Apps and system_server are gralloc HAL clients This commit marks system_server and app domains (except isolated_app) as clients of Graphics Allocator HAL. This makes the policy cleaner and prepares ground for restricting access to HwBinder services. Test: Play video in YouTube app and in Google Chrome YouTube web page Test: Using Google Camera app, take an HDR+ photo, a conventional photo, record a video with sound and a slow motion video with sound, then check that photos look good and videos play back fine, including sound. Bug: 34454312 Change-Id: Iea04d38fa5520432f06af94570fa6ce16ed7979a

commit: 5007c10a51a150d3af9c29e1392279ffbf9347d9 [log] [tgz]
author: Alex Klyubin <klyubin@google.com> Mon Apr 17 12:53:40 2017 -0700
committer: Alex Klyubin <klyubin@google.com> Mon Apr 17 12:55:00 2017 -0700
tree: e77a6b5541f23227e31c6e776586afeab980abb9
parent: 0d1b2ce151d094b4df949248ab55b4e6d6780869 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 0f0dcdc..404a253 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -175,7 +175,7 @@
 hal_client_domain(system_server, hal_fingerprint)
 binder_call(system_server, hal_gnss)
 hal_client_domain(system_server, hal_gnss)
-binder_call(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_graphics_allocator)
 binder_call(system_server, hal_ir)
 hal_client_domain(system_server, hal_ir)
 binder_call(system_server, hal_light)
@@ -627,7 +627,6 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server hal_graphics_allocator:fd use;
 
 r_dir_file(system_server, proc)
 r_dir_file(system_server, proc_meminfo)
commit	5007c10a51a150d3af9c29e1392279ffbf9347d9	[log] [tgz]
author	Alex Klyubin <klyubin@google.com>	Mon Apr 17 12:53:40 2017 -0700
committer	Alex Klyubin <klyubin@google.com>	Mon Apr 17 12:55:00 2017 -0700
tree	e77a6b5541f23227e31c6e776586afeab980abb9
parent	0d1b2ce151d094b4df949248ab55b4e6d6780869 [diff] [blame]