label boot animations on oem with bootanim_oem_file

Bootanimation only access boot animation files on oem. Label
these files with bootanim_oem_file and remove oemfs file allow rule.

Also allow mediaserver and app to read this new label as they can access
/oem/media folder.

Bug: 324437684
Test: Confirm that boot animation on oem is shown without violations
Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb

contexts/plat_file_contexts_test

@@ -653,6 +653,9 @@
 
 /oem                                                              oemfs
 /oem/does_not_exist                                               oemfs
+/oem/media/bootanimation.zip                                      bootanim_oem_file
+/oem/media/shutdownanimation.zip                                  bootanim_oem_file
+/oem/media/userspace-reboot.zip                                   bootanim_oem_file
 /oem/overlay                                                      vendor_overlay_file
 /oem/overlay/does_not_exist                                       vendor_overlay_file
 

private/compat/34.0/34.0.cil

@@ -2099,7 +2099,7 @@
 (typeattributeset null_device_34_0 (null_device))
 (typeattributeset oem_lock_service_34_0 (oem_lock_service))
 (typeattributeset oem_unlock_prop_34_0 (oem_unlock_prop))
-(typeattributeset oemfs_34_0 (oemfs))
+(typeattributeset oemfs_34_0 (oemfs bootanim_oem_file))
 (typeattributeset ondevicepersonalization_system_service_34_0 (ondevicepersonalization_system_service))
 (typeattributeset ota_data_file_34_0 (ota_data_file))
 (typeattributeset ota_metadata_file_34_0 (ota_metadata_file))

private/file_contexts

@@ -457,6 +457,9 @@
 
 /oem(/.*)?              u:object_r:oemfs:s0
 /oem/overlay(/.*)?      u:object_r:vendor_overlay_file:s0
+/oem/media/bootanimation.zip            u:object_r:bootanim_oem_file:s0
+/oem/media/shutdownanimation.zip        u:object_r:bootanim_oem_file:s0
+/oem/media/userspace-reboot.zip         u:object_r:bootanim_oem_file:s0
 
 # The precompiled monolithic sepolicy will be under /odm only when
 # BOARD_USES_ODMIMAGE is true: a separate odm.img is built.

private/mediaprovider_app.te

@@ -73,3 +73,6 @@ dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
 # bpfprog access for FUSE BPF
 allow mediaprovider_app fs_bpf:file read;
 allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
+
+# boot animations on oem are stored with specific label
+allow mediaprovider_app bootanim_oem_file:file r_file_perms;

public/bootanim.te

@@ -17,7 +17,9 @@ allow bootanim gpu_device:dir r_dir_perms;
 allow bootanim sysfs_gpu:file r_file_perms;
 
 # /oem access
-r_dir_file(bootanim, oemfs);
+allow bootanim oemfs:dir r_dir_perms;
+# boot animations on oem are stored with specific label
+allow bootanim bootanim_oem_file:file r_file_perms;
 
 allow bootanim audio_device:dir r_dir_perms;
 allow bootanim audio_device:chr_file rw_file_perms;

public/file.te

@@ -229,6 +229,8 @@ type art_apex_dir, system_file_type, file_type;
 type linkerconfig_file, file_type;
 # Control files under /data/incremental
 type incremental_control_file, file_type, data_file_type, core_data_file_type;
+# /oem/media/bootanimation.zip|shutdownanimation.zip|userspace-reboot.zip
+type bootanim_oem_file, file_type, system_file_type;
 
 # Default type for directories search for
 # HAL implementations

public/mediaserver.te

@@ -98,6 +98,9 @@ allow mediaserver hidl_token_hwservice:hwservice_manager find;
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /oem boot animation file
+allow mediaserver bootanim_oem_file:file r_file_perms;
+
 # /vendor apk access
 allow mediaserver vendor_app_file:file { read map getattr };