From 97f50223aaae52a60a2cf990bf171747e8ceba4a Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Tue, 3 Dec 2024 04:01:59 +0000 Subject: [PATCH] Allow tachyon service to make binder calls to GCA This permission is needed for tachyon service to call callbacks. AVC Error seen when tachyon tries accessing GCA: 12-02 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0 12-03 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0 Bug: 381787911 Flag: EXEMPT updates device sepolicy only Change-Id: Id27ecd53e9ea7fbf273be098749cdaece55d00cb --- edgetpu/sepolicy/google_camera.te | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 edgetpu/sepolicy/google_camera.te diff --git a/edgetpu/sepolicy/google_camera.te b/edgetpu/sepolicy/google_camera.te new file mode 100644 index 0000000..0c3cd38 --- /dev/null +++ b/edgetpu/sepolicy/google_camera.te @@ -0,0 +1,5 @@ +# Allow tachyon service to communicate with google_camera_app via binder. +binder_call(edgetpu_tachyon_server, google_camera_app); + +# Allow tachyon_service to communicate with fishfood/Eng camera variants via binder. +binder_call(edgetpu_tachyon_server, debug_camera_app);
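Review bot: the second rule, `binder_call(edgetpu_tachyon_server, debug_camera_app);`, is granted on every build type, although its comment describes it as being for fishfood/Eng camera variants. If `debug_camera_app` is only expected on userdebug and eng builds, wrap the rule in `userdebug_or_eng(...)` so user builds do not carry it. If the domain can also exist on user builds, say so in the comment. Both logged denials show only `{ call }` on `tclass=binder`. The AOSP `binder_call` macro additionally allows `transfer` in both directions and `fd use` from the target domain, so the commit message should confirm that the callbacks need the full macro rather than a plain `allow ... :binder call`. As a style point, the new file is named `google_camera.te` but both rules have `edgetpu_tachyon_server` as their source domain, so placing them with the rest of that domain's policy would make them easier to find when auditing what the service can reach. The two comments also spell the service differently ("tachyon service" and "tachyon_service"); pick one.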