Allow camera hal to read apex-info-list.xml

When the hal is in APEX, it monitors apex-info-list.xml to restart
itself.

11-29 07:14:49.034   510   510 I android.hardware.pixel.camera.provider@2.7-service: Google camera provider service is starting.
11-29 07:14:49.036   510   510 E apex_update_listener: Failed to inotify_add_watch(/apex/apex-info-list.xml): Permission denied (13)

Until now, access error has been ignored since updating the apex on
cuttlefish doesn't make sense.

But we'd better make the hal behave the same way even on cuttlefish so
that we can test updates as well.

However, the camera hal monitors a hard-coded apex name which differs
from the AOSP camera hal apex. This will be handled in a follow-up
change.

Bug: n/a
Test: launch_cvd (no errors from apex_update_listener)
Change-Id: I4eaeb75b75bd5d143366f78050dd07b888f351b5

1 files changed, 2 insertions, 3 deletions

diff --git a/shared/camera/sepolicy/hal_camera_default.te b/shared/camera/sepolicy/hal_camera_default.te
index de1e370f2..d1230177a 100644
--- a/shared/camera/sepolicy/hal_camera_default.te
+++ b/shared/camera/sepolicy/hal_camera_default.te
@@ -14,6 +14,5 @@ allow hal_camera_default self:vsock_socket { accept bind create getopt listen re
 
 set_prop(hal_camera_default, vendor_camera_prop)
 
-# The camera HAL can respond to APEX updates (see ApexUpdateListener), but this
-# is not used by the emulated camera HAL APEX. Ignore these denials.
-dontaudit hal_camera_default apex_info_file:file { read };
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;