More granular vendor access to /system files.
This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*
Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4f3546b..c9f09b9 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -652,7 +652,13 @@
( system_data_file
dropbox_data_file
vendor_data_file))
-(typeattributeset system_file_26_0 (system_file))
+(typeattributeset system_file_26_0
+ ( system_file
+ system_lib_file
+ system_linker_config_file
+ system_linker_exec
+ system_seccomp_policy_file
+ system_security_cacerts_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
(typeattributeset system_prop_26_0 (system_prop))
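Review bot: The expanded `system_file_26_0` set does not include the type now assigned to `/system/usr/share/zoneinfo`. The `file_contexts` part of this commit relabels that directory from `system_file` to `zoneinfo_data_file`, so vendor policy built against 26.0 that read tzdata through `system_file_26_0` would lose that access unless it is granted by a rule not visible here. Adding `zoneinfo_data_file` to this set would also expose `/data/misc/zoneinfo` to those domains, so a dedicated system-side zoneinfo type listed here is probably the narrower fix. If the omission is intentional, say so in a comment above the set, for example `; zoneinfo intentionally not mapped: vendor reads tzdata via zoneinfo_data_file rules`. The same applies to the `system_file_27_0` and `system_file_28_0` hunks.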
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index d99b499..c596d3f 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1369,7 +1369,13 @@
( system_data_file
dropbox_data_file
vendor_data_file))
-(typeattributeset system_file_27_0 (system_file))
+(typeattributeset system_file_27_0
+ ( system_file
+ system_lib_file
+ system_linker_config_file
+ system_linker_exec
+ system_seccomp_policy_file
+ system_security_cacerts_file))
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index c69a111..2348b19 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1567,7 +1567,13 @@
(typeattributeset system_data_file_28_0
( dropbox_data_file
system_data_file))
-(typeattributeset system_file_28_0 (system_file))
+(typeattributeset system_file_28_0
+ ( system_file
+ system_lib_file
+ system_linker_config_file
+ system_linker_exec
+ system_seccomp_policy_file
+ system_security_cacerts_file))
(typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
(typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))
diff --git a/private/file_contexts b/private/file_contexts
index 61eab1d..d26f17a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -186,6 +186,7 @@
# System files
#
/system(/.*)? u:object_r:system_file:s0
+/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
@@ -249,6 +250,7 @@
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
+/system/bin/linker(_asan)?(64)? u:object_r:system_linker_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
@@ -281,6 +283,9 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
+/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
+/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
@@ -439,6 +444,7 @@
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+/system/usr/share/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
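Review bot: The added `/system/usr/share/zoneinfo(/.*)?` entry sits among the `/data/misc` entries and reuses `zoneinfo_data_file`, the type that labels the updatable copy under `/data/misc/zoneinfo`. Any domain allowed to write or unlink `zoneinfo_data_file` would get the same policy-level permissions on the /system copy, presumably leaving only the read-only mount to stop it, and rules keyed on data-file attributes would then match a /system path. Consider moving the line to the `# System files` section with its own read-only type under a name such as `system_zoneinfo_file`, i.e. `/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0`. If the shared label is kept, add a comment next to the entry such as `# tzdata shipped on /system; deliberately shares the label of /data/misc/zoneinfo`.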