appdomain: neverallow direct input_device access

Applications should not access /dev/input/* for events, but
rather use events handled via the activity mechanism.

Change-Id: I0182b6be1b7c69d96e4366ba59f14cee67be4beb
Signed-off-by: William Roberts <william.c.roberts@intel.com>

app.te

@@ -405,3 +405,9 @@ neverallow appdomain {
   system_file
   tmpfs
 }:lnk_file no_w_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+  appdomain
+  -shell # bugreport
+} input_device:chr_file ~getattr;