commit 9901ff7c4f6f71cdb1bcfb50435b6036caf66b28
author Mathias Agopian <mathias@google.com> Wed Mar 29 19:08:34 2017 -0700
committer Mathias Agopian <mathias@google.com> Thu Mar 30 14:43:35 2017 -0700
tree 749f5b0e81acf95830a6d16d7e68c91a1032501e
parent ad2e6166c892d3b43749a05143fc2beee8910cb8

update sepolicy for gralloc HAL

the list to update was determined by looking
at who currently has access to surfaceflinger
for ipc and FD use.

Test: try some media stuff
Bug: 36333314
Change-Id: I474d0c44f8cb3868aad7a64e5a3640cf212d264d

private/mediadrmserver.te

diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index def8759..4e511a8 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,8 @@
 typeattribute mediadrmserver coredomain;
 
 init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+

private/mediaserver.te

diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4b510a5..08c3f9b 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,6 @@
 typeattribute mediaserver coredomain;
 
 init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)

private/technical_debt.cil

diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 2d9ec8b..abc21a7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -11,3 +11,8 @@
 ;     typeattribute hal_allocator_client halclientdomain;
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))