Add required sepolicy rules for Camera function

Bug: 218499972 Test: Switch to Enforcing mode Take a picture, camera recording Change-Id: I57f3e8454ece6906624f028b7a3771ffddcaa963
2022-02-10 01:56:02 +08:00 · 2022-02-10 01:56:02 +08:00 · 9cc70410c5
commit 9cc70410c5
parent cd4f508c92
10 changed files with 20 additions and 3 deletions
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@ -1,10 +1,8 @@
 # b/209889068
 dontaudit google_camera_app cameraserver_service:service_manager { find };
 dontaudit google_camera_app edgetpu_app_service:service_manager { find };
 dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
 dontaudit google_camera_app edgetpu_device:chr_file { map };
 dontaudit google_camera_app edgetpu_device:chr_file { read write };
 dontaudit google_camera_app mediaserver_service:service_manager { find };
 dontaudit google_camera_app vendor_default_prop:file { getattr };
 dontaudit google_camera_app vendor_default_prop:file { map };
 dontaudit google_camera_app vendor_default_prop:file { open };
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@ -44,6 +44,7 @@ type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 # debugfs
 type debugfs_f2fs, debugfs_type, fs_type;
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@ -48,6 +48,7 @@ genfscon sysfs /devices/platform/28000000.mali/hint_min_freq                   u
 # Fabric
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq  u:object_r:sysfs_fabric:s0
 genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq  u:object_r:sysfs_fabric:s0
 # sscoredump (per device)
 genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count                                   u:object_r:sysfs_sscoredump_subsystem_report_count:s0
@ -203,3 +204,7 @@ genfscon sysfs /devices/platform/100a0000.BIG                             u:obje
 genfscon sysfs /devices/platform/100a0000.ISP                             u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/platform/100b0000.G3D                             u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/platform/100b0000.TPU                             u:object_r:sysfs_thermal:s0
 # Camera
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq    u:object_r:sysfs_camera:s0
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq          u:object_r:sysfs_camera:s0
--- a/whitechapel_pro/google_camera_app.te
+++ b/whitechapel_pro/google_camera_app.te
@ -2,3 +2,8 @@ type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
 allow google_camera_app cameraserver_service:service_manager find;
 allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@ -60,6 +60,7 @@ binder_call(hal_camera_default, system_server);
 # Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
 allow hal_camera_default eco_service:service_manager find;
 binder_call(hal_camera_default, mediacodec);
 binder_call(hal_camera_default, mediacodec_samsung);
 # Allow camera HAL to query preferred camera frequencies from the radio HAL
 # extensions to avoid interference with cellular antennas.
--- a/whitechapel_pro/hal_graphics_allocator_default.te
+++ b/whitechapel_pro/hal_graphics_allocator_default.te
@ -0,0 +1 @@
 allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
--- a/whitechapel_pro/hal_graphics_composer_default.te
+++ b/whitechapel_pro/hal_graphics_composer_default.te
@ -1,6 +1,8 @@
 # allow HWC to access power hal
 hal_client_domain(hal_graphics_composer_default, hal_power)
 hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
 # allow HWC to access vendor_displaycolor_service
 add_service(hal_graphics_composer_default, vendor_displaycolor_service)
--- a/whitechapel_pro/hal_power_default.te
+++ b/whitechapel_pro/hal_power_default.te
@ -5,4 +5,5 @@ allow hal_power_default sysfs_display:file rw_file_perms;
 allow hal_power_default sysfs_vendor_sched:file r_file_perms;
 allow hal_power_default sysfs_gpu:file rw_file_perms;
 allow hal_power_default sysfs_fabric:file rw_file_perms;
-set_prop(hal_power_default, vendor_camera_prop)
+allow hal_power_default sysfs_camera:file rw_file_perms;
 set_prop(hal_power_default, vendor_camera_prop)
--- a/whitechapel_pro/mediacodec_samsung.te
+++ b/whitechapel_pro/mediacodec_samsung.te
@ -17,6 +17,8 @@ allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
 # can use graphics allocator
 hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
 binder_call(mediacodec_samsung, hal_camera_default)
 crash_dump_fallback(mediacodec_samsung)
 # mediacodec_samsung should never execute any executable without a domain transition
--- a/whitechapel_pro/system_server.te
+++ b/whitechapel_pro/system_server.te
@ -0,0 +1 @@
 binder_call(system_server, hal_camera_default);
		`@ -0,0 +1 @@`
							`allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;`
		`@ -0,0 +1 @@`
							`binder_call(system_server, hal_camera_default);`