Add appcompat override files and contexts to SELinux

This also allows the zygote to bind mount the system properties

Bug: 291814949
Test: manual
Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434

contexts/plat_file_contexts_test

@@ -280,6 +280,8 @@
 /dev/zero                                                         zero_device
 /dev/__properties__                                               properties_device
 /dev/__properties__/property_info                                 property_info
+/dev/__properties__/appcompat_override                            properties_device
+/dev/__properties__/appcompat_override/property_info              property_info
 
 /linkerconfig                                                     linkerconfig_file
 /linkerconfig/test                                                linkerconfig_file

microdroid/system/private/file_contexts

@@ -72,7 +72,9 @@
 /dev/vsock		u:object_r:vsock_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
 /dev/__properties__/property_info   u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info   u:object_r:property_info:s0
 #############################
 # Linker configuration
 #

microdroid/system/private/init.te

@@ -32,11 +32,11 @@ allow init {
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
 
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
 # /dev/socket

private/app_zygote.te

@@ -34,6 +34,8 @@ allow app_zygote system_server:process getpgid;
 # Interaction between the app_zygote and its children.
 allow app_zygote isolated_app:process setpgid;
 
+allow app_zygote properties_device:dir mounton;
+
 # TODO (b/63631799) fix this access
 dontaudit app_zygote mnt_expand_file:dir getattr;
 

private/file_contexts

@@ -200,7 +200,9 @@
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
 /dev/__properties__/property_info   u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info   u:object_r:property_info:s0
 #############################
 # Linker configuration
 #

private/webview_zygote.te

@@ -83,6 +83,8 @@ allow webview_zygote same_process_hal_file:file { execute read open getattr map
 
 allow webview_zygote system_data_file:lnk_file r_file_perms;
 
+allow webview_zygote properties_device:dir mounton;
+
 # Send unsolicited message to system_server
 unix_socket_send(webview_zygote, system_unsolzygote, system_server)
 

private/zygote.te

@@ -76,6 +76,8 @@ allow zygote {
     user_profile_data_file
     # /storage/emulated/$userId/Android/{data,obb}
     media_rw_data_file
+    # /dev/__properties__
+    properties_device
 }:dir { mounton search };
 
 # Traverse /data_mirror to get to the above directories while their normal paths

public/init.te

@@ -26,7 +26,7 @@ userdebug_or_eng(`
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties/appcompat_override/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
 # /dev/event-log-tags