From 6824dfd773877f4d9ddafe6b46e3068eb6fa1abb Mon Sep 17 00:00:00 2001
From: Yin-Chia Yeh <yinchiayeh@google.com>
Date: Fri, 24 Feb 2017 17:45:11 -0800
Subject: [PATCH] Camera: hal_camera FD access update

Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d
---
 private/app.te | 3 +++
 public/hal_camera.te | 5 ++---
 public/mediacodec.te | 2 ++
 public/mediaserver.te | 1 +
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/private/app.te b/private/app.te
index 4097bfc53..47412132b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -252,6 +252,9 @@ auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write app
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index e40a39bc8..df445fa9a 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -13,11 +13,10 @@ allow hal_camera ion_device:chr_file rw_file_perms;
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-# Allow fd to be passed between hal_camera related processes
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
 allow hal_camera { appdomain -isolated_app }:fd use;
-allow { appdomain -isolated_app } hal_camera:fd use;
 allow hal_camera surfaceflinger:fd use;
-allow mediaserver hal_camera:fd use;
+allow hal_camera hal_allocator:fd use;
 ###
 ### neverallow rules
diff --git a/public/mediacodec.te b/public/mediacodec.te
index f8986de0c..a7d780793 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
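Review bot: The comment on the added rule says "camera HAL1", but the rule's source type is hal_camera, which the hal_camera.te hunk in this same commit treats as spanning both hal_camera_client and hal_camera_server, so the grant appears to apply to every domain carrying hal_camera rather than to a HAL1-specific one. The rule is also the reverse direction of `allow hal_camera { appdomain -isolated_app }:fd use;`, which stays in public/hal_camera.te while this half moves to private/app.te, so the pair can drift apart unnoticed. A comment that names the scope and the counterpart keeps them in step: `# Allow app to use fds (e.g. shared memory) created by hal_camera domains; counterpart of the hal_camera -> app fd rule in public/hal_camera.te`.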
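Review bot: The replacement comment lists "app,gralloc,and ashmem HAL", but the three rules it heads grant hal_camera fd use from appdomain, surfaceflinger and hal_allocator: surfaceflinger is not mentioned, and the gralloc (hal_graphics_allocator) grant is the separate rule two lines above, so the comment does not describe the rules under it. A comment matching the rules: `# Allow hal_camera to use fds received from apps, surfaceflinger and the ashmem allocator HAL (hal_allocator)`. Since fd use is checked against the creating domain rather than a particular fd kind, the comment should not suggest the hal_allocator grant is limited to ashmem fds. The removed app->hal_camera and mediaserver->hal_camera rules reappear in the app.te and mediaserver.te hunks, consistent with the description's "move a few rules".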
@@ -17,6 +17,8 @@ allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;
+allow mediacodec hal_camera:fd use;
+
 # hidl access
 hwbinder_use(mediacodec)
diff --git a/public/mediaserver.te b/public/mediaserver.te
index fa472886a..6b3f0511e 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -129,6 +129,7 @@ allow mediaserver preloads_data_file:file { getattr read ioctl };
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_camera:fd use;
 allow mediaserver system_server:fd use;
-- 
GitLab
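Review bot: The added `allow mediacodec hal_camera:fd use;` carries no comment, while the equivalent grant added to app.te in this commit explains what the fd is used for; the mediaserver.te hunk has the same gap. The same style on both would be `# Allow mediacodec to use fds created by hal_camera domains` and `# Allow mediaserver to use fds created by hal_camera domains`. As far as the diff shows, the mediaserver rule is the one removed from public/hal_camera.te and is therefore a move, whereas the mediacodec rule is a new grant that the description's "rules related to media" only loosely covers, so its comment is the more important of the two.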