Add CAP_IPC_LOCK and pinner to system_server

Add pinner service to system_service services.
Add CAP_IPC_LOCK permissions to system_server in order to allow
system_server to pin more memory than the lockedmem ulimit.

bug 28251566

Change-Id: I990c73d25fce4f2cc9a2db0015aa238fa7b0e984

service.te

@@ -83,6 +83,7 @@ type otadexopt_service, system_server_service, service_manager_type;
 type package_service, app_api_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
 type power_service, app_api_service, system_server_service, service_manager_type;
 type print_service, app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;

service_contexts

@@ -99,6 +99,7 @@ phone_msim                                u:object_r:radio_service:s0
 phone1                                    u:object_r:radio_service:s0
 phone2                                    u:object_r:radio_service:s0
 phone                                     u:object_r:radio_service:s0
+pinner                                    u:object_r:pinner_service:s0
 power                                     u:object_r:power_service:s0
 print                                     u:object_r:print_service:s0
 processinfo                               u:object_r:processinfo_service:s0

system_server.te

@@ -46,6 +46,7 @@ bluetooth_domain(system_server)
 # These are the capabilities assigned by the zygote to the
 # system server.
 allow system_server self:capability {
+    ipc_lock
     kill
     net_admin
     net_bind_service