sepolicy: ashmem entry point for libcutils

This duplicated ashmem device is intended to replace ashmemd.

Ashmem fd has a label of the domain that opens it. Now with ashmemd
removed, ashmem fds can have labels other than "ashmemd", e.g.
"system_server". We add missing permissions to make ashmem fds usable.

Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954

private/compat/29.0/29.0.ignore.cil

@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    ashmem_libcutils_device
     boringssl_self_test
     charger_prop
     cold_boot_done_prop

private/file_contexts

@@ -75,6 +75,7 @@
 /dev/adf-interface[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
 /dev/adf-overlay-engine[0-9]*\.[0-9]*	u:object_r:graphics_device:s0
 /dev/ashmem		u:object_r:ashmem_device:s0
+/dev/ashmem(.*)?	u:object_r:ashmem_libcutils_device:s0
 /dev/audio.*		u:object_r:audio_device:s0
 /dev/binder		u:object_r:binder_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0

public/device.te

@@ -1,6 +1,7 @@
 # Device types
 type device, dev_type, fs_type;
 type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;

public/domain.te

@@ -80,6 +80,9 @@ allow {
   -untrusted_app_all
 } ashmem_device:chr_file rw_file_perms;
 
+# This device is used by libcutils.
+allow domain ashmem_libcutils_device:chr_file rw_file_perms;
+
 # Allow using fds to /dev/ashmem.
 allow domain ashmem_server:fd use;
 

vendor/hal_sensors_default.te

@@ -17,3 +17,6 @@ allow hal_sensors_default ion_device:chr_file r_file_perms;
 # allow sensor hal to use lock for keeping system awake for wake up
 # events delivery.
 wakelock_use(hal_sensors_default);
+
+# allow sensor hal to use ashmem fd from system_server.
+allow hal_sensors_default system_server:fd use;