system_server: access to /proc/sys/fs/pipe-max-size

Label /proc/sys/fs/pipe-max-size with new type proc_pipe_conf and give
system_server access to it.

Addresses this denial:
avc: denied { read } for name="pipe-max-size" dev="proc" ino=93817
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

Bug: 69175449
Bug: 69324398
Test: sailfish boots
Test: adb bugreport
Test: craft an unresponsive app, trigger ANR, make sure traces are dumped
into /data/anr
Above denial from system_server not observed, no denials to proc_pipe_conf
observed.
Change-Id: I7c71f05820a4945ba982e29f76e9d9f4458b2b59

private/compat/26.0/26.0.cil

@@ -467,6 +467,7 @@
     proc_page_cluster
     proc_pagetypeinfo
     proc_panic
+    proc_pipe_conf
     proc_random
     proc_sched
     proc_swaps

private/genfs_contexts

@@ -24,6 +24,7 @@ genfscon proc /stat u:object_r:proc_stat:s0
 genfscon proc /swaps u:object_r:proc_swaps:s0
 genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0

private/system_server.te

@@ -124,24 +124,15 @@ r_dir_file(system_server, domain)
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
 # Write /proc/uid_procstat/set.
 allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
 
-# Read /proc/uid_time_in_state.
-allow system_server proc_uid_time_in_state:file r_file_perms;
-
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
 
@@ -690,12 +681,19 @@ r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
 
 r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_loadavg)
-r_dir_file(system_server, proc_meminfo)
 r_dir_file(system_server, proc_net)
-r_dir_file(system_server, proc_pagetypeinfo)
-r_dir_file(system_server, proc_version)
-r_dir_file(system_server, proc_vmallocinfo)
+allow system_server {
+  proc_loadavg
+  proc_meminfo
+  proc_pagetypeinfo
+  proc_pipe_conf
+  proc_stat
+  proc_uid_cputime_showstat
+  proc_uid_time_in_state
+  proc_version
+  proc_vmallocinfo
+}:file r_file_perms;
+
 r_dir_file(system_server, rootfs)
 
 ### Rules needed when Light HAL runs inside system_server process.

public/dumpstate.te

@@ -151,12 +151,15 @@ control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
 # Read files in /proc
-allow dumpstate proc_cmdline:file r_file_perms;
-allow dumpstate proc_meminfo:file r_file_perms;
-allow dumpstate proc_net:file r_file_perms;
-allow dumpstate proc_pagetypeinfo:file r_file_perms;
-allow dumpstate proc_version:file r_file_perms;
-allow dumpstate proc_vmallocinfo:file r_file_perms;
+allow dumpstate {
+  proc_cmdline
+  proc_meminfo
+  proc_net
+  proc_pipe_conf
+  proc_pagetypeinfo
+  proc_version
+  proc_vmallocinfo
+}:file r_file_perms;
 r_dir_file(dumpstate, proc)
 
 # Read network state info files.

public/file.te

@@ -38,6 +38,7 @@ type proc_page_cluster, fs_type;
 type proc_pagetypeinfo, fs_type;
 type proc_panic, fs_type;
 type proc_perf, fs_type;
+type proc_pipe_conf, fs_type;
 type proc_random, fs_type;
 type proc_sched, fs_type;
 type proc_stat, fs_type;