fs_mgr: overlayfs support legacy devices (marlin) Part Deux

On legacy devices system_<other> partition is blocked from
becoming the backing store under certain circumstances.

Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 120448575
Bug: 123079041
Change-Id: I1803f072ca21bc116554eee1d01a1dbd2c9ed0c9

public/domain.te

@@ -608,6 +608,8 @@ neverallow {
 neverallow {
   domain
   -fastbootd
+  userdebug_or_eng(`-fsck')
+  userdebug_or_eng(`-init')
   -recovery
   -update_engine
 } system_block_device:blk_file { write append };

public/fsck.te

@@ -18,6 +18,9 @@ allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
 
 # For the block devices where we have ioctl access,
 # allow at a minimum the following common fsck ioctls.
@@ -55,6 +58,7 @@ neverallow fsck {
   root_block_device
   swap_block_device
   system_block_device
+  userdebug_or_eng(`-system_block_device')
   vold_device
 }:blk_file no_rw_file_perms;
 

public/init.te

@@ -317,6 +317,8 @@ allow init proc_filesystems:file r_file_perms;
 userdebug_or_eng(`
   # Overlayfs workdir write access check during mount to permit remount,rw
   allow init overlayfs_file:dir { relabelfrom mounton write };
+  allow init overlayfs_file:file { append };
+  allow init system_block_device:blk_file { write };
 ')
 
 allow init {