From 6004d5876013f786408647d22f481f68d7b2f7a8 Mon Sep 17 00:00:00 2001
From: Adam Shih <adamshih@google.com>
Date: Wed, 8 Dec 2021 13:19:38 +0800
Subject: [PATCH] label camera app

Bug: 209329856
Test: boot with google camera's label changed
Change-Id: Iff83bf8f42f9e6f9588fc5f45852a11608dc4445
---
 tracking_denials/priv_app.te         |  5 -----
 whitechapel_pro/certs/app.x509.pem   | 27 +++++++++++++++++++++++++++
 whitechapel_pro/google_camera_app.te |  4 ++++
 whitechapel_pro/keys.conf            |  3 +++
 whitechapel_pro/mac_permissions.xml  |  3 +++
 whitechapel_pro/seapp_contexts       |  4 ++++
 6 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 whitechapel_pro/certs/app.x509.pem
 create mode 100644 whitechapel_pro/google_camera_app.te

diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 6e133e5b..c966f4e6 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -2,8 +2,3 @@
 dontaudit priv_app vendor_default_prop:file { getattr };
 dontaudit priv_app vendor_default_prop:file { map };
 dontaudit priv_app vendor_default_prop:file { open };
-# b/209329856
-dontaudit priv_app vendor_apex_file:dir { search };
-dontaudit priv_app vendor_apex_file:file { getattr };
-dontaudit priv_app vendor_apex_file:file { open };
-dontaudit priv_app vendor_apex_file:file { read };
diff --git a/whitechapel_pro/certs/app.x509.pem b/whitechapel_pro/certs/app.x509.pem
new file mode 100644
index 00000000..8e3e6273
--- /dev/null
+++ b/whitechapel_pro/certs/app.x509.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g
+VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE
+AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G
+A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI
+hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR
+24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy
+xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X
+W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC
+69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA
+cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw
+HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c
+xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE
+CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH
+QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG
+CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP
+zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla
+XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a
+IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a
+ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW
+Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs=
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
new file mode 100644
index 00000000..df2e4699
--- /dev/null
+++ b/whitechapel_pro/google_camera_app.te
@@ -0,0 +1,4 @@
+type google_camera_app, domain, coredomain;
+app_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index c8154db0..80522c4e 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -1,3 +1,6 @@
+[@GOOGLE]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
+
 [@MDS]
 ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
 
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index 6cb7113c..821f660c 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -21,6 +21,9 @@
       - The default tag is consulted last if needed.
 -->
     <!-- google apps key -->
+    <signer signature="@GOOGLE" >
+      <seinfo value="google" />
+    </signer>
     <signer signature="@MDS" >
         <seinfo value="mds" />
     </signer>
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index a82cd82e..4abc2c39 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -49,3 +49,7 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+