From ded0ee6c6ed4ae0e86dcb8742ebcf4c760d837da Mon Sep 17 00:00:00 2001
From: malikakash
Date: Wed, 14 Feb 2024 21:57:50 +0000
Subject: [PATCH] Give EdgeTpu access to vendor_pcs_app

- In addition, add some more allowances to more closely approximate a priv_app. Especially, accessing the cache, media storage and preloads.

Bug: 325326355
Test: I've tested that existing PCS doesn't break.
Change-Id: I045dd3e6d7587ba1bb405e57204d3cc7c9dc5f69
---
 .../product/private/vendor_pcs_app.te | 20 +++++++++++++++++++
 camera/sepolicy/vendor/vendor_pcs_app.te | 13 +++++++-----
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/camera/sepolicy/product/private/vendor_pcs_app.te b/camera/sepolicy/product/private/vendor_pcs_app.te
index 6bf0451..55eeee7 100644
--- a/camera/sepolicy/product/private/vendor_pcs_app.te
+++ b/camera/sepolicy/product/private/vendor_pcs_app.te
@@ -1,12 +1,32 @@
 typeattribute vendor_pcs_app coredomain;
 app_domain(vendor_pcs_app);
+net_domain(vendor_pcs_app);
+bluetooth_domain(vendor_pcs_app);
 
 allow vendor_pcs_app {
     app_api_service
     audioserver_service
     cameraserver_service
+    drmserver_service
     mediametrics_service
     mediaserver_service
+    nfc_service
     radio_service
 }:service_manager find;
+
+# Following allowances were replicated from priv_app
+# Write to /cache.
+allow vendor_pcs_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow vendor_pcs_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow vendor_pcs_app cache_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+allow vendor_pcs_app media_rw_data_file:dir create_dir_perms;
+allow vendor_pcs_app media_rw_data_file:file create_file_perms;
+
+# Access to /data/preloads
+r_dir_file(vendor_pcs_app, preloads_data_file)
+r_dir_file(vendor_pcs_app, preloads_media_file)
+
 
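Review bot: The grants below `# Following allowances were replicated from priv_app` are justified only by resemblance to priv_app, not by a PCS feature that needs them, and write access to `cache_recovery_file`, plus `net_domain`, `bluetooth_domain` and the `nfc_service`/`drmserver_service` lookups, goes well beyond the EdgeTpu access named in the subject. Each of these widens what a compromise of vendor_pcs_app can reach, so the comment should name the consumer per group rather than the source domain, e.g. `# Needed by <feature placeholder>: cached camera assets under /cache` above the cache block, and `net_domain`/`bluetooth_domain` need a comment of their own since the replication comment sits below them. A grant with no named consumer, `cache_recovery_file` in particular, is better dropped until one exists.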
diff --git a/camera/sepolicy/vendor/vendor_pcs_app.te b/camera/sepolicy/vendor/vendor_pcs_app.te
index e269a2f..b4d71b5 100644
--- a/camera/sepolicy/vendor/vendor_pcs_app.te
+++ b/camera/sepolicy/vendor/vendor_pcs_app.te
@@ -1,14 +1,17 @@
-# Allow PCS to find the LyricConfigProvider service through ServiceManager.
-allow vendor_pcs_app vendor_camera_lyricconfigprovider_service:service_manager find;
-# Allow PCS to find the CameraIdRemapper service through ServiceManager.
-allow vendor_pcs_app vendor_camera_cameraidremapper_service:service_manager find;
+allow vendor_pcs_app {
+    vendor_camera_lyricconfigprovider_service
+    vendor_camera_cameraidremapper_service
+    edgetpu_app_service
+}:service_manager find;
 
 allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;
 binder_call(vendor_pcs_app, hal_pixel_remote_camera_service);
-
 binder_call(vendor_pcs_app, hal_camera_default);
 
+# Allow interacting with EdgeTpu.
+allow vendor_pcs_app edgetpu_device:chr_file { getattr read write ioctl map };
+
 # Allow PCS to open socket connections for HTTP streaming support.
 allow vendor_pcs_app vendor_pcs_app:unpriv_socket_class_set create_socket_perms_no_ioctl;
 allow vendor_pcs_app fwmarkd_socket:sock_file write;
 
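Review bot: `allow vendor_pcs_app edgetpu_device:chr_file { getattr read write ioctl map };` grants unrestricted ioctl on the EdgeTpu character device; the ioctl set should be narrowed with an extended-permission rule, `allowxperm vendor_pcs_app edgetpu_device:chr_file ioctl { <EDGETPU_IOCTL_LIST placeholder> };`, listing only the commands the app actually issues, so that the whole driver ioctl surface is not reachable from the app domain. The rewrite into a single service_manager find block also drops the two comments that explained why LyricConfigProvider and CameraIdRemapper are looked up; a one-line comment above the block, e.g. `# Services PCS looks up: Lyric config, camera id remapping and the EdgeTpu app service.`, would keep that. If edgetpu_app_service is hosted in a separate domain, a matching binder_call() will presumably be needed as well, and the hunk adds none; worth confirming against the service's host.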