Add NTFS support in sepolicy.

This CR, when paired with a functional NTFS implementation and the
corresponding vold updates, will allow NTFS USB drives to be mounted
on Android.

Bug: 254407246

Test: Extensive testing with NTFS USB drives.
Change-Id: I259882854ac40783f6d1cf511e8313b1d5a04eef
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index a5d5f98..a58129e 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -22,6 +22,7 @@
     hal_wifi_service
     healthconnect_service
     keystore_config_prop
+    ntfs
     permissive_mte_prop
     prng_seeder
     servicemanager_prop
diff --git a/private/file_contexts b/private/file_contexts
index 4deecf7..72fae62 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -230,6 +230,7 @@
 /system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/ntfsfix	--	u:object_r:fsck_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl	--	u:object_r:toolbox_exec:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6578470..29d8561 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -385,6 +385,7 @@
 genfscon vfat / u:object_r:vfat:s0
 genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
diff --git a/public/file.te b/public/file.te
index eb55210..8d33a9d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -157,6 +157,7 @@
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 886286e..7d4d150 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,11 +49,11 @@
 # Should never need sdcard access
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
 }:dir ~getattr;
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
 }:file *;
 
 # Do not permit access to service_manager and vndservice_manager