Give apps, cameraserver, and system_server access to sync fences.

Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f

private/app.te

@@ -177,6 +177,9 @@ binder_call(appdomain, ephemeral_app)
 # TODO(b/34454312): only allow getting and talking to mediacodec service
 hwbinder_use(appdomain)
 
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services

private/system_server.te

@@ -199,6 +199,9 @@ hal_client_domain(system_server, hal_wifi)
 
 hal_client_domain(system_server, hal_wifi_supplicant)
 
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 

public/cameraserver.te

@@ -14,6 +14,9 @@ hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
 add_service(cameraserver, cameraserver_service)
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;