sepolicy: Allow mount cgroupv2 and bpf fs

Some necessary sepolicy rule changes for init process to create directory,
mount cgroupv2 module and mount bpf filesystem. Also allow netd to create
and pin bpf object as files and read it back from file under the
directory where bpf filesystem is mounted.

Test: bpf maps show up under /sys/fs/bpf/
Change-Id: I579d04f60d7e20bd800d970cd28cd39fda9d20a0
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 50d4ee7..ab4a49a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,9 +6,11 @@
   ( adbd_exec
     bootloader_boot_reason_prop
     broadcastradio_service
+    cgroup_bpf
     crossprofileapps_service
     e2fs
     e2fs_exec
+    fs_bpf
     hal_broadcastradio_hwservice
     hal_cas_hwservice
     hal_lowpan_hwservice
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e0cafa4..c07cd4c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -84,6 +84,7 @@
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
@@ -173,3 +174,4 @@
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0