Add charger_vendor type

This is the context when health HAL runs in offline
charging mode.

This has the same permissions as the health HAL, but
is also able to do charger specific things.

Also restrict neverallow rules in charger_type.

Test: manual in offline charging mode
Bug: 203246116
Change-Id: I6034853c113dff95b26461153501ad0528d10279

private/charger_type.te

@@ -15,18 +15,18 @@ neverallow {
     -vendor_init
 } charger_config_prop:property_service set;
 
-# charger_status_prop: Only init, vendor_init, charger, and hal_health_server
+# charger_status_prop: Only init, vendor_init, charger, and charger_vendor
 # are allowed to set it
 neverallow {
     domain
     -init
     -vendor_init
     -charger
-    -hal_health_server
+    -charger_vendor
 } charger_status_prop:property_service set;
 
 # Both charger_config_prop and charger_status_prop:
-# Only init, vendor_init, dumpstate, charger, and hal_health_server
+# Only init, vendor_init, dumpstate, charger, and charger_vendor
 # are allowed to read it
 neverallow {
     domain
@@ -34,5 +34,5 @@ neverallow {
     -dumpstate
     -vendor_init
     -charger
-    -hal_health_server
+    -charger_vendor
 } { charger_config_prop charger_status_prop }:file no_rw_file_perms;

private/compat/32.0/32.0.ignore.cil

@@ -8,6 +8,7 @@
     apexd_select_prop
     artd_service
     attestation_verification_service
+    charger_vendor
     device_config_nnapi_native_prop
     dice_maintenance_service
     dice_node_service

public/charger_vendor.te

@@ -0,0 +1,4 @@
+# Context when health HAL runs charger mode
+
+type charger_vendor, charger_type, domain;
+hal_server_domain(charger_vendor, hal_health)

vendor/hal_health_default.te

@@ -4,3 +4,7 @@ hal_server_domain(hal_health_default, hal_health)
 
 type hal_health_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_health_default)
+
+# When executing the service in offline-charging mode,
+# allow to transition to charger_vendor domain.
+domain_trans(init, hal_health_default_exec, charger_vendor)