From 50930b4181f7331984d826895d745e04ebc3501c Mon Sep 17 00:00:00 2001
From: Frank Yu
Date: Fri, 1 Nov 2024 09:04:43 +0000
Subject: [PATCH 1/4] Allow grilservice_app to binder call twoshay

avc error log:
[ 37.308566] type=1400 audit(1730161331.968:20): avc: denied { call } for comm="pool-3-thread-1" scontext=u:r:grilservice_app:s0:c253,c256,c512,c768 tcontext=u:r:twoshay:s0 tclass=binder permissive=0 bug=b/375564898 app=com.google.android.grilservice

Flag: EXEMPT bugfix
Bug: 375564898
Change-Id: I7bd57884763e255be57455b138e306c904bc66e1
---
 gril/hidl/1.7/sepolicy/grilservice_app.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gril/hidl/1.7/sepolicy/grilservice_app.te b/gril/hidl/1.7/sepolicy/grilservice_app.te
index 3a170b8..fd20fb4 100644
--- a/gril/hidl/1.7/sepolicy/grilservice_app.te
+++ b/gril/hidl/1.7/sepolicy/grilservice_app.te
@@ -2,3 +2,5 @@ allow grilservice_app hal_radio_ext_service:service_manager find;
 
 # allow grilservice_app to binder call hal_radioext_default
 binder_call(grilservice_app, hal_radioext_default)
+# allow grilservice_app to binder call twoshay
+binder_call(grilservice_app, twoshay)

From cb2c9c91c1549b16c5c6d51411d3d4ab9f528ff7 Mon Sep 17 00:00:00 2001
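Review bot: The added `binder_call(grilservice_app, twoshay)` grants more than the single `{ call }` denial quoted in the commit message: in the standard Android te_macros definition the macro also allows `transfer` in both directions and `fd use` of descriptors coming from twoshay, so the reply-side and fd-passing directions should be confirmed as intended for an app domain. The comment above it only restates the rule; `# grilservice_app needs a binder path to twoshay for <purpose> (b/375564898)` would record why this app talks to the daemon directly. No `service_manager find` rule for a twoshay service appears on the new side, so presumably the app obtains the twoshay binder through another route (the existing hal_radioext_default connection, perhaps) — worth confirming, since otherwise the lookup still fails before any call is made.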
From: timmyli
Date: Tue, 5 Nov 2024 21:39:34 +0000
Subject: [PATCH 2/4] Consolidate gca permissions inside gs-common

SeLinux team is making an effort to have a general set of permissions inside gs-common for GCA as oppose to having a new google_camera_app.te for each device generation. Move the next gen permissions to the gs-common.

Bug: 361092857
Test: manual test to check permissions
Flag: EXEMPT add permissions

11-05 16:28:30.048 5720 5720 I FinishThread: type=1400 audit(0.0:665): avc: denied { read write } for name="gxp" dev="tmpfs" ino=1545 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera
11-05 16:28:30.048 5720 5720 I FinishThread: type=1400 audit(0.0:666): avc: denied { open } for path="/dev/gxp" dev="tmpfs" ino=1545 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera
11-05 16:28:30.048 5720 5720 I FinishThread: type=1400 audit(0.0:667): avc: denied { ioctl } for path="/dev/gxp" dev="tmpfs" ino=1545 ioctlcmd=0xee06 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera
11-05 16:15:05.062 332 332 E SELinux : avc: denied { find } for pid=5586 uid=10155 name=com.google.edgetpu.IEdgeTpuAppService/default scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:edgetpu_app_service:s0 tclass=service_manager permissive=1
11-05 16:15:06.356 5586 5586 I frame-quality-s: type=1400 audit(0.0:554): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1542 ioctlcmd=0xed23 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera

Change-Id: Ie38edbf7e2fecf6bc45605a947ad6fc63d4f4378
---
 gcam_app/sepolicy/vendor/google_camera_app.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gcam_app/sepolicy/vendor/google_camera_app.te b/gcam_app/sepolicy/vendor/google_camera_app.te
index 81f91ac..3f5a0ec 100644
--- a/gcam_app/sepolicy/vendor/google_camera_app.te
+++ b/gcam_app/sepolicy/vendor/google_camera_app.te
@@ -1,12 +1,12 @@
 # GCARelease and GCADogfood.
 # Allows GCA to acccess the GXP device & properties.
-#allow google_camera_app gxp_device:chr_file rw_file_perms;
+allow google_camera_app gxp_device:chr_file rw_file_perms;
 get_prop(google_camera_app, vendor_gxp_prop)
 
 
 # Allows GCA to find and access the EdgeTPU.
-#allow google_camera_app edgetpu_app_service:service_manager find;
-#allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { ioctl };
 
 # Allows GCA to access the hw_jpeg /dev/video12.
 #allow google_camera_app hw_jpg_device:chr_file rw_file_perms;

From 132ad09bcedd5fecc9729b23743a53db75d91f92 Mon Sep 17 00:00:00 2001
From: timmyli
Date: Wed, 6 Nov 2024 08:03:47 +0000
Subject: [PATCH 3/4] Add more access for GCA to edgetpu

Bug: 361092857
Test: manual test to check permissions
Flag: EXEMPT add permissions

11-06 03:01:49.736 719 719 W binder:719_3: type=1400 audit(0.0:710): avc: denied { read write } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1542 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=0

Change-Id: I2ef4ac39645179fe2a2ec1d7aeac928a43a01a61
---
 gcam_app/sepolicy/vendor/google_camera_app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcam_app/sepolicy/vendor/google_camera_app.te b/gcam_app/sepolicy/vendor/google_camera_app.te
index 3f5a0ec..76f0811 100644
--- a/gcam_app/sepolicy/vendor/google_camera_app.te
+++ b/gcam_app/sepolicy/vendor/google_camera_app.te
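Review bot: `allow google_camera_app gxp_device:chr_file rw_file_perms;` on the new side grants the full read/write permission set, which is wider than the `{ read write open ioctl }` the quoted denials actually show (rw_file_perms also carries getattr, lock, append and map); spelling out the observed permissions keeps the app's reach into /dev/gxp minimal. Both new `chr_file` rules also leave `ioctl` unrestricted by command even though the logs name the exact commands used (0xee06 on gxp_device, 0xed23 on edgetpu_device); if this policy build applies extended permissions to character devices, an `allowxperm google_camera_app edgetpu_device:chr_file ioctl { 0xed23 };` style allowlist would scope them to what GCA needs. Note that the new `edgetpu_device:chr_file { ioctl }` line drops the `read write` the commented-out rule carried, and the next patch in the series hits exactly that denial in enforcing mode, so the intended set for /dev/edgetpu-soc is better settled here than flip-flopped across three commits.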
@@ -6,7 +6,7 @@ get_prop(google_camera_app, vendor_gxp_prop)
 
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file { ioctl };
+allow google_camera_app edgetpu_device:chr_file rw_file_perms;
 
 # Allows GCA to access the hw_jpeg /dev/video12.
 #allow google_camera_app hw_jpg_device:chr_file rw_file_perms;

From 84d3523c6c9d6f0e9ae3d918871eed6e12c6c506 Mon Sep 17 00:00:00 2001
From: "ELIYAZ MOMIN (xWF)"
Date: Wed, 6 Nov 2024 16:54:52 +0000
Subject: [PATCH 4/4] Revert "Add more access for GCA to edgetpu"

This reverts commit 132ad09bcedd5fecc9729b23743a53db75d91f92.

Reason for revert:

Change-Id: Ic0cf086e2dc3aad19b1e0965873f9966ad7e6c29
---
 gcam_app/sepolicy/vendor/google_camera_app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcam_app/sepolicy/vendor/google_camera_app.te b/gcam_app/sepolicy/vendor/google_camera_app.te
index 76f0811..3f5a0ec 100644
--- a/gcam_app/sepolicy/vendor/google_camera_app.te
+++ b/gcam_app/sepolicy/vendor/google_camera_app.te
@@ -6,7 +6,7 @@ get_prop(google_camera_app, vendor_gxp_prop)
 
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file rw_file_perms;
+allow google_camera_app edgetpu_device:chr_file { ioctl };
 
 # Allows GCA to access the hw_jpeg /dev/video12.
 #allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
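Review bot: Replacing `{ ioctl }` with `rw_file_perms` on edgetpu_device widens the app's access well past the `{ read write }` the quoted enforcing-mode (permissive=0) denial asks for, adding getattr, open, lock, append and map on /dev/edgetpu-soc. `allow google_camera_app edgetpu_device:chr_file { ioctl read write };` resolves the logged denial as written, with `open` added only if the app opens the node itself rather than receiving the descriptor — the denial coming from a binder thread suggests the latter, but that is inferred. The following revert in this series puts the line back to `{ ioctl }`, so whichever set is chosen should be the one that survives, and the reason for it belongs in the file.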
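Review bot: The revert leaves `allow google_camera_app edgetpu_device:chr_file { ioctl };` in place while the `{ read write }` denial in the reverted change was logged with permissive=0, so on the new side that access path is still blocked for GCA and nothing in the file says whether that is deliberate. With the commit's `Reason for revert:` left empty, a one-line comment above the rule — `# ioctl only: read/write on edgetpu_device deliberately withheld, see revert of I2ef4ac39645179fe2a2ec1d7aeac928a43a01a61` — would stop the next person from re-landing the broader set by reflex. If the widening was rolled back for a functional rather than a policy reason, that is worth stating in the comment instead.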