Camera: hal_camera FD access update

Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
diff --git a/private/app.te b/private/app.te
index 4097bfc..4741213 100644
--- a/private/app.te
+++ b/private/app.te
@@ -252,6 +252,9 @@
 
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
 
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
 
diff --git a/public/hal_camera.te b/public/hal_camera.te
index e40a39b..df445fa 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -13,11 +13,10 @@
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
 
-# Allow fd to be passed between hal_camera related processes
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
 allow hal_camera { appdomain -isolated_app }:fd use;
-allow { appdomain -isolated_app } hal_camera:fd use;
 allow hal_camera surfaceflinger:fd use;
-allow mediaserver hal_camera:fd use;
+allow hal_camera hal_allocator:fd use;
 
 ###
 ### neverallow rules
diff --git a/public/mediacodec.te b/public/mediacodec.te
index f8986de..a7d7807 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -17,6 +17,8 @@
 allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;
+allow mediacodec hal_camera:fd use;
+
 
 # hidl access
 hwbinder_use(mediacodec)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index fa47288..6b3f051 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -129,6 +129,7 @@
 
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_camera:fd use;
 
 allow mediaserver system_server:fd use;