Improve camera HAL SELinux policy.

- Grant access to DMA system heap for Tuscany.
- Reorder statements for more logical grouping.
- Allow access to isolated tmpfs for google3 prebuilts.
- Remove fixed denials.

Bug: 181913550
Bug: 182705901
Test: Inspected logcat, no denials from hal_camera_default
Change-Id: I9bf1ce207c3bcae1b9f9ab0f0072bb7501201451

tracking_denials/hal_camera_default.te

@@ -1,29 +1,5 @@
 # b/178980085
 dontaudit hal_camera_default system_data_file:dir { search };
-dontaudit hal_camera_default system_data_file:dir { search };
 # b/180567725
 dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
 dontaudit hal_camera_default traced_producer_socket:sock_file { write };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
-# b/181913550
-dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
-dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
-dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
-dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };
-dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
-dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };
-# b/182705901
-dontaudit hal_camera_default tmpfs:file { getattr };
-dontaudit hal_camera_default tmpfs:file { read };
-dontaudit hal_camera_default edgetpu_server:binder { call };
-dontaudit hal_camera_default tmpfs:file { write };
-dontaudit hal_camera_default tmpfs:file { map };
-dontaudit hal_camera_default tmpfs:file { read };
-dontaudit hal_camera_default tmpfs:file { getattr };
-dontaudit hal_camera_default tmpfs:file { map };
-dontaudit hal_camera_default tmpfs:file { write };
-dontaudit hal_camera_default edgetpu_server:binder { call };
-dontaudit hal_camera_default edgetpu_service:service_manager { find };
-dontaudit hal_camera_default edgetpu_server:fd { use };
-dontaudit hal_camera_default edgetpu_server:fd { use };

whitechapel/vendor/google/hal_camera_default.te

@@ -1,34 +1,54 @@
+type hal_camera_default_tmpfs, file_type;
+
 allow hal_camera_default self:global_capability_class_set sys_nice;
 
 vndbinder_use(hal_camera_default);
 
-allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
-allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
-allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
-allow hal_camera_default vendor_camera_data_file:file create_file_perms;
 allow hal_camera_default lwis_device:chr_file rw_file_perms;
 allow hal_camera_default gpu_device:chr_file rw_file_perms;
-allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
-allow hal_camera_default sysfs_edgetpu:file r_file_perms;
 allow hal_camera_default sysfs_chip_id:file r_file_perms;
 
+# Tuscany (face auth) code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
 # Allow the camera hal to access the EdgeTPU service and the
 # Android shared memory allocated by the EdgeTPU service for
 # on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
 allow hal_camera_default edgetpu_server:fd use;
 allow hal_camera_default edgetpu_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_server)
 
+# Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:dir search;
 allow hal_camera_default persist_camera_file:dir search;
 allow hal_camera_default persist_camera_file:file r_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
+allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
 
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+  allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+  allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
 get_prop(hal_camera_default, vendor_camera_prop);
 get_prop(hal_camera_default, vendor_camera_debug_prop);
 
 hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
 hal_client_domain(hal_camera_default, hal_power);
 hal_client_domain(hal_camera_default, hal_thermal);
 
@@ -38,15 +58,3 @@ binder_call(hal_camera_default, system_server);
 # Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
 allow hal_camera_default eco_service:service_manager find;
 binder_call(hal_camera_default, mediacodec);
-
-# grant access to hal_graphics_composer
-hal_client_domain(hal_camera_default, hal_graphics_composer)
-
-# grant access to Securea camera TA
-allow hal_camera_default tee_device:chr_file rw_file_perms;
-
-# For camera debugging
-userdebug_or_eng(`
-  allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
-  allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-')