Address surfaceflinger denials.

Resolves denials such as:

avc:  denied  { call } for  pid=257 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:adbd:s0 tclass=binder

avc:  denied  { call } for  pid=1002 comm="Binder_4" scontext=u:r:surfaceflinger:s0 tcontext=u:r:platform_app:s0 tclass=binder

avc:  denied  { open } for  pid=1468 comm="Binder_1" name="cmdline" dev="proc" ino=10222 scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=file

avc:  denied  { open } for  pid=1275 comm="Binder_5" name="cmdline" dev="proc" ino=38036 scontext=u:r:surfaceflinger:s0 tcontext=u:r:system_app:s0 tclass=file

Change-Id: I92147a1636b44a851d0e0e059f70ec8267cecf08
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

surfaceflinger.te

@@ -11,11 +11,17 @@ unix_socket_connect(surfaceflinger, property, init)
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)
-binder_call(surfaceflinger, system_server)
-binder_call(surfaceflinger, nfc)
-binder_call(surfaceflinger, mediaserver)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
 binder_service(surfaceflinger)
 
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
 
@@ -50,3 +56,13 @@ binder_call(surfaceflinger, shell)
 # but seems expected and appropriate for all devices.
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+# TODO: Remove -unconfineddomain when we remove permissive_or_unconfined above.
+neverallow { surfaceflinger -unconfineddomain } sdcard_type:file rw_file_perms;