Merge "update sepolicy for gralloc HAL" into oc-dev

private/mediadrmserver.te

 typeattribute mediadrmserver coredomain;
 
 init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+

private/mediaserver.te

 typeattribute mediaserver coredomain;
 
 init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)

private/technical_debt.cil

@@ -11,3 +11,8 @@
 ;     typeattribute hal_allocator_client halclientdomain;
 (typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
 (typeattributeset halclientdomain (hal_allocator_client))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))

public/mediacodec.te

@@ -22,13 +22,15 @@ allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec hal_graphics_allocator:fd use;
 allow mediacodec hal_camera:fd use;
 
 crash_dump_fallback(mediacodec)
 
 hal_client_domain(mediacodec, hal_allocator)
 
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
 # Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
 # directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
 # between those two: it talks to mediacodec via Binder and talks to bufferhubd