From 4a6cfb5a9cc46b6c2c1d456ca6874f9aa92bd085 Mon Sep 17 00:00:00 2001 From: Nishok Kumar S Date: Thu, 12 May 2022 06:33:22 +0000 Subject: [PATCH] Label GCA-Eng app - Add policies for GCA-Eng to access GXP device. - Allow GCA-Eng to access edgetpu service. Test: Build selinux and test GCA-Eng on device with adb shell setprop camera.artemis_dsp TRUE Bug: 230773733 Change-Id: I8d04f6e1aef0899b3862ddbb80174cd086156d92 --- edgetpu/debug_camera_app.te | 5 +++++ whitechapel_pro/certs/camera_eng.x509.pem | 17 +++++++++++++++++ whitechapel_pro/debug_camera_app.te | 18 ++++++++++++++++++ whitechapel_pro/keys.conf | 3 +++ whitechapel_pro/mac_permissions.xml | 3 +++ whitechapel_pro/seapp_contexts | 3 +++ 6 files changed, 49 insertions(+) create mode 100644 edgetpu/debug_camera_app.te create mode 100644 whitechapel_pro/certs/camera_eng.x509.pem create mode 100644 whitechapel_pro/debug_camera_app.te
diff --git a/edgetpu/debug_camera_app.te b/edgetpu/debug_camera_app.te
new file mode 100644
index 00000000..44382239
--- /dev/null
+++ b/edgetpu/debug_camera_app.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ # Allows GCA-Eng to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+')
\ No newline at end of file
diff --git a/whitechapel_pro/certs/camera_eng.x509.pem b/whitechapel_pro/certs/camera_eng.x509.pem
new file mode 100644
index 00000000..011a9ec4
--- /dev/null
+++ b/whitechapel_pro/certs/camera_eng.x509.pem
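Review bot: The `edgetpu_device:chr_file` rule in edgetpu/debug_camera_app.te lists `{ getattr read write ioctl map }` by hand and leaves out `open`, while the GXP rule added in whitechapel_pro/debug_camera_app.te uses `rw_file_perms`; nothing in the file says whether that difference is intended. If the app is meant to receive an already-open descriptor from `edgetpu_app_service` rather than open the node itself (presumably, given the `find` rule just above it), the comment should say so, e.g. `# No open: the device fd is handed over by edgetpu_app_service.` The rule also permits every ioctl command on the device unless an `allowxperm` rule outside this hunk narrows it, which is worth confirming for a domain assigned purely by package name and signer. The file ends without a trailing newline.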
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw
+NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO
+OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
+UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
+TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
+rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
+TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK
+pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY
+DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG
+ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4
+rscXTxYEf4Tqovc=
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/debug_camera_app.te b/whitechapel_pro/debug_camera_app.te
new file mode 100644
index 00000000..7c14ef03
--- /dev/null
+++ b/whitechapel_pro/debug_camera_app.te
@@ -0,0 +1,18 @@
+type debug_camera_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows camera app to access the GXP device.
+ allow debug_camera_app gxp_device:chr_file rw_file_perms;
+
+ # Allows camera app to search for GXP firmware file.
+ allow debug_camera_app vendor_fw_file:dir search;
+')
\ No newline at end of file
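Review bot: The signer that gates the new domain looks like a debug-keystore certificate: whitechapel_pro/certs/camera_eng.x509.pem decodes to subject and issuer `C=US, O=Android, CN=Android Debug`, the identity SDK tooling gives to automatically generated debug keystores, and it appears to carry a 1024-bit DSA key with a SHA-1 signature. keys.conf makes this certificate the only signer check behind `debug_camera_app`, so the GXP and EdgeTPU access granted in this patch is only as well protected as that private key. Please confirm that it is a dedicated, access-controlled engineering key rather than a developer-local or shared debug keystore, and record its provenance in the commit message or a README next to the certificate. The notAfter field reads 2022-07-15, about two months after the commit date; that may not affect APK signature checks, but it should be a deliberate choice.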
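Review bot: In whitechapel_pro/debug_camera_app.te the `type debug_camera_app, domain, coredomain;` line sits outside `userdebug_or_eng`, so the type exists on user builds with none of the rules below it, and the file does not explain why. Presumably this is because the seapp_contexts entry added in this patch names the domain in every build variant; a comment above the type line would make that explicit, for example `# Declared on all builds because seapp_contexts references it; rules apply to userdebug/eng only.` It would also help to state what is expected to happen to a matching package on a user build, since `app_domain(debug_camera_app)` is not applied there. The file ends without a trailing newline.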
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf index 80522c4e..e4247437 100644 --- a/whitechapel_pro/keys.conf +++ b/whitechapel_pro/keys.conf @@ -9,3 +9,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem [@EUICCSUPPORTPIXEL] ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem + +[@CAMERAENG] +ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/camera_eng.x509.pem diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml index 821f660c..f1eb85e3 100644 --- a/whitechapel_pro/mac_permissions.xml +++ b/whitechapel_pro/mac_permissions.xml @@ -33,4 +33,7 @@ + + + diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts index f2fd47f9..22148b59 100644 --- a/whitechapel_pro/seapp_contexts +++ b/whitechapel_pro/seapp_contexts @@ -57,6 +57,9 @@ user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detecto # Google Camera user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all +# Google Camera Eng +user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all + # Domain for CatEngineService user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
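Review bot: The new `com.google.android.GoogleCameraEng` entry in whitechapel_pro/seapp_contexts selects on `seinfo=CameraEng` and the package name only, without the `isPrivApp=true` that the Google Camera entry above it carries, so any installable APK with that name and signer is placed in `debug_camera_app`. That may be intended for a sideloaded engineering build, but the comment `# Google Camera Eng` does not say so. I would expand it to something like `# Google Camera Eng: sideloaded engineering build, matched by signer and name; domain has rules on userdebug/eng only.` The added lines of the mac_permissions.xml hunk are not readable on this page, so the signer-to-seinfo mapping could not be checked here.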