Add SELinux policy for apps to use Tachyon lib

Bug: 339133130
Test: Verified apps can now open Tachyon client lib
Change-Id: I8ca9f08517ae8fc1deb5f97ce2823cd5eb5fafb6

edgetpu/sepolicy/file_contexts

@@ -17,6 +17,8 @@
 # EdgeTPU runtime libraries
 /vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so              u:object_r:same_process_hal_file:s0
 /vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so           u:object_r:same_process_hal_file:s0
+# EdgeTPU Tachyon libraries
+/vendor/lib64/libedgetpu_tachyon\.google\.so                               u:object_r:same_process_hal_file:s0
 
 # EdgeTPU data files
 /data/vendor/hal_neuralnetworks_darwinn(/.*)?                              u:object_r:hal_neuralnetworks_darwinn_data_file:s0
@@ -27,3 +29,6 @@
 
 # Tachyon service
 /vendor/bin/hw/com\.google\.edgetpu.tachyon-service                        u:object_r:edgetpu_tachyon_server_exec:s0
+
+# libfmq.so is dynamically loaded by the Tachyon client-side library libedgetpu_tachyon.google.so
+/vendor/lib64/libfmq\.so                                                   u:object_r:same_process_hal_file:s0

edgetpu/sepolicy/priv_app.te

@@ -7,3 +7,6 @@ allow priv_app edgetpu_nnapi_service:service_manager find;
 # Allows privileged applications to access the EdgeTPU device, except open,
 # which is guarded by the EdgeTPU service.
 allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, priv_app);

edgetpu/sepolicy/untrusted_app_all.te

@@ -5,3 +5,5 @@ allow untrusted_app_all edgetpu_app_service:service_manager find;
 # by the EdgeTPU service.
 allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
 
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, untrusted_app_all);