From 765e8e2374baec527202884f4560ac003ae4ebdf Mon Sep 17 00:00:00 2001
From: Cheng Gu <gucheng@google.com>
Date: Thu, 1 Apr 2021 10:47:20 -0700
Subject: [PATCH] gs101-sepolicy: Allow binder call rlsservice from camera

This is to fix below avc denial:
  E SELinux : avc:  denied  { find } for pid=28954 uid=1000
  name=rlsservice scontext=u:r:hal_camera_default:s0
  tcontext=u:object_r:rls_service:s0 tclass=service_manager permissive=0

The solution is similar to ag/7253836 (coral) and ag/10232101 (redbull).

Fix: 183620858
Test: adb shell setprop persist.vendor.camera.dump_range_data 1 &&
      adb shell pkill -f camera, then retest camera
Change-Id: I6bb743c15ee64e3c4ecb8359126b238554aa649e
---
 whitechapel/vendor/google/hal_camera_default.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te
index 5db0ed6e..98de1b23 100644
--- a/whitechapel/vendor/google/hal_camera_default.te
+++ b/whitechapel/vendor/google/hal_camera_default.te
@@ -28,6 +28,10 @@ allow hal_camera_default persist_camera_file:file r_file_perms;
 get_prop(hal_camera_default, vendor_camera_prop);
 get_prop(hal_camera_default, vendor_camera_debug_prop);
 
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
 hal_client_domain(hal_camera_default, hal_graphics_allocator);
 hal_client_domain(hal_camera_default, hal_power);
 hal_client_domain(hal_camera_default, hal_thermal);