sepolicy: allow access to vndk-stable libs

Vndk-stable libs are system libs that are used by same process HALs.
Since same process HALs can be loaded to any process, so are vndk-stable
libs.

Bug: 37138502
Test: none, because the directory is currently empty and thus this is
no-op. sailfish builds and boots.

Change-Id: I67a2c8c2e4c3517aa30b4a97dc80dc2800e47b5a

private/file_contexts

@@ -266,6 +266,8 @@
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
 
+/(vendor|system/vendor)/lib(64)?/vndk-stable(/.*)? u:object_r:vndk_stable_file:s0
+
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0

public/domain.te

@@ -119,6 +119,11 @@ allow domain vendor_hal_file:dir r_dir_perms;
 allow domain same_process_hal_file:dir r_dir_perms;
 allow domain same_process_hal_file:file { execute read open getattr };
 
+# Any process can load vndk-stable libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_stable_file:dir r_dir_perms;
+allow domain vndk_stable_file:file { execute read open getattr };
+
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
 allow domain vendor_configs_file:file { read open getattr };

public/file.te

@@ -94,6 +94,8 @@ type vendor_configs_file, vendor_file_type, file_type;
 # Default type for all *same process* HALs.
 # e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
 type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-stable libs. /vendor/lib/vndk-stable
+type vndk_stable_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/framework
 type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay