Statsd allow shell in selinux policy

CTS tests need to be able to call, from hostside:
adb shell cmd stats dump-report (and others)
On a user build, this will fail because of an selinux policy violation
from shell. This cl fixes this by granting shell permission.

Similarly, Settings needs to communicate with statsd, so
system_app-statsd binder calls are given permission.

Bug: 72961153
Bug: 73255014
Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests
Test: manual confirmation
Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02

private/shell.te

@@ -45,6 +45,9 @@ domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
 # when exec()-d by statsd.
 domain_auto_trans(shell, perfetto_exec, perfetto)
 
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
 # Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
 allow shell perfetto_traces_data_file:dir rw_dir_perms;
 allow shell perfetto_traces_data_file:file r_file_perms;

private/statsd.te

@@ -72,6 +72,11 @@ binder_call(statsd, stats)
 allow statsd proc_uid_cputime_showstat:file { getattr open read };
 hal_client_domain(statsd, hal_power)
 
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { read write };
+
+
 ###
 ### neverallow rules
 ###

private/system_app.te

@@ -58,6 +58,9 @@ allow system_app anr_data_file:file create_file_perms;
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)