Enforce parent hal attribute hierarchy.

In order to support passthrough + binderized implementations with a simple switch, there is a hierarchy of attributes for different hal servers.

          /------- hal_X --------\
          |                  **  |
          v                      v
     hal_X_client           hal_X_server
          |                      |
          |                      |
          v                      v
    halclientdomain        halserverdomain

** - hal_X -> hal_X_server is only on non-Treble devices. This is because on these devices, certain HALs are allowed to be loaded directly into the client process in "passthrough" mode as was the case in Android before Android O. This is a legacy compatibility mode.

On Treble devices, any client can also be hal_X just by virtue of a server being able to also be a hal client.

There is also one exception to this rule. su is not given every hal_* permission. If it is given all of these permissions on non-Treble devices, it must be added as an exemption to many other neverallow rules. As a side effect (which existed before this patch), su is not allowed to talk directly to all hardware on non-Treble devices as with Treble devices.

Fixes: 34180936
Test: compile only (neverallow rules are resolved at compile time)
Change-Id: I47122daf95acd49cadaf8b7664e56268dac78945
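
The hierarchy described in the commit message above, as an added example that is not part of the commit or of the project's policy sources: a stand-alone Python check that reads `typeattribute` lines and reports every type carrying a hal attribute without its parent attribute. The `hal_foo` name, the sample types and the modelling of the su exception as a skip list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample policy (not the project's); hal_foo stands in for hal_X.
SAMPLE_POLICY = """
typeattribute foo_server hal_foo;
typeattribute foo_server hal_foo_client;
typeattribute foo_server hal_foo_server;
typeattribute foo_server halclientdomain;
typeattribute foo_server halserverdomain;
typeattribute foo_app hal_foo;
typeattribute foo_app hal_foo_client;
typeattribute foo_app halclientdomain;
typeattribute bad_app hal_foo_client;
typeattribute su hal_foo_client;
"""

TYPEATTR = re.compile(r"^\s*typeattribute\s+(\w+)\s+(\w+)\s*;")
HAL_ATTR = re.compile(r"^(hal_\w+?)(_client|_server)?$")

def parse(policy):
    # Map each type to the set of attributes assigned to it.
    attrs = defaultdict(set)
    for line in policy.splitlines():
        m = TYPEATTR.match(line)
        if m:
            attrs[m.group(1)].add(m.group(2))
    return attrs

def required_parents(attr, treble):
    """Attributes a type must also carry if it carries `attr`."""
    m = HAL_ATTR.match(attr)
    if not m:
        return set()
    base, suffix = m.groups()
    if suffix == "_client":
        return {"halclientdomain"}
    if suffix == "_server":
        return {"halserverdomain"}
    # Bare hal_X: always a client; also a server only on non-Treble (the ** edge).
    return {base + "_client"} | (set() if treble else {base + "_server"})

def violations(policy, treble, exempt=("su",)):
    """Sorted (type, attribute, missing_parent); `exempt` models the su exception."""
    found = []
    for typ, attrs in parse(policy).items():
        if typ in exempt:
            continue
        for attr in attrs:
            found += [(typ, attr, p) for p in required_parents(attr, treble) - attrs]
    return sorted(found)
```

Calling `violations(SAMPLE_POLICY, treble=False)` additionally flags `foo_app`, because on non-Treble devices a type with `hal_foo` must also carry `hal_foo_server`.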