Allow lpdumpd to read Virtual A/B diagnostics.

Give lpdump read (but not write) access to /metadata/ota so it can call
SnapshotManager::Dump for diagnostics.

Bug: 291083311
Test: lpdump
Change-Id: I732bcebcd809449c86254ea23785dc2c692bedd5

private/lpdumpd.te

@@ -18,6 +18,16 @@ allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
 allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
 read_fstab(lpdumpd)
 
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(lpdumpd, sysfs_dt_firmware_android);
+allow lpdumpd proc_cmdline:file r_file_perms;
+
+# Allow reading Virtual A/B status information.
+get_prop(lpdumpd, virtual_ab_prop)
+allow lpdumpd metadata_file:dir search;
+allow lpdumpd ota_metadata_file:dir { r_dir_perms lock };
+allow lpdumpd ota_metadata_file:file r_file_perms;
+
 ### Neverallow rules
 
 # Disallow other domains to get lpdump_service and call lpdumpd.