Camera: hal_camera FD access update
Add FD access rules related to media, gralloc and ashmem.
Also move a few rules to where they belong.
Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
diff --git a/private/app.te b/private/app.te
index 4097bfc..4741213 100644
--- a/private/app.te
+++ b/private/app.te
@@ -252,6 +252,9 @@
allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
# TODO: switch to meminfo service
allow appdomain proc_meminfo:file r_file_perms;
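Review bot: The comment on the new `allow { appdomain -isolated_app } hal_camera:fd use;` describes a narrower grant than the rule makes. It names only "shared memory created by camera HAL1", but the rule lets every non-isolated app domain, untrusted apps included, use any descriptor it receives from any domain carrying the `hal_camera` attribute. `fd use` covers only the descriptor, so access to the object behind it still needs its own allow rule, and the comment should say so for anyone auditing app-to-HAL exposure later. Suggested wording: `# Allow apps to use fds passed from the camera HAL (e.g. HAL1 shared memory).` followed by `# This grants fd use only; access to the underlying object is checked separately.`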
diff --git a/public/hal_camera.te b/public/hal_camera.te
index e40a39b..df445fa 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -13,11 +13,10 @@
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-# Allow fd to be passed between hal_camera related processes
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
allow hal_camera { appdomain -isolated_app }:fd use;
-allow { appdomain -isolated_app } hal_camera:fd use;
allow hal_camera surfaceflinger:fd use;
-allow mediaserver hal_camera:fd use;
+allow hal_camera hal_allocator:fd use;
###
### neverallow rules
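Review bot: The rewritten comment `# Allow hal_camera to use fd from app,gralloc,and ashmem HAL` does not match the three rules under it, which name `appdomain`, `surfaceflinger` and `hal_allocator`. The gralloc grant is the `hal_graphics_allocator` rule above, which has its own comment, and surfaceflinger is not mentioned at all. `hal_allocator` is presumably the ashmem allocator the comment refers to, and it is worth naming by its type so the comment can be grepped. Suggested wording: `# Allow hal_camera to use fds passed from apps, surfaceflinger and the allocator (ashmem) HAL`.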
diff --git a/public/mediacodec.te b/public/mediacodec.te
index f8986de..a7d7807 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -17,6 +17,8 @@
allow mediacodec video_device:dir search;
allow mediacodec ion_device:chr_file rw_file_perms;
allow mediacodec hal_graphics_allocator:fd use;
+allow mediacodec hal_camera:fd use;
+
# hidl access
hwbinder_use(mediacodec)
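Review bot: The added `allow mediacodec hal_camera:fd use;` has no comment explaining why the codec process needs descriptors from the camera HAL. mediacodec parses untrusted media, so each new grant to it should record the data path that requires it, so that a later audit can tell whether it is still needed. If this is the camera recording buffer path, as "media" in the commit message suggests, a line such as `# Allow mediacodec to use buffer fds handed over by the camera HAL` above the rule would do. The same applies to the uncommented `allow mediaserver hal_camera:fd use;` in the public/mediaserver.te hunk.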
diff --git a/public/mediaserver.te b/public/mediaserver.te
index fa47288..6b3f051 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -129,6 +129,7 @@
allow mediaserver ion_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_camera:fd use;
allow mediaserver system_server:fd use;