[mlock] Allow edgetpu_app_service to call mlock()

This CL references keunyoung's ag/25999220

This is to support the GenAI effort, allowing file backed large models to be mlocked, satisfying the memory accounting on Android.

AVC error message:
https://paste.googleplex.com/5844645780652032

Bug: 322229786

Tested:
end-to-end on ZUM and ZPR.

Change-Id: I6abef85eebbc051cb5e41b8f11f70f7ae1b489ab

edgetpu/sepolicy/edgetpu_app_service.te

@@ -38,3 +38,12 @@ binder_call(edgetpu_app_server, edgetpu_vendor_server);
 
 # Allow EdgeTPU service to log to stats service. (metrics)
 allow edgetpu_app_server fwk_stats_service:service_manager find;
+
+# Allow mlock without size restriction
+allow edgetpu_app_server self:capability ipc_lock;
+
+# Need to effectively read file mapped file when mmap + mlocked.
+allow edgetpu_app_server privapp_data_file:file { map read};
+
+# For shell level testing of mlock
+allow edgetpu_app_server shell_data_file:file { map read};

edgetpu/sepolicy/file_contexts

@@ -15,7 +15,7 @@
 /vendor/lib64/libmetrics_logger\.so                                        u:object_r:same_process_hal_file:s0
 /vendor/lib64/libedgetpu_util\.so                                          u:object_r:same_process_hal_file:s0
 # EdgeTPU runtime libraries
-/vendor/lib64/com\.google\.edgetpu_app_service-V[1-3]-ndk\.so              u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so              u:object_r:same_process_hal_file:s0
 /vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so           u:object_r:same_process_hal_file:s0
 
 # EdgeTPU data files