Fix pid_max denials from dumpstate, incidentd

The dumpstate and incidentd contexts may call on to toybox tools like
"ps" and "top" which are now reading /proc/sys/kernel/pid_max.

Fixes denials like:

avc: denied { read } for comm="top" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

avc: denied { read } for comm="ps" name="pid_max" dev="proc" ino=125433
scontext=u:r:incidentd:s0 tcontext=u:object_r:proc_pid_max:s0
tclass=file permissive=0

Bug: 171070708
Bug: 172703374
Bug: 174618269
Change-Id: Ief5662c6d484e966bd1ba7134eddfabb3f7ad0e4
Alistair Delva 2020-12-02 16:04:12 -08:00
parent b18b39486f
commit 2bbf1cea1e
2 changed files with 7 additions and 1 deletions

@ -51,7 +51,12 @@ allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
dontaudit dumpstate update_engine:binder call;
allow dumpstate proc_net_tcp_udp:file r_file_perms;
# Read files in /proc
allow dumpstate {
proc_net_tcp_udp
proc_pid_max
}:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
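Review bot: the comment "# Read files in /proc" above the allow dumpstate { ... } block does not say why proc_pid_max is in the list; the reason (toybox "ps" and "top" reading /proc/sys/kernel/pid_max) is recorded only in the commit message. A short comment beside proc_pid_max would let a later least-privilege audit of this domain justify the entry without digging through history. The logged denials show only { read } while the rule grants r_file_perms; that matches the existing proc_net_tcp_udp rule, so it is consistent, but it is worth confirming that the wider macro is intended for a type that covers a single sysctl file. Nit: "comminucating" in the comment just below the block is misspelled and could be corrected while the neighbouring lines are being edited.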

@ -67,6 +67,7 @@ allow incidentd hidl_manager_hwservice:hwservice_manager { find };
# Read files in /proc
allow incidentd {
proc_cmdline
proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;
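Review bot: the proc_pid_max entry in the allow incidentd { ... } list fixes this domain only, but the commit message attributes the reads to toybox "ps" and "top" themselves, so any other domain that runs those tools in its own context would log the same avc denial. Before merging, check which other domains execute them without a transition and either cover them here or note in the commit message that only dumpstate and incidentd were observed. The entry is placed in alphabetical order with the rest of the list, which keeps the block easy to audit.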