Compatibility for vendor_hidraw_device

Older vendor policy may apply the label vendor_hidraw_device to the
HID device.

From 202404 we use the new label hidraw_device for this.

Fix the compatibility rules to allow new system policy to work with
older vendor policy by adding specific compat logic.

Note that the original 34.0 system policy didn't mention hidraw_device
at all, so the more normal compatibility mechanisms don't really work.

Bug: 340923653
Test: Builds, boots, no new denials
Change-Id: I358118b217c82b5f8111f3e05d35aa16c464b941
Alan Stokes 2024-06-05 13:40:37 +01:00
parent 104099ef21
commit 8a6bb3ef84

@ -1,3 +1,17 @@
;; complement CIL file for compatibility between ToT policy and 34.0 vendors.
;; will be compiled along with other normal policy files, on 34.0 vendors.
;;
;; This type may or may not already exist in vendor policy. The 202404 sepolicy
;; (well, the 24Q1 release) added hidraw_device, but existing vendor policy
;; may still label the relevant devices with the old label.
;;
;; Re-define it here (duplicate definitions in CIL will be ignored) - so we can
;; duplicate the new policy for the old label to keep things working.
;; (Doing this in 34.0.cil ended up being too messy.)
;; See b/340923653.
(type vendor_hidraw_device)
(typeattributeset dev_type (vendor_hidraw_device))
(allow system_server vendor_hidraw_device (dir (open getattr read search ioctl lock watch watch_reads)))
(allow system_server vendor_hidraw_device (chr_file (getattr open read ioctl lock map watch watch_reads append write)))
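Review bot: the two allow rules grant system_server unrestricted ioctl on vendor_hidraw_device (both the dir and chr_file rules include ioctl, and no allowxperm follows), so if the ToT hidraw_device rules this file is meant to mirror carry an allowxperm ioctl allowlist, the compat copy is broader than the type it shadows; please mirror any such allowxperm here, or state in the header comment that the ToT rules have none. Relatedly, the header says these lines "duplicate the new policy for the old label" but does not say which file the source rules live in, so a later change to the hidraw_device rules has nothing pointing it at this copy; a one-line comment naming the ToT rules being mirrored (and that only system_server is covered) would keep the two in sync.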