Add policy for qxdmlogger.

qxdmlogger is a debug app running as platform app which scrapes info
from across the device and dumps it to diag_logs.  Enable this only on
non-user builds.

Address the following denials:
[  554.957885] type=1400 audit(2652806.799:128): avc: denied { write } for pid=5725 comm="roid.qxdmlogger" name="diag_logs" dev="dm-0" ino=1474561 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
[  141.358889] type=1400 audit(2653800.059:606): avc: denied { open } for pid=8370 comm="diag_mdlog" path="/dev/diag" dev="tmpfs" ino=11690 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1
[  141.379858] type=1400 audit(2653800.059:607): avc: denied { ioctl } for pid=8370 comm="diag_mdlog" path="/dev/diag" dev="tmpfs" ino=11690 ioctlcmd=20 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:diag_device:s0 tclass=chr_file permissive=1
[  121.841156] type=1400 audit(2653780.679:152): avc: denied { write } for pid=7666 comm="roid.qxdmlogger" name="diag_logs" dev="dm-0" ino=1474561 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
[  121.862172] type=1400 audit(2653780.679:153): avc: denied { add_name } for pid=7666 comm="roid.qxdmlogger" name="rundiag" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
[  121.882755] type=1400 audit(2653780.679:154): avc: denied { create } for pid=7666 comm="roid.qxdmlogger" name="rundiag" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=file permissive=1
[  121.902750] type=1400 audit(2653780.699:155): avc: denied { write } for pid=7666 comm="roid.qxdmlogger" path="/data/diag_logs/rundiag" dev="dm-0" ino=1474562 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0:c512,c768 tclass=file permissive=1

In addition, the following combination is logged once per domain (from `ps` walking /proc/<pid>, shown here for init):
[  121.964477] type=1400 audit(2653780.749:157): avc: denied { getattr } for pid=7687 comm="ps" path="/proc/1" dev="proc" ino=11422 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=dir permissive=1
[  121.982978] type=1400 audit(2653780.749:158): avc: denied { search } for pid=7687 comm="ps" name="1" dev="proc" ino=11422 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=dir permissive=1
[  122.001995] type=1400 audit(2653780.749:159): avc: denied { read } for pid=7687 comm="ps" name="cmdline" dev="proc" ino=16986 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=file permissive=1
[  122.020045] type=1400 audit(2653780.749:160): avc: denied { open } for pid=7687 comm="ps" path="/proc/1/cmdline" dev="proc" ino=16986 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=file permissive=1

Bug: 23114211
Change-Id: Ieb6a1547b7de91624d3a70149127419a7e927e04
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 640d3a0..15a3f2e 100755
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,4 +1,4 @@
-type diag_device, dev_type;
+type diag_device, dev_type, mlstrustedobject;
 type dpl_device, dev_type;
 type drm_block_device, dev_type;
 type media_device, dev_type;
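Review bot: The mlstrustedobject attribute on diag_device is added unconditionally, while the only allow rule that needs it is gated by userdebug_or_eng; on user builds this lifts the MLS category barrier on /dev/diag with no TE rule relying on it. It grants nothing by itself, but it widens what any existing or future categorized domain holding diag_device rules can reach. If the policy build accepts it, gate the attribute the same way, `userdebug_or_eng(`typeattribute diag_device mlstrustedobject;')`, or add a comment stating why it must apply to all builds.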
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 8a642d4..750890a 100755
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,5 @@
 type cnd_socket, file_type;
+type diag_logs, file_type, data_file_type, mlstrustedobject;
 
 # Default type for anything under /firmware
 type firmware_file, fs_type, contextmount_type;
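Review bot: diag_logs is declared with no comment on what lands under it, although the description says it holds information scraped from across the device by a debug app. A one-line comment beside the type, `# /data/diag_logs: device-wide debug dumps written by qxdmlogger (userdebug/eng only)`, would warn the next maintainer against widening access to it. Note the type and its mlstrustedobject attribute exist on user builds too; only the allow rules are gated, so nothing should be able to write it there.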
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 211324f..9f778c5 100755
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -122,6 +122,7 @@
 /vendor/bin/slim_daemon          u:object_r:location_exec:s0
 
 # Data files
+/data/diag_logs(/.*)?            u:object_r:diag_logs:s0
 /data/fpc(/.*)?                  u:object_r:fingerprintd_data_file:s0
 /data/misc/perfd(/.*)?           u:object_r:perfd_data_file:s0
 /data/misc/radio(/.*)?           u:object_r:radio_data_file:s0
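Review bot: The new /data/diag_logs label only takes effect if the directory is created by init (an init.rc mkdir applies file_contexts) or is relabeled by restorecon; the quoted denials show it already existing on device as system_data_file (ino=1474561), and this change does not show a mkdir or restorecon step. Without one the directory keeps its old label and the new allow rules on diag_logs never match, reproducing the first denial in the description. If an init.rc already creates it, saying so in the description would close the loop.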
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..867c632
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+   # qxdmlogger rundiag perms
+   allow platform_app diag_logs:dir rw_dir_perms;
+   allow platform_app diag_logs:file create_file_perms;
+   allow platform_app diag_device:chr_file rw_file_perms;
+')
\ No newline at end of file
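Review bot: The rules on lines 64-66 are keyed on the shared platform_app domain, so every platform-signed app on a userdebug/eng build, not only qxdmlogger, gains read/write and ioctl access to /dev/diag and to the scraped data under /data/diag_logs. Consider giving the logger its own domain through a package-name keyed seapp_contexts entry and attaching these rules there, keeping the modem diag interface out of reach of other platform apps. rw_file_perms on diag_device includes unrestricted ioctl (the denial shows ioctlcmd=20); if this policy version supports allowxperm, narrow it to the commands diag_mdlog needs. The /proc/<pid> denials from ps quoted in the description are not granted by this change, so the description should state whether that is intentional. The new file also lacks a trailing newline.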