system_server: assert app data files never opened directly

Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.

This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700

Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d

system_server.te

@@ -405,3 +405,10 @@ allow system_server oemfs:dir search;
 # Do not allow accessing SDcard files as unsafe ejection could
 # cause the kernel to kill the system_server.
 neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be opening zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;