Sepolicy for OMX hal. Bug: 31399200 Test: Compiles Change-Id: Ifb347a985df5deb85426a54c435c4a9c0248cb57

commit: 5559d21aa550ee03075b958fd65add628f31fcef [log] [tgz]
author: Pawin Vongmasa <pawin@google.com> Tue Jan 24 02:45:16 2017 -0800
committer: Pawin Vongmasa <pawin@google.com> Sat Feb 11 00:12:00 2017 -0800
tree: ea6b57f4c3d0ee4e4accc54279bc2c2cb0293fef
parent: 3651bae67bc593516b183dee7ea554fb20fb2e5e [diff]
diff --git a/private/app.te b/private/app.te
index e0fb6f1..b009d98 100644
--- a/private/app.te
+++ b/private/app.te

@@ -158,6 +158,11 @@
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 
+# hidl access for mediacodec
+# TODO(b/34454312): only allow getting and talking to mediacodec service
+hwbinder_use(appdomain)
+hwallocator_use(appdomain)
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services

diff --git a/private/system_server.te b/private/system_server.te
index 30fe3e2..cba1ab3 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -179,6 +179,7 @@
 
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
+hwallocator_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
commit	5559d21aa550ee03075b958fd65add628f31fcef	[log] [tgz]
author	Pawin Vongmasa <pawin@google.com>	Tue Jan 24 02:45:16 2017 -0800
committer	Pawin Vongmasa <pawin@google.com>	Sat Feb 11 00:12:00 2017 -0800
tree	ea6b57f4c3d0ee4e4accc54279bc2c2cb0293fef
parent	3651bae67bc593516b183dee7ea554fb20fb2e5e [diff]