atv: Label and allow mediashell_app what it needs

* ATV GMS does this, so we're gonna have to as well.

Change-Id: I0d4fecfad032b0a14a215fa4ddf2e994a9df0c70

atv/private/certs/mediashell/mediashell-release.x509.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIJAOkFRFkrhFCCMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
+aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDETMBEG
+A1UEAwwKbWVkaWFzaGVsbDAeFw0xNDA1MjcwNDM0MDBaFw00MTEwMTIwNDM0MDBa
+MHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1N
+b3VudGFpbiBWaWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5k
+cm9pZDETMBEGA1UEAwwKbWVkaWFzaGVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANB1m2sXKkhJKtXukj5yfutgIqzYCLtXDEWXQ9qbQ8Rh5ediHJ0F
+Cl3nopi9DwwCYP+Ok+Jygl3YSEiBJBoG7pJmrCv94Z/eDYoJRZ1Xy8cibmWNlL8p
+HQ/lLajRUpJnkzfsag4uN/mzztOc09nlsAmqWYjbIVbIyiN1tBxm9jkKLQ4OmEnB
+eHQJn8DZJV+YmMvFWRIbhk+V8p6L4i2x4nQaAJjaSVn0YZdurQ4SbZOXwEtl8Jjv
+D7xCetSdMs9P7006ZGDKxJX3cljqLei9ikC/B/M/YF19V2a+eiHynkonLKpYpTlc
+zf8mfQvU8n5Efy3JvMRKFGRXp4o6Sr0hX3cCAwEAAaNQME4wHQYDVR0OBBYEFLPM
+RCrb6DZ48IJbNHE0rGMeYCCTMB8GA1UdIwQYMBaAFLPMRCrb6DZ48IJbNHE0rGMe
+YCCTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJaHK/mYG3Hp6O4C
+W1XpPOKoUhcloaoZEELvrTa4KaDJGycf4/tpmUQzE2f6piaBpJLiKB3spd/M3QPG
+Qqrxe3Tcfyb8hV5QvU9M4uKLG2v77Osb3ZiYcOX/yFv+f7JBGUQnM/TQ2k1jPF6+
+5YWDCh+GFD9Fo8/OQK7QYX/VKwe5Yrxm0ZhfPtT51sZIshE4yp6B+pn+kXb03Lvl
+IqJsLtUIprcJ4Vd/KlCvU9EGgToXMb0XhoZpW0fZh6E0IWeBLgxwHMrOthZnNS5J
+YcEM10pENnkrkjZONbMQoF8rFLJoc2JLN+hpOhy07TNvVuHYIHrpArM+OQ5RspfK
+NEAinIU=
+-----END CERTIFICATE-----

atv/private/keys.conf

@@ -0,0 +1,2 @@
+[@MEDIASHELL]
+ALL : device/lineage/sepolicy/atv/private/certs/mediashell/mediashell-release.x509.pem

atv/private/mac_permissions.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+    <signer signature="@MEDIASHELL" >
+      <seinfo value="mediashell" />
+    </signer>
+</policy>
+

atv/private/mediashell_app.te

@@ -0,0 +1,28 @@
+type mediashell_app, domain, coredomain;
+
+app_domain(mediashell_app);
+bluetooth_domain(mediashell_app);
+net_domain(mediashell_app);
+
+userdebug_or_eng(`
+   allow mediashell_app shell_data_file:file r_file_perms;
+   allow mediashell_app shell_data_file:dir r_dir_perms;
+')
+
+allow mediashell_app audioserver:fifo_file { write };
+
+allow mediashell_app app_api_service:service_manager find;
+allow mediashell_app audioserver_service:service_manager find;
+allow mediashell_app cameraserver_service:service_manager find;
+allow mediashell_app drmserver_service:service_manager find;
+allow mediashell_app mediadrmserver_service:service_manager find;
+allow mediashell_app mediaextractor_service:service_manager find;
+allow mediashell_app mediametrics_service:service_manager find;
+allow mediashell_app mediaserver_service:service_manager find;
+allow mediashell_app network_watchlist_service:service_manager find;
+allow mediashell_app nfc_service:service_manager find;
+allow mediashell_app radio_service:service_manager find;
+allow mediashell_app system_api_service:service_manager find;
+
+allow mediashell_app self:process ptrace;
+allow mediashell_app self:process ptrace;

atv/private/seapp_contexts

@@ -0,0 +1 @@
+user=_app isPrivApp=true seinfo=mediashell domain=mediashell_app name=com.google.android.apps.mediashell type=app_data_file levelFrom=all

atv/sepolicy.mk

@@ -7,3 +7,6 @@ ifneq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
 BOARD_SEPOLICY_DIRS += \
     device/lineage/sepolicy/atv/vendor
 endif
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += \
+   device/lineage/sepolicy/atv/private