Add a label for payload accessible devices

payload_accessible_device label can be used by microdroid vendor's
file_contexts to allow payloads to access their assigned devices.

Bug: 306313100
Test: put vendor_file_contexts, boot microdroid, see labels
Change-Id: I91aeb3169d14160a2d80587e3eb2e7fde240f804

microdroid/system/private/microdroid_payload.te

@@ -57,6 +57,9 @@ unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
 allow microdroid_payload encryptedstore_file:dir create_dir_perms;
 allow microdroid_payload encryptedstore_file:file create_file_perms;
 
+# Payload can access devices labeled as payload accessible.
+allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;
+
 # Never allow microdroid_payload to connect to vsock
 neverallow microdroid_payload self:vsock_socket connect;
 

microdroid/system/public/device.te

@@ -12,6 +12,7 @@ type loop_device, dev_type;
 type null_device, dev_type;
 type open_dice_device, dev_type;
 type owntty_device, dev_type;
+type payload_accessible_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;