Add support for factory reset protection.

Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53

device.te

@@ -65,5 +65,5 @@ type rpmsg_device, dev_type;
 # Partition layout block device
 type root_block_device, dev_type;
 
-# Persistent data block device
-type persistent_data_block_device, dev_type;
+# factory reset protection block device
+type frp_block_device, dev_type;

domain.te

@@ -307,3 +307,5 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
 # New service_types are defined in service.te and new mappings
 # from service name to service_type are defined in service_contexts.
 neverallow domain default_android_service:service_manager add;
+
+neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;

system_server.te

@@ -382,10 +382,10 @@ allow system_server keystore:keystore_key {
 	password_uid
 };
 
-# Allow system server to search and write to the persistent data block device
-# This block device does not get wiped in a factory reset.
-allow system_server persistent_data_block_device:blk_file rw_file_perms;
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };