author Vladimir Oltean <olteanv@gmail.com> 2018-10-02 00:54:17 +0300
committer doc HD <doc.divxm@gmail.com> 2019-02-13 00:26:02 +0300
commit 640f8f936deaf9a30ede93e9e3225d8630256b52 (patch)
tree a4c570db069d77c1e8e2d69f12c1e2c9fcfdcb34
parent ee07edf174103a0151657a54cae82077c504d764 (diff)
common: Allow webview_zygote to read /dev/ion
Regular Zygote does already have this permission granted as part of system/sepolicy. Legacy QCOM devices combined with AOSP Webview processes appear to fail to load in enforcing mode without this change.

TEST: Without this patch, opening Gmail on a msm8976 tablet results in:

I WebViewFactory: Loading com.android.webview version 66.0.3359.158 (code 336015855)
W cr_ChildProcLH: Create a new ChildConnectionAllocator with package name = com.android.webview, sandboxed = true
W libprocessgroup: kill(-4305, 9) failed: No such process
I libprocessgroup: Successfully killed process cgroup uid 10064 pid 4305 in 95ms
I cr_BrowserStartup: Initializing chromium process, singleProcess=false
I cr_base : Android Locale: en_US requires .pak files: []
E webview_zygote: Unable to restat fd 28: Permission denied
F webview_zygote: jni_internal.cc:616] JNI FatalError called: (com.android.webview:sandboxed_process0) Unable to stat 28
W webview_zygote: type=1400 audit(0.0:27): avc: denied { getattr } for path="/dev/ion" dev="tmpfs" ino=12718 scontext=u:r:webview_zygote:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
W webview_zygote: type=1400 audit(0.0:28): avc: denied { getattr } for path="/dev/ion" dev="tmpfs" ino=12718 scontext=u:r:webview_zygote:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
W webview_zygote: type=1400 audit(0.0:29): avc: denied { read } for name="app_process32" dev="mmcblk0p25" ino=467 scontext=u:r:webview_zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file permissive=0
F webview_zygote: runtime.cc:558] Runtime aborting...

Change-Id: I7eadf4ac2f286c90a92cd84b26b00f0f29b7a57e
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
-rw-r--r-- common/webview_zygote.te 1
1 files changed, 1 insertions, 0 deletions
diff --git a/common/webview_zygote.te b/common/webview_zygote.te
new file mode 100644
index 0000000..1356cd5
--- /dev/null
+++ b/common/webview_zygote.te
@@ -0,0 +1 @@
+allow webview_zygote ion_device:chr_file r_file_perms;
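Review bot: The one added rule in common/webview_zygote.te grants the full r_file_perms set on ion_device:chr_file, while the log in the commit message shows only { getattr } denied on /dev/ion, and its third denial ({ read } on zygote_exec:file for app_process32) is not covered by this rule at all. Please either narrow the grant to the permissions actually denied (for example `allow webview_zygote ion_device:chr_file getattr;`) or add a comment in the .te file saying that the wider set is intentional to mirror what zygote already has in system/sepolicy. It would also help to state in the message whether the app_process32 denial still appears with the patch applied, since the TEST section only documents the failing case and the file carries no comment tying the rule to the legacy QCOM devices it is meant for.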