From 116b9d5ec1e5b711fddccfa3ff87e18dd5674a89 Mon Sep 17 00:00:00 2001 From: danhtn Date: Thu, 5 Sep 2024 20:51:19 +0000 Subject: [PATCH 1/6] shamp: Update shared_modem_platform HAL version to 3 Bug: 322731425 ag/29120584 provides a new V3 version Test: `atest vts_treble_vintf_vendor_test:DeviceManifest/SingleAidlTest#HalIsServed/com_google_pixel_shared_modem_platform_ISharedModemPlatform_default_V1_84` Flag: EXEMPT can't flag manifest changes Change-Id: Ia91d7499f218a733906173e388a287cd591b8c01 --- modem/shared_modem_platform/compatibility_matrix.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modem/shared_modem_platform/compatibility_matrix.xml b/modem/shared_modem_platform/compatibility_matrix.xml index 66a58ce..14d987a 100644 --- a/modem/shared_modem_platform/compatibility_matrix.xml +++ b/modem/shared_modem_platform/compatibility_matrix.xml @@ -2,7 +2,7 @@ com.google.pixel.shared_modem_platform - 2 + 3 ISharedModemPlatform default From 6265f1f2eb3ad89eefb0f340f77c9d41cc18f198 Mon Sep 17 00:00:00 2001 
From: hwandy Date: Thu, 5 Sep 2024 06:32:08 +0000 Subject: [PATCH 2/6] Add sepolicy for gcam app Bug: b/359815606. Bug: b/363018500. Flag: EXEMPT bugfix. Test: Locally built selinux policy and a local GCAEng (go/ab/12329728) and run GCAEng and saw selinux policy denial message gone. AVC evidence from b/363018500: 08-27 22:57:12.442 340 340 I auditd : avc: denied { find } for pid=15696 uid=10286 name=activity scontext=u:r:debug_camera_app:s0:c30,c257,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=0 08-27 21:35:58.954 332 332 I auditd : avc: denied { find } for pid=4055 uid=10286 name=media.audio_policy scontext=u:r:debug_camera_app:s0:c30,c257,c512,c768 tcontext=u:object_r:audioserver_service:s0 tclass=service_manager permissive=1 08-27 21:34:50.138 332 332 I auditd : avc: denied { find } for pid=4055 uid=10286 name=media.camera scontext=u:r:debug_camera_app:s0:c30,c257,c512,c768 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=1 08-27 21:34:53.320 332 332 I auditd : avc: denied { find } for pid=4055 uid=10286 name=media.extractor scontext=u:r:debug_camera_app:s0:c30,c257,c512,c768 tcontext=u:object_r:mediaextractor_service:s0 tclass=service_manager permissive=1 08-27 21:34:51.622 332 332 I auditd : avc: denied { find } for pid=4055 uid=10286 name=media.metrics scontext=u:r:debug_camera_app:s0:c30,c257,c512,c768 tcontext=u:object_r:mediametrics_service:s0 tclass=service_manager permissive=1 08-27 21:35:59.012 332 332 I auditd : avc: denied { find } for pid=4055 uid=10286 name=media.resource_manager scontext=u:r:debug_camera_app:s0:c30,c257,c512,c768 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager permissive=1 AVC evidence from go/ab/12328923: 09-06 11:16:24.421 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=netstats scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 09-06 11:16:24.627 
328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=shortcut scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:shortcut_service:s0 tclass=service_manager permissive=1 09-06 11:16:24.812 17252 17252 I GoogleCameraEng: type=1400 audit(0.0:1091): avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:16:24.812 17252 17252 I GoogleCameraEng: type=1400 audit(0.0:1092): avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:16:25.222 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=content_capture scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 09-06 11:16:25.220 17252 17252 I RenderThread: type=1400 audit(0.0:1093): avc: denied { read } for name="uevent" dev="sysfs" ino=45203 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:16:25.220 17252 17252 I RenderThread: type=1400 audit(0.0:1094): avc: denied { open } for path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=45203 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:16:25.220 17252 17252 I RenderThread: type=1400 audit(0.0:1095): avc: denied { getattr } for path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=45203 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:16:25.877 328 328 E SELinux : avc: 
denied { find } for pid=17252 uid=10289 name=voiceinteraction scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 09-06 11:16:25.902 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=autofill scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 09-06 11:16:25.920 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=sensitive_content_protection_service scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 09-06 11:16:25.928 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=performance_hint scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1 09-06 11:16:26.060 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=clipboard scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:clipboard_service:s0 tclass=service_manager permissive=1 09-06 11:16:29.417 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=backup scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:backup_service:s0 tclass=service_manager permissive=1 09-06 11:16:29.484 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=android.frameworks.stats.IStats/default scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1 09-06 11:17:01.249 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 11:17:01.306 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=package_native 
scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:package_native_service:s0 tclass=service_manager permissive=1 09-06 11:17:01.495 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=package_native scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:package_native_service:s0 tclass=service_manager permissive=1 09-06 11:17:02.330 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 11:17:05.916 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 11:17:07.826 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 11:17:09.579 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 11:17:10.580 17252 17252 I FinishThread: type=1400 audit(0.0:1164): avc: denied { read } for name="gxp" dev="tmpfs" ino=1511 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:17:10.580 17252 17252 I FinishThread: type=1400 audit(0.0:1165): avc: denied { open } for path="/dev/gxp" dev="tmpfs" ino=1511 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:17:10.580 17252 17252 I FinishThread: type=1400 audit(0.0:1166): avc: denied { ioctl } for path="/dev/gxp" dev="tmpfs" ino=1511 ioctlcmd=0xee1a 
scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:17:10.580 17252 17252 I FinishThread: type=1400 audit(0.0:1167): avc: denied { write } for name="gxp" dev="tmpfs" ino=1511 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:17:11.692 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 11:17:13.696 17252 17252 I FinishThread: type=1400 audit(0.0:1177): avc: denied { ioctl } for path="/dev/gxp" dev="tmpfs" ino=1511 ioctlcmd=0xee00 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:17:15.443 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 11:17:20.159 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=uimode scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:uimode_service:s0 tclass=service_manager permissive=1 09-06 11:17:21.816 17252 17252 I FinishThread: type=1400 audit(0.0:1185): avc: denied { ioctl } for path="/dev/gxp" dev="tmpfs" ino=1511 ioctlcmd=0xee00 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 11:17:36.508 17252 17252 I FinishThread: type=1400 audit(0.0:1189): avc: denied { ioctl } for path="/dev/gxp" dev="tmpfs" ino=1511 ioctlcmd=0xee00 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gxp_device:s0 tclass=chr_file permissive=1 
app=com.google.android.GoogleCameraEng 09-06 11:17:54.854 328 328 E SELinux : avc: denied { find } for pid=17252 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 15:38:05.817 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=netstats scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.000 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=shortcut scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:shortcut_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.627 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=content_capture scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.634 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=gpu scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.640 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=activity_task scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.694 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=sensorservice scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.695 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=virtualdevice_native scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:virtual_device_native_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.728 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=device_policy 
scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:device_policy_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.730 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=batterystats scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:batterystats_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.731 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=powerstats scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:powerstats_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.788 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=trust scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=1 09-06 15:38:06.869 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=device_state scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:device_state_service:s0 tclass=service_manager permissive=1 09-06 15:38:07.052 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=vibrator_manager scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:vibrator_manager_service:s0 tclass=service_manager permissive=1 09-06 15:38:07.135 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=thermalservice scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:thermal_service:s0 tclass=service_manager permissive=1 09-06 15:38:07.380 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=voiceinteraction scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 09-06 15:38:07.384 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=autofill scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 09-06 
15:38:07.399 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=sensitive_content_protection_service scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 09-06 15:38:07.406 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=performance_hint scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1 09-06 15:38:07.542 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=clipboard scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:clipboard_service:s0 tclass=service_manager permissive=1 09-06 15:38:10.834 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=backup scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:backup_service:s0 tclass=service_manager permissive=1 09-06 15:38:10.899 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=com.google.edgetpu.IEdgeTpuAppService/default scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_app_service:s0 tclass=service_manager permissive=1 09-06 15:38:10.913 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=android.frameworks.stats.IStats/default scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1 09-06 15:38:27.247 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=android.hardware.neuralnetworks.IDevice/google-edgetpu scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_nnapi_service:s0 tclass=service_manager permissive=1 09-06 15:38:27.612 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 15:38:27.866 343 343 E 
SELinux : avc: denied { find } for pid=12740 uid=10289 name=package_native scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:package_native_service:s0 tclass=service_manager permissive=1 09-06 15:38:58.145 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=uimode scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:uimode_service:s0 tclass=service_manager permissive=1 09-06 15:38:59.592 12740 12740 I SEnhWorker: type=1400 audit(0.0:430): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1511 ioctlcmd=0xed1a scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:39:03.375 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=storagestats scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:storagestats_service:s0 tclass=service_manager permissive=1 09-06 15:41:04.632 12740 12740 I RenderThread: type=1400 audit(0.0:470): avc: denied { read } for name="uevent" dev="sysfs" ino=45203 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:41:04.632 12740 12740 I RenderThread: type=1400 audit(0.0:471): avc: denied { open } for path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=45203 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:41:04.632 12740 12740 I RenderThread: type=1400 audit(0.0:472): avc: denied { getattr } for path="/sys/devices/platform/34f00000.gpu0/uevent" dev="sysfs" ino=45203 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:41:04.769 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=autofill 
scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 09-06 15:41:05.188 12740 12740 I MicrovideoQShar: type=1400 audit(0.0:474): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1511 ioctlcmd=0xed1a scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:41:17.532 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=legacy_permission scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:legacy_permission_service:s0 tclass=service_manager permissive=1 09-06 15:41:45.676 12740 12740 I MicrovideoQShar: type=1400 audit(0.0:535): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1511 ioctlcmd=0xed1a scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:41:46.684 12740 12740 I GcaGeneric-4: type=1400 audit(0.0:540): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1511 ioctlcmd=0xed19 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:41:48.288 12740 12740 I FinishThread: type=1400 audit(0.0:544): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1511 ioctlcmd=0xed11 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:42:02.482 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 15:42:03.576 12740 12740 I GcaGeneric-4: type=1400 audit(0.0:565): avc: denied { ioctl } for path="/dev/edgetpu-soc" 
dev="tmpfs" ino=1511 ioctlcmd=0xed19 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:42:06.947 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=voiceinteraction scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 09-06 15:42:06.955 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=sensitive_content_protection_service scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 09-06 15:42:07.652 12740 12740 I GcaGeneric-4: type=1400 audit(0.0:568): avc: denied { ioctl } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1511 ioctlcmd=0xed12 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 app=com.google.android.GoogleCameraEng 09-06 15:42:08.903 343 343 E SELinux : avc: denied { find } for pid=12740 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 16:58:35.741 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=gpu scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 09-06 16:58:35.759 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=activity_task scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.142 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=sensorservice scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.142 338 338 E SELinux : avc: denied { find } for 
pid=6263 uid=10289 name=virtualdevice_native scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:virtual_device_native_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.265 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=device_policy scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:device_policy_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.344 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=batterystats scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:batterystats_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.344 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=trust scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:trust_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.345 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=powerstats scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:powerstats_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.436 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=device_state scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:device_state_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.610 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=vibrator_manager scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:vibrator_manager_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.640 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=thermalservice scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:thermal_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.785 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=android.hardware.neuralnetworks.IDevice/google-edgetpu 
scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_nnapi_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.944 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=voiceinteraction scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.946 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=autofill scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.955 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=sensitive_content_protection_service scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 09-06 16:58:36.962 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=performance_hint scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1 09-06 16:58:37.147 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=clipboard scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:clipboard_service:s0 tclass=service_manager permissive=1 09-06 16:58:37.374 6263 6263 I binder:6263_6: type=1400 audit(0.0:2483): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=392 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 16:58:37.374 6263 6263 I binder:6263_6: type=1400 audit(0.0:2484): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=392 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 
app=com.google.android.GoogleCameraEng 09-06 16:58:37.374 6263 6263 I binder:6263_6: type=1400 audit(0.0:2485): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=392 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 09-06 16:58:37.547 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=audio scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 09-06 16:58:37.949 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=backup scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:backup_service:s0 tclass=service_manager permissive=1 09-06 16:58:38.733 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=android.frameworks.stats.IStats/default scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=1 09-06 16:58:38.737 338 338 E SELinux : avc: denied { find } for pid=6263 uid=10289 name=package_native scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:package_native_service:s0 tclass=service_manager permissive=1 09-06 17:18:32.828 697 697 I binder:697_2: type=1400 audit(0.0:1275): avc: denied { read write } for path="/dev/edgetpu-soc" dev="tmpfs" ino=1511 scontext=u:r:debug_camera_app:s0:c33,c257,c512,c768 tcontext=u:object_r:edgetpu_device:s0 tclass=chr_file permissive=1 Change-Id: I243f6242968fdc24478e923e8d30e529939b8a57 --- gcam_app/gcam.mk | 8 +++++ .../product/private/debug_camera_app.te | 29 ++++++++++++++++ .../product/private/google_camera_app.te | 17 ++++++++++ .../sepolicy/product/private/seapp_contexts | 12 +++++++ .../product/public/debug_camera_app.te | 2 ++ .../product/public/google_camera_app.te | 2 ++ gcam_app/sepolicy/vendor/certs/app.x509.pem | 27 +++++++++++++++ 
 .../sepolicy/vendor/certs/camera_eng.x509.pem | 17 ++++++++++
 .../vendor/certs/camera_fishfood.x509.pem | 15 ++++++++
 gcam_app/sepolicy/vendor/debug_camera_app.te | 16 +++++++++
 gcam_app/sepolicy/vendor/google_camera_app.te | 13 +++++++
 gcam_app/sepolicy/vendor/keys.conf | 8 +++++
 gcam_app/sepolicy/vendor/mac_permissions.xml | 34 +++++++++++++++++++
 13 files changed, 200 insertions(+)
 create mode 100644 gcam_app/gcam.mk
 create mode 100644 gcam_app/sepolicy/product/private/debug_camera_app.te
 create mode 100644 gcam_app/sepolicy/product/private/google_camera_app.te
 create mode 100644 gcam_app/sepolicy/product/private/seapp_contexts
 create mode 100644 gcam_app/sepolicy/product/public/debug_camera_app.te
 create mode 100644 gcam_app/sepolicy/product/public/google_camera_app.te
 create mode 100644 gcam_app/sepolicy/vendor/certs/app.x509.pem
 create mode 100644 gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem
 create mode 100644 gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem
 create mode 100644 gcam_app/sepolicy/vendor/debug_camera_app.te
 create mode 100644 gcam_app/sepolicy/vendor/google_camera_app.te
 create mode 100644 gcam_app/sepolicy/vendor/keys.conf
 create mode 100644 gcam_app/sepolicy/vendor/mac_permissions.xml
diff --git a/gcam_app/gcam.mk b/gcam_app/gcam.mk
new file mode 100644
index 0000000..38c7b69
--- /dev/null
+++ b/gcam_app/gcam.mk
@@ -0,0 +1,8 @@
+# vendor
+BOARD_SEPOLICY_DIRS += device/google/gs-common/gcam_app/sepolicy/vendor
+
+# product
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/gcam_app/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/gcam_app/sepolicy//product/private
+
+PRODUCT_PACKAGES += GoogleCamera
diff --git a/gcam_app/sepolicy/product/private/debug_camera_app.te b/gcam_app/sepolicy/product/private/debug_camera_app.te
new file mode 100644
index 0000000..4402e55
--- /dev/null
+++ b/gcam_app/sepolicy/product/private/debug_camera_app.te
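Review bot: The `PRODUCT_PRIVATE_SEPOLICY_DIRS` line in the gcam.mk hunk contains a doubled slash, `sepolicy//product/private`, while the public and vendor lines spell the path with a single one. The filesystem tolerates it, but the build may treat these directory strings as plain text (deduplication, checks that each listed policy dir exists), so the inconsistent spelling is fragile and should be normalised to `PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/gcam_app/sepolicy/product/private`.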
@@ -0,0 +1,29 @@
+# GCANext and GCAEng.
+# b/363018500
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app activity_service:service_manager find;
+ allow debug_camera_app activity_task_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app batterystats_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app device_policy_service:service_manager find;
+ allow debug_camera_app device_state_service:service_manager find;
+ allow debug_camera_app gpu_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+ allow debug_camera_app powerstats_service:service_manager find;
+ allow debug_camera_app sensorservice_service:service_manager find;
+ allow debug_camera_app thermal_service:service_manager find;
+ allow debug_camera_app trust_service:service_manager find;
+ allow debug_camera_app vibrator_manager_service:service_manager find;
+ allow debug_camera_app virtual_device_native_service:service_manager find;
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/gcam_app/sepolicy/product/private/google_camera_app.te b/gcam_app/sepolicy/product/private/google_camera_app.te
new file mode 100644
index 0000000..a4c7a79
--- /dev/null
+++ b/gcam_app/sepolicy/product/private/google_camera_app.te
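Review bot: The seventeen `service_manager find` rules inside `userdebug_or_eng` carry no comment saying where they came from, and the commit message lists further denials (netstats, shortcut, autofill, clipboard, backup, audio, package_native, plus the gxp and edgetpu chr_file ioctls) that this hunk does not grant. If the rest are covered by `app_domain`/`net_domain` or by the vendor-side `debug_camera_app.te` added in the same patch, a header note would save the next reader from re-deriving that, e.g. `# Service finds below are the ones still denied after app_domain/net_domain, taken from the AVC logs in b/363018500; drop any that stop appearing.` Also `typeattribute debug_camera_app coredomain;` sits outside the macro while every allow rule is inside it, so on a user build the domain exists with no app permissions at all — presumably intended as a hard stop, but worth stating in the file.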
@@ -0,0 +1,17 @@
+# GCARelease and GCADogfood.
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+#allow google_camera_app app_api_service:service_manager find;
+#allow google_camera_app audioserver_service:service_manager find;
+#allow google_camera_app cameraserver_service:service_manager find;
+#allow google_camera_app mediaextractor_service:service_manager find;
+#allow google_camera_app mediametrics_service:service_manager find;
+#allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/gcam_app/sepolicy/product/private/seapp_contexts b/gcam_app/sepolicy/product/private/seapp_contexts
new file mode 100644
index 0000000..9ba54b7
--- /dev/null
+++ b/gcam_app/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,12 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+
diff --git a/gcam_app/sepolicy/product/public/debug_camera_app.te b/gcam_app/sepolicy/product/public/debug_camera_app.te
new file mode 100644
index 0000000..0572eee
--- /dev/null
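Review bot: Six `#allow google_camera_app ...:service_manager find;` lines are checked in as commented-out policy with no note on why they are disabled, and the same pattern recurs in `gcam_app/sepolicy/vendor/google_camera_app.te` (the gxp, edgetpu and hw_jpg rules). Commented-out allow rules are dead policy that tends to be uncommented wholesale later; either delete them or replace the block with one comment such as `# Release builds intentionally get no extra service_manager finds; the eng set lives in debug_camera_app.te.` The `dontaudit` on `vendor_default_prop` is fine as written since its reason is stated inline.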
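Review bot: The two `seinfo=CameraEng` entries assign apps to `debug_camera_app` unconditionally, but in `product/private/debug_camera_app.te` that domain only receives `app_domain`/`net_domain` inside `userdebug_or_eng`, so on a user build a matching app lands in a domain with essentially no app permissions. If that is the intent (fail closed on user builds), record it next to the entries, e.g. `# debug_camera_app is only functional on userdebug/eng builds; on user builds these apps are intentionally inert.` If it is not the intent, the entries and the release policy need to be brought into agreement.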
+++ b/gcam_app/sepolicy/product/public/debug_camera_app.te
@@ -0,0 +1,2 @@
+# GCA-Eng and GCA-Next
+type debug_camera_app, domain;
diff --git a/gcam_app/sepolicy/product/public/google_camera_app.te b/gcam_app/sepolicy/product/public/google_camera_app.te
new file mode 100644
index 0000000..a8d6512
--- /dev/null
+++ b/gcam_app/sepolicy/product/public/google_camera_app.te
@@ -0,0 +1,2 @@
+# GCA-Release and GCA-Dogfood
+type google_camera_app, domain;
diff --git a/gcam_app/sepolicy/vendor/certs/app.x509.pem b/gcam_app/sepolicy/vendor/certs/app.x509.pem
new file mode 100644
index 0000000..8e3e627
--- /dev/null
+++ b/gcam_app/sepolicy/vendor/certs/app.x509.pem
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE +AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G +A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI +hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR +24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy +xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X +W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC +69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA +cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw +HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c +xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH +QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG +CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP +zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla +XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a +IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a +ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW +Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs= +-----END CERTIFICATE----- diff --git a/gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem b/gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem new file mode 100644 index 0000000..011a9ec --- /dev/null +++ b/gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw +NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO +OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR ++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb ++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg +UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX +TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj +rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB +TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK +pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY +DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG +ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 +rscXTxYEf4Tqovc= +-----END CERTIFICATE----- diff --git a/gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem b/gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem new file mode 100644 index 0000000..fb11572 --- /dev/null +++ b/gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n +bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w +HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv +b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93 +bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/ +jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B +IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe +tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td +0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg +Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b +aIOMFB0Km9HbEZHLKg33kOoMsS2zpA== +-----END CERTIFICATE-----
diff --git a/gcam_app/sepolicy/vendor/debug_camera_app.te b/gcam_app/sepolicy/vendor/debug_camera_app.te
new file mode 100644
index 0000000..8cac086
--- /dev/null
+++ b/gcam_app/sepolicy/vendor/debug_camera_app.te
@@ -0,0 +1,16 @@
+# GCANext and GCAEng.
+userdebug_or_eng(`
+ # Allows GCA-Eng & GCA-Next access the GXP device and properties.
+ allow debug_camera_app gxp_device:chr_file rw_file_perms;
+ get_prop(debug_camera_app, vendor_gxp_prop)
+
+ # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { read write ioctl };
+ # Cannot find avc evidence for below.
+ # allow debug_camera_app edgetpu_device:chr_file { getattr map };
+
+ # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
+ # allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
+')
+
diff --git a/gcam_app/sepolicy/vendor/google_camera_app.te b/gcam_app/sepolicy/vendor/google_camera_app.te
new file mode 100644
index 0000000..81f91ac
--- /dev/null
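Review bot: The GXP rule grants `rw_file_perms` on `gxp_device:chr_file`, which includes `ioctl`, `map`, `lock` and `append` beyond read/write, while the EdgeTPU rule in the same block is narrowed to `{ read write ioctl }` and the commented line records that `getattr map` had no AVC evidence. An app-reachable accelerator device node is a sensitive surface even on debug builds, so apply the same evidence-driven narrowing here (e.g. `allow debug_camera_app gxp_device:chr_file { read write ioctl };` if that matches the log) and consider an `allowxperm` ioctl allowlist for both nodes if the drivers' ioctl sets are known. The commented-out `hw_jpg_device` rule should be deleted or given a reason, consistent with the other commented rules in this change.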
+++ b/gcam_app/sepolicy/vendor/google_camera_app.te
@@ -0,0 +1,13 @@
+# GCARelease and GCADogfood.
+
+# Allows GCA to acccess the GXP device & properties.
+#allow google_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(google_camera_app, vendor_gxp_prop)
+
+# Allows GCA to find and access the EdgeTPU.
+#allow google_camera_app edgetpu_app_service:service_manager find;
+#allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows GCA to access the hw_jpeg /dev/video12.
+#allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+
diff --git a/gcam_app/sepolicy/vendor/keys.conf b/gcam_app/sepolicy/vendor/keys.conf
new file mode 100644
index 0000000..92e5ae2
--- /dev/null
+++ b/gcam_app/sepolicy/vendor/keys.conf
@@ -0,0 +1,8 @@
+[@GOOGLE]
+ALL : device/google/gs-common/gcam_app/sepolicy/vendor/certs/app.x509.pem
+
+[@CAMERAENG]
+ALL : device/google/gs-common/gcam_app/sepolicy/vendor/certs/camera_eng.x509.pem
+
+[@CAMERAFISHFOOD]
+ALL : device/google/gs-common/gcam_app/sepolicy/vendor/certs/camera_fishfood.x509.pem
diff --git a/gcam_app/sepolicy/vendor/mac_permissions.xml b/gcam_app/sepolicy/vendor/mac_permissions.xml
new file mode 100644
index 0000000..12d9b1a
--- /dev/null
+++ b/gcam_app/sepolicy/vendor/mac_permissions.xml
@@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + From 9b9bee2c1a7846471bf03aefd91f516582be7e50 Mon Sep 17 00:00:00 2001
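Review bot: `[@GOOGLE]` points at a checked-in `certs/app.x509.pem` whose decoded subject and validity (Android / Mountain View, android@android.com, 2008–2035) match the AOSP test certificates rather than a release key, and `[@CAMERAENG]` decodes to a `CN=Android Debug` DSA certificate whose validity appears to have ended in 2022. Android's signature matching ignores expiry so the mappings will work, but `seinfo=google` is then only as strong as the `isPrivApp=true` constraint in seapp_contexts, and nothing in the hunk says whether release builds substitute a production certificate. Add a comment per section naming whose key it is and how release signing overrides it (the platform keys are referenced through `$DEFAULT_SYSTEM_DEV_CERTIFICATE` for exactly this reason), e.g. `# Development key; release builds substitute via <mechanism> — TODO confirm.`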
From: Randall Huang Date: Mon, 9 Sep 2024 10:31:14 +0800 Subject: [PATCH 3/6] Storage: add sepolicy for recovery mode avc: denied { search } for pid=286 comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=100643 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 avc: denied { getattr } for pid=286 comm="fsck.f2fs" path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda10/partition" dev="sysfs" ino=102318 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for pid=286 comm="fsck.f2fs" name="zoned" dev="sysfs" ino=101014 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { open } for pid=286 comm="fsck.f2fs" path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=101014 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for pid=340 comm="fsck.f2fs" name="sda1" dev="tmpfs" ino=1060 scontext=u:r:fsck:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=0 avc: denied { read write } for pid=340 comm="fsck.f2fs" name="sda1" dev="tmpfs" ino=1060 scontext=u:r:fsck:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=0 Bug: 361093433 Test: factory data reset Change-Id: Idce44f75e8ef6f3e381fcdaa8c29831747ee0ecd Signed-off-by: Randall Huang
---
 storage/sepolicy/fsck.te | 1 + storage/sepolicy/recovery.te | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 storage/sepolicy/recovery.te
diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te
index 7369bb4..6502995 100644
--- a/storage/sepolicy/fsck.te
+++ b/storage/sepolicy/fsck.te
@@ -4,4 +4,5 @@ allow fsck efs_block_device:blk_file rw_file_perms; allow fsck modem_userdata_block_device:blk_file rw_file_perms; allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; allow fsck sysfs_scsi_devices_0000:file r_file_perms; +allow fsck persist_block_device:blk_file rw_file_perms;
diff --git a/storage/sepolicy/recovery.te b/storage/sepolicy/recovery.te
new file mode 100644
index 0000000..7b34bb8
--- /dev/null
+++ b/storage/sepolicy/recovery.te
@@ -0,0 +1,6 @@
+# factory data reset
+recovery_only(`
+ allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+ allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+')
+
From 69c69b2609fccda9dbd34329978efdcec19b40bb Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Mon, 9 Sep 2024 12:42:24 +0800 Subject: [PATCH 4/6] storage: fix ota selinux error avc: denied { read write } for pid=281 comm="update_engine_s" name="boot_lun_enabled" dev="sysfs" ino=99875 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_ota:s0 tclass=file permissive=1 avc: denied { open } for pid=281 comm="update_engine_s" path="/sys/devices/platform/3c400000.ufs/pixel/boot_lun_enabled" dev="sysfs" ino=99875 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_ota:s0 tclass=file permissive=1 Bug: 361093433 Test: OTA sideload Change-Id: I7c92346d7ab08597d612e798d2252768eed124a2 Signed-off-by: Randall Huang
---
 storage/sepolicy/recovery.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/storage/sepolicy/recovery.te b/storage/sepolicy/recovery.te
index 7b34bb8..8f5556c 100644
--- a/storage/sepolicy/recovery.te
+++ b/storage/sepolicy/recovery.te
@@ -1,5 +1,6 @@
 # factory data reset
 recovery_only(`
+ allow recovery sysfs_ota:file rw_file_perms;
 allow recovery sysfs_scsi_devices_0000:file r_file_perms;
 allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
 ')
From db15a0bcf20275a26eef0d51d55cb8edfbd1ee44 Mon Sep 17 00:00:00 2001
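Review bot: The new `sysfs_ota` rule in the patch-4 hunk is inserted directly under the `# factory data reset` header, but its own commit message attributes the denial to an `update_engine_s…` process during OTA sideload, so the comment now misdescribes the block. Give the rule its own comment, `# OTA sideload (update_engine): boot_lun_enabled under sysfs_ota`, or generalize the header to `# recovery mode: factory data reset and OTA sideload`. The cited denial shows `read write open` on a single file, whereas `rw_file_perms` also adds `ioctl`, `lock`, `map` and `append`; that matches the file's existing convention, but it is worth a deliberate look given how privileged the recovery domain is.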
From: Nishok Kumar S Date: Mon, 2 Sep 2024 10:28:25 +0000 Subject: [PATCH 5/6] Add sepolicy for NNAPI HAL to access hal_graphics_allocator_service, This is required for AHardwareBuffer allocation. Attached avc error log in commit message: E SELinux : avc: denied { find } for pid=820 uid=1000 name=android.hardware.graphics.allocator.IAllocator/default scontext=u:r:hal_neuralnetworks_darwinn:s0 tcontext=u:object_r:hal_graphics_allocator_service:s0 tclass=service_manager permissive=0 Bug: 361711471 Test: Flash private build, run CTS NNAPI tests. Change-Id: I7850bd0c64974180cee206bfc43c25b70fac3f79
---
 edgetpu/sepolicy/hal_neuralnetworks_darwinn.te | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
index 3b2cd4f..abdbcd7 100644
--- a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
+++ b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
@@ -1,3 +1,4 @@
+# Sepolicies for EdgeTPU
 type hal_neuralnetworks_darwinn, domain;
 hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
@@ -62,3 +63,8 @@ get_prop(hal_neuralnetworks_darwinn, vendor_hetero_runtime_prop) # Allow DMA Buf access. allow hal_neuralnetworks_darwinn dmabuf_system_heap_device:chr_file r_file_perms; +# Allows the NNAPI HAL to access the graphics_allocator_service. +# This is required for shared memory buffer allocation. +# Context:- b/361711471. +hal_client_domain(hal_neuralnetworks_darwinn, hal_graphics_allocator); +allow hal_neuralnetworks_darwinn hal_graphics_allocator_service:service_manager find;
From 6902f81e2d7ab5a63016189d44e81b8f32776389 Mon Sep 17 00:00:00 2001 From: Robert Lee Date: Tue, 10 Sep 2024 08:53:52 +0000 Subject: [PATCH 6/6] audio: allow set_prop for vendor_audio_prop_restricted Bug: 338910843 Test: manual test Flag: EXEMPT sepolicy Change-Id: Id8ad088512aca6cc939c25b5d747fbedeb4cd479
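Review bot: `hal_client_domain(hal_neuralnetworks_darwinn, hal_graphics_allocator);` in the second hunk is immediately followed by an explicit `allow hal_neuralnetworks_darwinn hal_graphics_allocator_service:service_manager find;`; if the core `hal_graphics_allocator` policy already grants `find` on that service to `hal_graphics_allocator_client` (as the `hal_attribute_service` pattern does), the second line is redundant and should be dropped, or a comment should say why it is still required. The trailing semicolon after the macro call is also inconsistent with `hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)` in the first hunk of the same file, which has none. The `# Context:- b/361711471.` line would read better as `# See b/361711471.`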
Signed-off-by: Robert Lee
---
 audio/sepolicy/common/hal_audio_default.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/audio/sepolicy/common/hal_audio_default.te b/audio/sepolicy/common/hal_audio_default.te
index fac4f1a..f6e0e5d 100644
--- a/audio/sepolicy/common/hal_audio_default.te
+++ b/audio/sepolicy/common/hal_audio_default.te
@@ -1,3 +1,4 @@
+# allow access to folders
 allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
 allow hal_audio_default audio_vendor_data_file:file create_file_perms;
@@ -23,6 +24,7 @@ allow hal_audio_default sysfs_aoc_boottime:file r_file_perms; allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; set_prop(hal_audio_default, vendor_audio_prop); +set_prop(hal_audio_default, vendor_audio_prop_restricted); hal_client_domain(hal_audio_default, hal_health); hal_client_domain(hal_audio_default, hal_thermal);
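Review bot: `# allow access to folders` does not say which directory or why; the two rules beneath it grant the audio HAL `rw_dir_perms` and `create_file_perms` on `audio_vendor_data_file`, so the comment should carry that information, e.g. `# The audio HAL owns its vendor data directory (audio_vendor_data_file): it creates, reads and writes files there.`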
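Review bot: `set_prop(hal_audio_default, vendor_audio_prop_restricted);` lets the HAL write a property type whose name marks it as restricted, and neither the hunk nor the commit record (`Bug: 338910843`, `Test: manual test`) says which property is written or why the HAL must set it rather than read it. Add a justification comment above the line, `# b/338910843: <property> is set by the HAL because <reason> — TODO fill in`, and confirm in the property context definitions which domains are meant to write `vendor_audio_prop_restricted` so this grant does not widen that set unintentionally.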