Label /dev/usb-ffs/adb functionfs

Newer adbd versions use functionfs instead of a custom adb usb gadget.
Make sure the functionfs filesystem is properly labeled, and that adbd
has access to the functionfs files.

Once labeled, this addresses the following denials:

<12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[   16.127406] type=1400 audit(949060866.189:5): avc:  denied  { open } for  pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[  377.366011] type=1400 audit(949061227.419:16): avc:  denied  { ioctl } for  pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file

Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2

adbd.te

@@ -22,8 +22,10 @@ allow adbd self:capability setpcap;
 # Create and use network sockets.
 net_domain(adbd)
 
-# Access /dev/android_adb.
+# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
 allow adbd adb_device:chr_file rw_file_perms;
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
 
 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;

file.te

@@ -32,6 +32,7 @@ type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
 type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, mlstrustedobject;
 type pstorefs, fs_type;
+type functionfs, fs_type;
 
 # File types
 type unlabeled, file_type;

genfs_contexts

@@ -29,3 +29,4 @@ genfscon vfat / u:object_r:sdcard_external:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:sdcard_internal:s0
 genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0