Allow applications to use NN API HAL services

The NeuralNetworks runtime is a library that communicates with
NeuralNetworks HIDL services and is linked by applications. To enable
the NN runtime to use these services, applications must have explicit
sepolicy permissions to find the NN services and communicate across
binder.

This CL relaxes neverallow rules for hal_neuralnetworks_*.

Because it is affecting pre-existing neverallow rules, this CL requires
a CTS rebuild.

Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)
(cherry picked from commit ea331aa7)

private/app_neverallows.te

@@ -158,6 +158,7 @@ neverallow all_untrusted_apps {
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice
   -hal_cas_hwservice
+  -hal_neuralnetworks_hwservice
   -untrusted_app_visible_hwservice
 }:hwservice_manager find;
 
@@ -180,7 +181,6 @@ neverallow all_untrusted_apps {
   hal_keymaster_hwservice
   hal_light_hwservice
   hal_memtrack_hwservice
-  hal_neuralnetworks_hwservice
   hal_nfc_hwservice
   hal_oemlock_hwservice
   hal_power_hwservice
@@ -224,6 +224,7 @@ full_treble_only(`
     -hal_configstore_server
     -hal_graphics_allocator_server
     -hal_cas_server
+    -hal_neuralnetworks_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
     -untrusted_app_visible_halserver
   }:binder { call transfer };

private/technical_debt.cil

@@ -31,3 +31,8 @@
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute hal_camera hal_allocator_client;
 (typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))