Allow init to execute /sbin/slideshow

Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).

Needed by changes from
  I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d

Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0

domain.te

@@ -180,7 +180,7 @@ neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 
 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
 
 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;

init.te

@@ -140,6 +140,7 @@ allow init sysfs_type:file w_file_perms;
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
 domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
 recovery_only(`
   domain_trans(init, rootfs, recovery)
 ')

slideshow.te

@@ -0,0 +1,13 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+write_klog(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+