From 2dc4d1cc1c99f9dbcec7c4870ccbf6cd1090a8c8 Mon Sep 17 00:00:00 2001
From: Yin-Chia Yeh <yinchiayeh@google.com>
Date: Thu, 23 Feb 2017 17:48:50 -0800
Subject: [PATCH] Camera: allow various FD usage for hal_camera

The camera HAL1 will need to pass/receive FD from various
related processes (app/surfaceflinger/medaiserver)

Change-Id: Ia6a6efdddc6e3e92c71211bd28a83eaf2ebd1948
---
 public/hal_camera.te | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/public/hal_camera.te b/public/hal_camera.te
index d9386fddf..e40a39bc8 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -13,8 +13,11 @@ allow hal_camera ion_device:chr_file rw_file_perms;
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
 
-# Allow hal_camera to use fence FD from surface owned by application
-allow hal_camera appdomain:fd use;
+# Allow fd to be passed between hal_camera related processes
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow { appdomain -isolated_app } hal_camera:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow mediaserver hal_camera:fd use;
 
 ###
 ### neverallow rules
-- 
GitLab