Add policy for command line tool to control MTE boot state.

Bug: 206895651

(cherry picked from commit 23173455ab)
(we need this cherry picked on android12-tests-dev to allow OEMs to
backport the associated feature without violating the neverallow
CTS)

Merged-In: I2e84193668dcdf24bde1c7e12b3cfd8a03954a16
Change-Id: I2e84193668dcdf24bde1c7e12b3cfd8a03954a16

private/compat/30.0/30.0.ignore.cil

@@ -86,6 +86,7 @@
     memtrackproxy_service
     mm_events_config_prop
     music_recognition_service
+    mtectrl
     nfc_logs_data_file
     odrefresh
     odrefresh_exec

private/file_contexts

@@ -304,6 +304,7 @@
 /system/bin/lpdumpd        u:object_r:lpdumpd_exec:s0
 /system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
+/system/bin/mtectrl         u:object_r:mtectrl_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0

private/mtectrl.te

@@ -0,0 +1,9 @@
+# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtectrl)
+
+# mtectrl communicates the request to the bootloader via the misc partition.
+allow mtectrl misc_block_device:blk_file w_file_perms;
+allow mtectrl block_device:dir r_dir_perms;
+read_fstab(mtectrl)

public/domain.te

@@ -627,6 +627,7 @@ neverallow {
   -vold
   -recovery
   -ueventd
+  -mtectrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager

public/mtectrl.te

@@ -0,0 +1 @@
+type mtectrl, domain, coredomain;