Remove hal_gatekeeper from gatekeeperd domain

HAL clients should not be annotated with hal_x and haldomain. This may
grant them too much access. Instead, the policy needed for using
in-process HALs should be directly embedded into the client's domain
rules.

This partially reverts the moving of rules out of gatekeeperd in
commit a9ce2086.

Test: Set up PIN-protected secure lock screen, unlock screen, reboot,
      unlock. No SELinux denials in gatekeeperd or hal_gatekeeper*.
Bug: 34715716
Change-Id: If87c865461580ff861e7e228a96d315d319e1765

public/gatekeeperd.te

 type gatekeeperd, domain;
-# normally uses HAL; implements HAL in pass-through mode only
-hal_impl_domain(gatekeeperd, hal_gatekeeper)
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hwbinder_use(gatekeeperd)
+###
+
 # need to find KeyStore and add self
 add_service(gatekeeperd, gatekeeper_service)
 
-# Scan through /system/lib64/hw looking for installed HALs
-allow gatekeeperd system_file:dir r_dir_perms;
-
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };