Allow virtual camera to do binder calls to apps and vice versa.

Virtual camera passes Surface to the app which internally uses binder
to communicate with the other side of buffer queue.

Bug: 301023410
Test: atest VirtualCameraTest
Change-Id: I3ea23532a5077c0b57a6f74c7814b9fdf69829ea

private/app.te

@@ -149,6 +149,9 @@ allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox_all)
 
+# Allow apps to communicate via binder with virtual camera service.
+binder_call(appdomain, virtual_camera)
+
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;

private/virtual_camera.te

@@ -12,6 +12,10 @@ binder_use(virtual_camera)
 binder_call(virtual_camera, cameraserver)
 binder_call(virtual_camera, system_server)
 
+
+# Allow virtualCamera to call apps via binder.
+binder_call(virtual_camera, appdomain)
+
 # Allow virtual_camera to use fd from apps
 allow virtual_camera { appdomain -isolated_app }:fd use;