Merge changes from topic "diced"

* changes:
  Allow microdroid_manager to talk to diced
  Make servicemanager and diced bootstrap processes

microdroid/system/private/diced.te

@@ -15,3 +15,7 @@ add_service(diced, dice_maintenance_service)
 
 # diced can check SELinux permissions.
 selinux_check_access(diced)
+
+# diced is using bootstrap bionic
+allow diced system_bootstrap_lib_file:dir r_dir_perms;
+allow diced system_bootstrap_lib_file:file { execute read open getattr map };

microdroid/system/private/file_contexts

@@ -106,8 +106,8 @@
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced		u:object_r:diced_exec:s0
-/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
+/system/bin/diced.microdroid		u:object_r:diced_exec:s0
+/system/bin/servicemanager.microdroid	u:object_r:servicemanager_exec:s0
 /system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 /system/bin/keystore2	u:object_r:keystore_exec:s0

microdroid/system/private/microdroid_manager.te

@@ -41,6 +41,12 @@ allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
 allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
 
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
+
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;

microdroid/system/private/servicemanager.te

@@ -25,3 +25,7 @@ allow servicemanager vendor_service_contexts_file:file r_file_perms;
 add_service(servicemanager, service_manager_service)
 
 set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+allow servicemanager system_bootstrap_lib_file:dir r_dir_perms;
+allow servicemanager system_bootstrap_lib_file:file { execute read open getattr map };