From 5c50ccab628834d912fc873886cd92a36ca92302 Mon Sep 17 00:00:00 2001 From: timmyli Date: Tue, 5 Nov 2024 06:38:20 +0000 Subject: [PATCH] Add permissions for GCA to access various services app_api_service gives access to blanket app service permissions. The more specific ones are listed in logs below. Bug: 370899024 Bug: 375958865 Test: manual test with GCA to verify permissions Flag: EXEMPT refactor Specific logs: 11-05 01:13:34.640 332 332 E SELinux : avc: denied { find } for pid=5493 uid=10155 name=media.player scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager permissive=1 11-05 01:13:34.641 332 332 E SELinux : avc: denied { find } for pid=5493 uid=10155 name=media.camera scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=1 11-05 01:29:31.002 326 326 E SELinux : avc: denied { find } for pid=5465 uid=10155 name=media.metrics scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:mediametrics_service:s0 tclass=service_manager permissive=1 11-05 01:29:31.498 326 326 E SELinux : avc: denied { find } for pid=5465 uid=10155 name=media.extractor scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:mediaextractor_service:s0 tclass=service_manager permissive=1 11-05 01:29:30.961 326 326 E SELinux : avc: denied { find } for pid=5465 uid=10155 name=media.audio_flinger scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:audioserver_service:s0 tclass=service_manager permissive=1 Logs from app services blanket granted by app_api_service 10-28 02:25:22.057 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=content scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:content_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.953 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=connectivity scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:connectivity_service:s0 tclass=service_manager permissive=1 10-28 02:25:22.577 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=power scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:power_service:s0 tclass=service_manager permissive=1 10-28 02:25:22.062 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=notification scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:notification_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.988 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=appops scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:appops_service:s0 tclass=service_manager permissive=1 10-28 02:25:22.014 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=user scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:user_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.852 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=display scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:display_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.998 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=jobscheduler scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:jobscheduler_service:s0 tclass=service_manager permissive=1 10-28 02:25:21.855 339 339 I auditd : avc: denied { find } for pid=10509 uid=10149 name=network_management scontext=u:r:google_camera_app:s0:c149,c256,c512,c768 tcontext=u:object_r:network_management_service:s0 tclass=service_manager permissive=1 10-02 05:40:18.428 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=content_capture scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.270 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=device_policy scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:device_policy_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.215 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=sensorservice scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager permissive=1 10-02 05:40:18.166 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=netstats scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.219 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=virtualdevice_native scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:virtual_device_native_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.230 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=thermalservice scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:thermal_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.224 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=media.camera scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.214 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=media.player scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.485 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=backup scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:backup_service:s0 tclass=service_manager permissive=1 10-02 05:40:17.920 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=activity scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 10-02 05:40:19.511 355 355 I auditd : avc: denied { find } for pid=9560 uid=10129 name=device_state scontext=u:r:google_camera_app:s0:c129,c256,c512,c768 tcontext=u:object_r:device_state_service:s0 tclass=service_manager permissive=1 Change-Id: I9bd98af328f948152c89f9f2c3a066a951f4aaad --- .../sepolicy/product/private/google_camera_app.te | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/gcam_app/sepolicy/product/private/google_camera_app.te b/gcam_app/sepolicy/product/private/google_camera_app.te index a4c7a79..2d3d73c 100644 --- a/gcam_app/sepolicy/product/private/google_camera_app.te +++ b/gcam_app/sepolicy/product/private/google_camera_app.te @@ -3,12 +3,12 @@ typeattribute google_camera_app coredomain; app_domain(google_camera_app) net_domain(google_camera_app) -#allow google_camera_app app_api_service:service_manager find; -#allow google_camera_app audioserver_service:service_manager find; -#allow google_camera_app cameraserver_service:service_manager find; -#allow google_camera_app mediaextractor_service:service_manager find; -#allow google_camera_app mediametrics_service:service_manager find; -#allow google_camera_app mediaserver_service:service_manager find; +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; # Allows GCA to access the PowerHAL. hal_client_domain(google_camera_app, hal_power)