Allow codec2 to allocate from system-secure heap

Codec2 clients should have the permission to allocate from the
system-secure DMA-BUF heap for secure playback.

avc: denied { ioctl } for path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649
ioctlcmd=0x4800 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm=4E444B204D65646961436F6465635F
name="system-secure" dev="tmpfs" ino=649 scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
 avc: denied { open } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649
scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
 avc: denied { ioctl } for comm=4E444B204D65646961436F6465635F
path="/dev/dma_heap/system-secure" dev="tmpfs" ino=649 ioctlcmd=0x4800
scontext=u:r:system_server:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for name="system-secure" dev="tmpfs" ino=649
scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for
comm=4E444B204D65646961436F6465635F name="system-secure" dev="tmpfs" ino=649
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1 app=com.android.systemui 0:145):
 avc: denied { open } for
comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { ioctl } for
comm=4E444B204D65646961436F6465635F path="/dev/dma_heap/system-secure"
dev="tmpfs" ino=649 ioctlcmd=0x4800 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_system_secure_heap_device:s0 tclass=chr_file
permissive=1

Bug: 172527615
Test: manual
Change-Id: I465e5fcd660bb548e93d683e9d20cace7421ed2d

private/system_server.te

@@ -927,6 +927,8 @@ allow system_server cgroup_v2:file rw_file_perms;
 
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
+# Access to /dev/dma_heap/system-secure
+allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)

public/app.te

@@ -310,6 +310,7 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
 
 allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
 allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
 
 # Allow AAudio apps to use shared memory file descriptors from the HAL
 allow { appdomain -isolated_app } hal_audio:fd use;

public/mediaserver.te

@@ -120,6 +120,7 @@ allow mediaserver preloads_media_file:file { getattr read ioctl };
 
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
 allow mediaserver hal_graphics_composer:fd use;
 allow mediaserver hal_camera:fd use;

public/mediaswcodec.te

@@ -24,3 +24,4 @@ neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
 neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
 
 allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;