Add widevine SELinux permissions

15992 15992 I exoplayer2.demo: type=1400 audit(0.0:1934): avc:  denied  { call } for  scontext=u:r:untrusted_app_29:s0:c36,c257,c512,c768 tcontext=u:r:hal_drm_clearkey:s0 tclass=binder permissive=1 app=com.google.android.exoplayer2.demo

15992 15992 I exoplayer2.demo: type=1400 audit(0.0:1935): avc:  denied  { call } for  scontext=u:r:untrusted_app_29:s0:c36,c257,c512,c768 tcontext=u:r:hal_drm_widevine:s0 tclass=binder permissive=1 app=com.google.android.exoplayer2.demo

860   860 I android.hardwar: type=1400 audit(0.0:4302): avc:  denied  { write } for  name="mediadrm" dev="dm-57" ino=2565 scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:mediadrm_vendor_data_file:s0 tclass=dir permissive=1

860   860 I android.hardwar: type=1400 audit(0.0:4304): avc:  denied  { create } for  name="IDM1013" scontext=u:r:hal_drm_widevine:s0 tcontext=u:object_r:mediadrm_vendor_data_file:s0 tclass=dir permissive=1

Bug: 363182767
Bug: 363181505

Flag: EXEMPT bugfix

Change-Id: Ia8c3ba3d7fe9f09ceb40fd2b6ae88bbbcf5ac6f6

widevine/sepolicy/hal_drm_clearkey.te

@@ -1,5 +1,6 @@
+# sepolicy for DRM clearkey
 type hal_drm_clearkey, domain;
 type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_drm_clearkey)
 
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_clearkey, hal_drm)

widevine/sepolicy/hal_drm_widevine.te

@@ -1,5 +1,13 @@
+# sepolicy for DRM widevine
 type hal_drm_widevine, domain;
 type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_drm_widevine)
 
-#TODO: snehalreddy@ add sepolicy
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+#L1
+#TODO(snehalreddy@) : Add L1 permissions