Merge "Policy for Camera HAL HwBinder service" into oc-dev am: b866a957

am: 8cea8086

Change-Id: I622b2b8bcb9f4104034e3594718932863f670f00

private/hwservice_contexts

+android.hardware.camera.provider::ICameraProvider             u:object_r:hw_camera_provider_ICameraProvider:s0
 *                                    u:object_r:default_android_hwservice:s0

public/cameraserver.te

@@ -8,6 +8,8 @@ binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
+allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
+
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;

public/hal_camera.te

@@ -2,6 +2,8 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
 
+add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;
 allow hal_camera camera_data_file:file create_file_perms;

public/hwservice.te

 type default_android_hwservice,   hwservice_manager_type;
+type hw_camera_provider_ICameraProvider,             hwservice_manager_type;

public/te_macros

@@ -502,6 +502,16 @@ define(`add_service', `
   neverallow { domain -$1 } $2:service_manager add;
 ')
 
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+  allow $1 $2:hwservice_manager { add find };
+  neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
 ##########################################
 # print a message with a trailing newline
 # print(`args')