Block SDK 28 app from using proc/net/xt_qtaguid

The file under /proc/net/xt_qtaguid is going away in future release.
Apps should use the provided public api instead of directly reading the
proc file. This change will block apps that based on SDK 28 or above to
directly read that file and we will delete that file after apps move
away from it.

Test: Flashed with master branch on marlin, verified phone boot, can
      browse web, watch youtube video, make phone call and use google
      map for navigation with wifi on and off.
      run cts -m CtsNetTestCases -t android.net.cts.TrafficStatsTest
      run cts -m CtsAppSecurityHostTestCases -t \
      		android.appsecurity.cts.AppSecurityTests

Change-Id: I4c4d6c9ab28b426acef23db53f171de8f20be1dc
(cherry picked from commit 5ec8f843)

public/app.te

@@ -170,14 +170,38 @@ userdebug_or_eng(`
 ')
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
+allow {
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+} qtaguid_proc:file rw_file_perms;
 r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
+r_dir_file({
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+}, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
+allow {
+    untrusted_app_25
+    untrusted_app_27
+    ephemeral_app
+    priv_app
+    system_app
+    platform_app
+    shell
+} qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.