:blk_file w_file_perms;
+allow mtectrl block_device:dir r_dir_perms;
+read_fstab(mtectrl)

public/domain.te

@@ -627,6 +627,7 @@ neverallow {
   -vold
   -recovery
   -ueventd
+  -mtectrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager

public/mtectrl.te

@@ -0,0 +1 @@
+type mtectrl, domain, coredomain;