Label /system/usr/share/zoneinfo differently

/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.

Create a separate label for /system/usr/share/zoneinfo.

Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879

private/compat/26.0/26.0.cil

@@ -658,7 +658,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
 (typeattributeset system_prop_26_0 (system_prop))

private/compat/27.0/27.0.cil

@@ -1375,7 +1375,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))

private/compat/28.0/28.0.cil

@@ -1573,7 +1573,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))

private/file_contexts

@@ -296,6 +296,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
@@ -445,7 +446,6 @@
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
-/system/usr/share/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0

public/domain.te

@@ -221,8 +221,8 @@ allow domain sysfs:lnk_file { getattr read };
 # libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
 # timezone related information.
 # This directory is considered to be a VNDK-stable
-allow domain zoneinfo_data_file:file r_file_perms;
-allow domain zoneinfo_data_file:dir r_dir_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)

public/file.te

@@ -142,6 +142,8 @@ type system_linker_config_file, file_type;
 type system_seccomp_policy_file, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.
 type system_security_cacerts_file, file_type;
+# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
+type system_zoneinfo_file, file_type;
 
 # Default type for directories search for
 # HAL implementations