fix mediaserver selinux denials.

mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[   22.812859] type=1400 audit(1389041093.955:17): avc:  denied  { read } for  pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.813103] type=1400 audit(1389041093.955:18): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.832041] type=1400 audit(1389041093.975:19): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357470] type=1400 audit(1389041123.494:29): avc:  denied  { read } for  pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357717] type=1400 audit(1389041123.494:30): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.382276] type=1400 audit(1389041123.524:31): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
chracter devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074

drmserver.te

@@ -34,3 +34,6 @@ allow drmserver apk_data_file:dir rw_dir_perms;
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
 allow drmserver drmserver_socket:sock_file create_file_perms;
 allow drmserver tee:unix_stream_socket connectto;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)

mediaserver.te

@@ -25,6 +25,7 @@ allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
 allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
 allow mediaserver qemu_device:chr_file rw_file_perms;
@@ -48,8 +49,8 @@ allow mediaserver rpmsg_device:chr_file rw_file_perms;
 allow mediaserver system_server:fifo_file r_file_perms;
 
 # Camera data
-allow mediaserver camera_data_file:dir r_dir_perms;
-allow mediaserver camera_data_file:file r_file_perms;
+r_dir_file(mediaserver, camera_data_file)
+r_dir_file(mediaserver, media_rw_data_file)
 
 # Grant access to audio files to mediaserver
 allow mediaserver audio_data_file:dir ra_dir_perms;

surfaceflinger.te

@@ -21,6 +21,7 @@ allow surfaceflinger graphics_device:dir search;
 allow surfaceflinger graphics_device:chr_file rw_file_perms;
 
 # Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
 # Create and use netlink kobject uevent sockets.

system_server.te

@@ -132,6 +132,7 @@ allow system_server input_device:chr_file rw_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
 allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server qemu_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;