From cb2c9c91c1549b16c5c6d51411d3d4ab9f528ff7 Mon Sep 17 00:00:00 2001 
From: timmyli
Date: Tue, 5 Nov 2024 21:39:34 +0000
Subject: [PATCH] Consolidate gca permissions inside gs-common
SeLinux team is making an effort to have a general set of permissions inside gs-common for GCA as oppose to having a new google_camera_app.te for each device generation. Move the next gen permissions to the gs-common.
Bug: 361092857
Test: manual test to check permissions
Flag: EXEMPT add permissions
11-05 16:28:30.048 5720 5720 I FinishThread: type=1400 audit(0.0:665): avc: denied { read write } for name="gxp" dev="tmpfs" ino=1545 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera
11-05 16:28:30.048 5720 5720 I FinishThread: type=1400 audit(0.0:666): avc: denied { open } for path="/dev/gxp" dev="tmpfs" ino=1545 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera
11-05 16:28:30.048 5720 5720 I FinishThread: type=1400 audit(0.0:667): avc: denied { ioctl } for path="/dev/gxp" dev="tmpfs" ino=1545 ioctlcmd=0xee06 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera
11-05 16:15:05.062 332 332 E SELinux : avc: denied { find } for pid=5586 uid=10155 name=com.google.edgetpu.IEdgeTpuAppService/default scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:edgetpu_app_service:s0 tclass=service_manager permissive=1
11-05 16:15:06.356 5586 5586 I frame-quality-s: type=1400 audit(0.0:554): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1542 ioctlcmd=0xed23 scontext=u:r:google_camera_app:s0:c155,c256,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCamera
Change-Id: Ie38edbf7e2fecf6bc45605a947ad6fc63d4f4378
---
 gcam_app/sepolicy/vendor/google_camera_app.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gcam_app/sepolicy/vendor/google_camera_app.te b/gcam_app/sepolicy/vendor/google_camera_app.te
index 81f91ac..3f5a0ec 100644
--- a/gcam_app/sepolicy/vendor/google_camera_app.te
+++ b/gcam_app/sepolicy/vendor/google_camera_app.te
@@ -1,12 +1,12 @@
 # GCARelease and GCADogfood.
 # Allows GCA to acccess the GXP device & properties.
-#allow google_camera_app gxp_device:chr_file rw_file_perms;
+allow google_camera_app gxp_device:chr_file rw_file_perms;
 get_prop(google_camera_app, vendor_gxp_prop)
 # Allows GCA to find and access the EdgeTPU.
-#allow google_camera_app edgetpu_app_service:service_manager find;
-#allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { ioctl };
 # Allows GCA to access the hw_jpeg /dev/video12.
 #allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
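Review bot: The two newly enabled device rules, `allow google_camera_app gxp_device:chr_file rw_file_perms;` and `allow google_camera_app edgetpu_device:chr_file { ioctl };`, grant `ioctl` with no command filter, so the app domain can issue any ioctl the GXP and EdgeTPU drivers implement. The denials quoted in the commit message show only `ioctlcmd=0xee06` on `/dev/gxp` and `ioctlcmd=0xed23` on `/dev/edgetpu-soc`, and they come from one manual run with `permissive=1`, so they are unlikely to be the complete set GCA needs. Unless an ioctl allowlist for these types already exists elsewhere in gs-common (not visible in this hunk), consider adding `allowxperm google_camera_app edgetpu_device:chr_file ioctl { <EDGETPU_IOCTL_LIST_FROM_DRIVER_OWNERS> };` and the equivalent for `gxp_device`, with the command lists confirmed by the driver owners. The EdgeTPU rule was also narrowed from `{ getattr read write ioctl map }` to `{ ioctl }` without explanation; a one-line comment above it stating why `ioctl` alone is sufficient would keep a later change from widening it again.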