From 3ef2d51baca547dbe1a75a1d3977bfff4d3d5ffc Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Fri, 21 Apr 2017 14:32:50 -0700
Subject: [PATCH] Relax neverallow for video_device access

On fugu, surfaceflinger is Graphics Allocator HAL. surfaceflinger
needs access to video_device. This commit thus relaxes the neverallow
rule which says that out of all HALs, only Camera HAL can access
video_device. The rule is relaxed to exclude HALs offered by
framework/system image.

Test: fugu boots
Bug: 37575062
Change-Id: I9b9be55fe0bf3928f1a6342113a7d6f9a2eb0260
---
 public/hal_camera.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/hal_camera.te b/public/hal_camera.te
index b77ff3a4d..3c15e85f9 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -34,4 +34,4 @@ neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only camera HAL may directly access the camera and video hardware
 neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
-neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;
+neverallow { halserverdomain -coredomain -hal_camera_server } video_device:chr_file *;
-- 
GitLab