Add chre policy

Bug: 260522435
Bug: 261105224
Test: boot-to-home
Change-Id: Icd8f1ad497357bbbcb9e34509c736f3976ff0ac7

tracking_denials/chre.te

@@ -1,17 +1,6 @@
-# b/260522435
-dontaudit chre aoc_device:chr_file { getattr };
-dontaudit chre aoc_device:chr_file { open };
-dontaudit chre aoc_device:chr_file { read write };
-dontaudit chre chre:capability2 { block_suspend };
-dontaudit chre device:dir { read };
-dontaudit chre device:dir { watch };
 # b/261105224
 dontaudit chre hal_system_suspend_service:service_manager { find };
 dontaudit chre servicemanager:binder { call };
-dontaudit chre sysfs_aoc:dir { search };
-dontaudit chre sysfs_aoc_boottime:file { getattr };
-dontaudit chre sysfs_aoc_boottime:file { open };
-dontaudit chre sysfs_aoc_boottime:file { read };
 dontaudit chre system_suspend_server:binder { call };
 # b/264489633
 userdebug_or_eng(`

vendor/chre.te

@@ -2,3 +2,15 @@ type chre, domain;
 type chre_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(chre)
 
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use WakeLock
+wakelock_use(chre)