Camera: hal_camera FD access update

Add FD accessing rules related to media,gralloc and ashmem.
Also move a few rules to where they belong.

Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d

private/app.te

@@ -252,6 +252,9 @@ auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write app
 
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
 
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
 

public/hal_camera.te

@@ -13,11 +13,10 @@ allow hal_camera ion_device:chr_file rw_file_perms;
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
 
-# Allow fd to be passed between hal_camera related processes
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
 allow hal_camera { appdomain -isolated_app }:fd use;
-allow { appdomain -isolated_app } hal_camera:fd use;
 allow hal_camera surfaceflinger:fd use;
-allow mediaserver hal_camera:fd use;
+allow hal_camera hal_allocator:fd use;
 
 ###
 ### neverallow rules

public/mediacodec.te

@@ -17,6 +17,8 @@ allow mediacodec video_device:chr_file rw_file_perms;
 allow mediacodec video_device:dir search;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec hal_graphics_allocator:fd use;
+allow mediacodec hal_camera:fd use;
+
 
 # hidl access
 hwbinder_use(mediacodec)

public/mediaserver.te

@@ -129,6 +129,7 @@ allow mediaserver preloads_data_file:file { getattr read ioctl };
 
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_camera:fd use;
 
 allow mediaserver system_server:fd use;