Set up access control rule for aocxd

avc:
12-25 14:34:43.292  root  7005  7005 W binder:7005_1: type=1400 audit(0.0:23): avc:  denied  { call } for  scontext=u:r:aocxd:s0 tcontext=u:r:aocxdallowdomain:s0:c512,c768 tclass=binder permissive=0
11-27 14:56:33.645  1000   422   422 E SELinux : avc:  denied  { find } for pid=7360 uid=10267 name=aocx.IAocx/default scontext=u:r:aocxdallowdomain:s0:c512,c768 tcontext=u:object_r:aocx:s0 tclass=service_manager permissive=0

Test: make -j64
Bug: 385663354
Flag: EXEMPT bugfix
Change-Id: I7888e89710cfb671fb26180f8b2bc3152e1ced89

aoc/aoc.mk

@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    device/google/gs-common/aoc/sepolicy \
+    device/google/gs-common/aoc/sepolicy/allowlist
 
 PRODUCT_PACKAGES += dump_aoc \
 		    aocd \

aoc/sepolicy/allowlist/aocxd_neverallow.te

@@ -0,0 +1,11 @@
+# set up rule to control the access to aocxd
+neverallow {
+  domain
+  -hwservicemanager
+  -servicemanager
+  -vndservicemanager
+  -system_suspend_server
+  -dumpstate
+  -hal_audio_default
+  -aocxdallowdomain
+} aocxd:binder { call transfer };

aoc/sepolicy/allowlist/aocxdallowdomain.te

@@ -0,0 +1,6 @@
+# Aocx AIDL service
+allow aocxdallowdomain aocx:service_manager find;
+
+binder_call(aocxdallowdomain, aocxd)
+# Allow aocxd asynchronous callback to aocxdallowdomain
+binder_call(aocxd, aocxdallowdomain)

aoc/sepolicy/allowlist/attributes

@@ -0,0 +1,2 @@
+# Allow domain to access aocx HAL API
+attribute aocxdallowdomain;