Commit ed4625f3 authored by Jiyong Park

Allow app to access configstore HAL

Apps should be able to access the configstore HAL since framework
libraries which are loaded into app process can call configstore.

Letting apps have direct access to this HAL is OK because: 

(1) the API of this HAL does not make clients provide any sensitive 
information to the HAL, which makes it impossible for the HAL to 
disclose sensitive information of its clients when the HAL is 
compromised, 

(2) we will require that this HAL is binderized (i.e., does not run 
inside the process of its clients), 

(3) we will require that this HAL runs in a tight seccomp sandbox 
(this HAL doesn't need much access, if at all) and,

(4) we'll restrict the HAL's powers via neverallows.

Test: apps can use configstore hal.

Change-Id: I04836b7318fbc6ef78deff770a22c68ce7745fa9
parent 83011a26
......@@ -246,6 +246,9 @@ auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write app
# Allow app to access the graphic allocator HAL
binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
# App can access configstore HAL which is read only
binder_call({ appdomain -isolated_app }, hal_configstore)
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
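Review bot: The comment on the new rule, "# App can access configstore HAL which is read only", asserts a property that the added binder_call({ appdomain -isolated_app }, hal_configstore) line does not itself enforce, and none of the conditions the commit message relies on (binderized only, seccomp sandbox, neverallows on the HAL) are visible in this hunk. Suggest adding the neverallow rules for hal_configstore in the same change, or saying in the comment that they land separately, so the allow rule is not read as safe on its own. The comment would also be more useful if it gave the reason for the grant (framework libraries loaded into app processes call configstore) rather than "read only". Excluding isolated_app matches the neighbouring hal_graphics_allocator rule and should stay.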